Overview
Static
Behavioral task tabs (18 tasks, all windows10_x64; sandbox scores in tab order: 8, 1, 10, 8, 10, 8, 8, 1, 10, 8, 10, 8, 8, 1, 10, 8, 10, 8; task names in the tab strip not recoverable)
Analysis
- max time kernel: 1801s
- max time network: 391s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 01-12-2020 14:18
Static task: static1
Behavioral tasks (all run on resource win10v20201028):
- behavioral1: Downloads3/139.bin.exe
- behavioral2: Downloads3/425895848735145103942784.doc
- behavioral3: Downloads3/IgqbCYuTw.bin.exe
- behavioral4: Downloads3/SetupFille-v48.09.45.bin.exe
- behavioral5: Downloads3/finfisher.1.bin.exe
- behavioral6: Downloads3/speakoniasetup-1.0.bin.exe
- behavioral7: Downloads3/139.bin.exe
- behavioral8: Downloads3/425895848735145103942784.doc
- behavioral9: Downloads3/IgqbCYuTw.bin.exe
- behavioral10: Downloads3/SetupFille-v48.09.45.bin.exe
- behavioral11: Downloads3/finfisher.1.bin.exe
- behavioral12: Downloads3/speakoniasetup-1.0.bin.exe
- behavioral13: Downloads3/139.bin.exe
- behavioral14: Downloads3/425895848735145103942784.doc
- behavioral15: Downloads3/IgqbCYuTw.bin.exe
- behavioral16: Downloads3/SetupFille-v48.09.45.bin.exe
- behavioral17: Downloads3/finfisher.1.bin.exe
- behavioral18: Downloads3/speakoniasetup-1.0.bin.exe
General
- Target: Downloads3/finfisher.1.bin.exe
- Size: 771KB
- MD5: 074919f13d07cd6ce92bb0738971afc7
- SHA1: 9f9a18e81e9b39bd2f047004b8e3b4cb0fb505c9
- SHA256: f827c92fbe832db3f09f47fe0dcaafd89b40c7064ab90833a1f418f2d1e75e8e
- SHA512: cdd87c636df500053ec1b410bc467e09186df953c1e1bcb1dc9a8d4bba82df486f59f0bd9942051f84301b05201952cb137b8364bf93d0c066822eb065b9b749
Malware Config
Signatures
- Executes dropped EXE (4 IoCs)
  pid   process
  2348  finfisher.1.bin.exe
  1364  finfisher.1.bin.exe
  3432  finfisher.1.bin.exe_
  2236  svchost.exe
- Deletes itself (1 IoC)
  pid   process
  2348  finfisher.1.bin.exe
- Suspicious use of SetThreadContext (1 IoC)
  description                          pid   process              target process
  PID 3276 set thread context of 2348  3276  finfisher.1.bin.exe  finfisher.1.bin.exe
- Drops file in Windows directory (18 IoCs; all by process finfisher.1.bin.exe_)
  File opened for modification  C:\Windows\Installer\{88DC4147-C6DD-47E6-9097-E0C9BA967FA0}\80C.dat
  File opened for modification  C:\Windows\Installer\{88DC4147-C6DD-47E6-9097-E0C9BA967FA0}\12C.dat
  File created                  C:\Windows\Installer\{88DC4147-C6DD-47E6-9097-E0C9BA967FA0}\11.dat
  File opened for modification  C:\Windows\Installer\{88DC4147-C6DD-47E6-9097-E0C9BA967FA0}\11.dat
  File created                  C:\Windows\Installer\{88DC4147-C6DD-47E6-9097-E0C9BA967FA0}\11C.dat
  File opened for modification  C:\Windows\Installer\{88DC4147-C6DD-47E6-9097-E0C9BA967FA0}\02.dat
  File opened for modification  C:\Windows\Installer\{88DC4147-C6DD-47E6-9097-E0C9BA967FA0}\02C.dat
  File created                  C:\Windows\Installer\{88DC4147-C6DD-47E6-9097-E0C9BA967FA0}\02.dat
  File opened for modification  C:\Windows\Installer\{88DC4147-C6DD-47E6-9097-E0C9BA967FA0}\7F.dat
