Analysis
max time kernel: 151s
max time network: 21s
platform: windows7_x64
resource: win7v20201028
submitted: 31-01-2021 14:48
Static task: static1
Behavioral task: behavioral1
  Sample: 94fff127753ed1d704c781b5c391f5e62f4a907b67f7e1d51c3c84addd5851ab.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 94fff127753ed1d704c781b5c391f5e62f4a907b67f7e1d51c3c84addd5851ab.exe
  Resource: win10v20201028
General
Target: 94fff127753ed1d704c781b5c391f5e62f4a907b67f7e1d51c3c84addd5851ab.exe
Size: 197KB
MD5: 039ce25d495fa555ae1c210592b564d0
SHA1: 6684d0ffde174052a03931981262dc0a7cb9891c
SHA256: 94fff127753ed1d704c781b5c391f5e62f4a907b67f7e1d51c3c84addd5851ab
SHA512: c2be8d6b80e57339957f370b4ac31bd03140f9a9ed4865926eb6d7e5a69d3510b046930c1933d38629b4c3bcae007b6cf5e6140463ab6e064820cdd91bbd46bb
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  Process: edta.exe (PID 328)
YARA rule matches (rule: upx)
  \Users\Admin\AppData\Roaming\Awym\edta.exe
  C:\Users\Admin\AppData\Roaming\Awym\edta.exe
  C:\Users\Admin\AppData\Roaming\Awym\edta.exe
Deletes itself (1 IoC)
  Process: cmd.exe (PID 432)
Loads dropped DLL (1 IoC)
  Process: 94fff127753ed1d704c781b5c391f5e62f4a907b67f7e1d51c3c84addd5851ab.exe (PID 1716)
Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\Currentversion\Run  (process: edta.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\{8312DD2C-C7DA-6404-07BE-57994C93C992} = "C:\\Users\\Admin\\AppData\\Roaming\\Awym\\edta.exe"  (process: edta.exe)
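The Run-key entry above has two traits worth turning into a hunting rule: the value name is a bare GUID rather than a product name, and the target is an executable dropped into a short random-looking folder under the user's Roaming profile. The script below is an added example, not part of the sandbox report or its tooling; it scores autorun entries against those heuristics. The sample entries are constructed here (the first copies the report's entry, the other two are benign-looking contrasts) and are not read from a live host.

```python
import re

# Constructed sample of HKCU ...\CurrentVersion\Run entries (value name, value data).
# The first mirrors the entry the report shows; the other two are ordinary,
# benign-looking entries added for contrast. Not read from a live host.
SAMPLE_RUN_ENTRIES = [
    ("{8312DD2C-C7DA-6404-07BE-57994C93C992}",
     r"C:\Users\Admin\AppData\Roaming\Awym\edta.exe"),
    ("OneDrive",
     r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    ("SecurityHealth",
     r"%windir%\system32\SecurityHealthSystray.exe"),
]

# A value name that is nothing but a GUID: legitimate software almost always
# uses a product name here.
GUID_NAME = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

# Executable living in a user-writable drop location rather than Program Files
# or the Windows directory.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\AppData\\(?:Roaming|Local\\Temp)\\", re.IGNORECASE)

# Payload sits directly in a single short, random-looking folder under Roaming
# (the report's "Awym"): weak on its own, so it only adds to the other signals.
SHORT_RANDOM_DIR = re.compile(
    r"\\AppData\\Roaming\\[A-Za-z]{3,6}\\[^\\]+\.exe\"?$", re.IGNORECASE)


def score_run_entry(name: str, data: str) -> list:
    """Return the list of reasons an autorun entry looks like malware persistence."""
    reasons = []
    if GUID_NAME.match(name):
        reasons.append("GUID-only value name")
    if USER_WRITABLE.search(data):
        reasons.append("executable under user-writable AppData path")
    if SHORT_RANDOM_DIR.search(data):
        reasons.append("single short random-looking directory under Roaming")
    return reasons


def suspicious_run_entries(entries, min_reasons: int = 2):
    """Entries that trip at least `min_reasons` heuristics, with the reasons attached."""
    flagged = []
    for name, data in entries:
        reasons = score_run_entry(name, data)
        if len(reasons) >= min_reasons:
            flagged.append((name, data, reasons))
    return flagged


if __name__ == "__main__":
    for name, data, reasons in suspicious_run_entries(SAMPLE_RUN_ENTRIES):
        print(f"{name} -> {data}")
        for r in reasons:
            print(f"    - {r}")
```

Requiring two independent reasons keeps single weak signals (a GUID-named entry from a legitimate installer, or any program that happens to live under AppData) from firing on their own; on a real host the entries would come from enumerating HKCU and HKU\<SID> Run keys instead of the constructed list.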
Maps connected drives based on registry (3 TTPs, 4 IoCs)
Disk information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum  (process: 94fff127753ed1d704c781b5c391f5e62f4a907b67f7e1d51