  File created                  C:\Windows\Installer\{88DC4147-C6DD-47E6-9097-E0C9BA967FA0}\80C.dat
  File created                  C:\Windows\Installer\{88DC4147-C6DD-47E6-9097-E0C9BA967FA0}\12.dat
  File opened for modification  C:\Windows\Installer\{88DC4147-C6DD-47E6-9097-E0C9BA967FA0}\11C.dat
  File created                  C:\Windows\Installer\{88DC4147-C6DD-47E6-9097-E0C9BA967FA0}\7FC.dat
  File opened for modification  C:\Windows\Installer\{88DC4147-C6DD-47E6-9097-E0C9BA967FA0}\7FC.dat
  File opened for modification  C:\Windows\Installer\{88DC4147-C6DD-47E6-9097-E0C9BA967FA0}\12.dat
  File created                  C:\Windows\Installer\{88DC4147-C6DD-47E6-9097-E0C9BA967FA0}\12C.dat
  File created                  C:\Windows\Installer\{88DC4147-C6DD-47E6-9097-E0C9BA967FA0}\02C.dat
  File created                  C:\Windows\Installer\{88DC4147-C6DD-47E6-9097-E0C9BA967FA0}\7F.dat
- Program crash (1 IoC)
  pid   pid_target  process       target process
  1304  540         WerFault.exe  winlogon.exe
- Suspicious behavior: EnumeratesProcesses (6725 IoCs; the report lists only a subset)
  pid   process
  3432  finfisher.1.bin.exe_  (listed twice)
  2236  svchost.exe           (listed twice)
  1304  WerFault.exe          (repeated)
  2236  svchost.exe           (repeated for the rest of the listed entries)
- Suspicious behavior: LoadsDriver (468814 IoCs; the report lists only a subset, with pids but no process names)
  pids: 2648 2712 3960 1648 1808 2032 1656 3096 3728 3572 732 3892 2760 3964 2120 1172 2188 1332 3176 3312 3604 3592 3876 1484 1392 3764 1508 1444 2312 596 2072 544 2068 3932 2876 1568 3192 2452 980 352 1064 1132 696 3808 976 772 780 716 2776 2432 3024 2836 2792 2392 1208 2192 2744 2664 2260 2592 196 3980 212 1124
- Suspicious behavior: MapViewOfSection (1 IoC)
  pid   process
  2348  finfisher.1.bin.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description                 pid   process
  Token: SeBackupPrivilege    3432  finfisher.1.bin.exe_
  Token: SeSecurityPrivilege  3432  finfisher.1.bin.exe_
  Token: SeDebugPrivilege     1304  WerFault.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
  description                       pid   process              target process        entries
  PID 3276 wrote to memory of 2348  3276  finfisher.1.bin.exe  finfisher.1.bin.exe   5
  PID 2348 wrote to memory of 1364  2348  finfisher.1.bin.exe  finfisher.1.bin.exe   3
  PID 1364 wrote to memory of 3432  1364  finfisher.1.bin.exe  finfisher.1.bin.exe_  2
  PID 2348 wrote to memory of 3724  2348  finfisher.1.bin.exe  explorer.exe          3
  PID 2236 wrote to memory of 540   2236  svchost.exe          winlogon.exe          3
  PID 2236 wrote to memory of 3028  2236  svchost.exe          Explorer.EXE          2
Processes (tree; depth shown by indentation, command line in quotes)
- C:\Windows\system32\winlogon.exe  "winlogon.exe"
  - C:\Windows\system32\WerFault.exe  "C:\Windows\system32\WerFault.exe -u -p 540 -s 1264"
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\Explorer.EXE  "C:\Windows\Explorer.EXE"
  - C:\Users\Admin\AppData\Local\Temp\Downloads3\finfisher.1.bin.exe  "C:\Users\Admin\AppData\Local\Temp\Downloads3\finfisher.1.bin.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\TMPB6D001F0\finfisher.1.bin.exe  "C:\Users\Admin\AppData\Local\Temp\\TMPB6D001F0\finfisher.1.bin.exe"
      - Executes dropped EXE
      - Deletes itself
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\finfisher.1.bin.exe  "C:\Users\Admin\AppData\Local\Temp\finfisher.1.bin.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\finfisher.1.bin.exe_  "C:\Users\Admin\AppData\Local\Temp\\finfisher.1.bin.exe_"
          - Executes dropped EXE
          - Drops file in Windows directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\explorer.exe  "explorer.exe"
- C:\Windows\Installer\{88DC4147-C6DD-47E6-9097-E0C9BA967FA0}\svchost.exe  "C:\Windows\Installer\{88DC4147-C6DD-47E6-9097-E0C9BA967FA0}\svchost.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
- \??\c:\windows\system32\sihost.exe  "sihost.exe"
- \??\c:\windows\system32\sihost.exe  "sihost.exe"
- \??\c:\windows\system32\sihost.exe  "sihost.exe"
- \??\c:\windows\system32\sihost.exe  "sihost.exe"
- \??\c:\windows\system32\sihost.exe  "sihost.exe"
- \??\c:\windows\system32\sihost.exe  "sihost.exe"
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\Temp\TMPB6D001F0\finfisher.1.bin.exe
  MD5: 074919f13d07cd6ce92bb0738971afc7
  SHA1: 9f9a18e81e9b39bd2f047004b8e3b4cb0fb505c9
  SHA256: f827c92fbe832db3f09f47fe0dcaafd89b40c7064ab90833a1f418f2d1e75e8e
  SHA512: cdd87c636df500053ec1b410bc467e09186df953c1e1bcb1dc9a8d4bba82df486f59f0bd9942051f84301b05201952cb137b8364bf93d0c066822eb065b9b749
- C:\Users\Admin\AppData\Local\Temp\finfisher.1.bin.exe
  MD5: 837c8e15a154956194219ddf6e26cd09
  SHA1: 1f46a8f7799a48512eb1497ffcae35cbb20a67d5
  SHA256: f18afbad0230af8c7ec7b4c1d25544f3d3445a825861a1de18432de5b4586c7b
  SHA512: 52ea06a084c5f0a87024a9e34cd9aac4ba42285b90e555e6c6eaea7e09cfe259165f7f2019160ee7f4a4e4d02b31acab307ab1bc34dd43b549532041b0299064
- C:\Users\Admin\AppData\Local\Temp\finfisher.1.bin.exe_
  MD5: 4f08b7808f785005179bd799d7f02a12
  SHA1: 130212336fe769ef2c82f19fd17f61b69f7d6ecd
  SHA256: fa5ddd5f044ab5a3817a2a31f3d798d411153da73bbf0d205736283944513e56
  SHA512: bbf7356450780268beb3a26a4bc03ba78b71ffd00723b6b4c68240e481015e975d5371d20c32075cf0ab4b8bf5862b07edbea8eb0b88b850d8b9bdbfd1a55638
- C:\Windows\Installer\{88DC4147-C6DD-47E6-9097-E0C9BA967FA0}\svchost.exe
  MD5: 820b2fa51f6f50a94a295bfc8ac381ec
  SHA1: b23a3b57c8edb6637cc1fc68996929c0151044dd
  SHA256: 1ef2012a955f246880d49731a831ed524d8f73f8ff05da5389ae8056f7805136
  SHA512: 6d84bffb163fbe1470bd736390485f2e2dee44be2240ede789f5d9d54fc63ea9ed84272fab1c65397a38a9700749b74cd4c3fc9dc25517a9a9343fc6ca7c99b7
- memory/1304-14-0x000001BFA6010000-0x000001BFA6011000-memory.dmp (filesize 4KB)
- memory/1304-17-0x000001BFA6E80000-0x000001BFA6E81000-memory.dmp (filesize 4KB)
- memory/1304-15-0x000001BFA6010000-0x000001BFA6011000-memory.dmp (filesize 4KB)
- memory/1364-5-0x0000000000000000-mapping.dmp
- memory/2348-2-0x0000000000401E1F-mapping.dmp
- memory/3432-8-0x0000000000000000-mapping.dmp
- memory/3724-13-0x0000000000000000-mapping.dmp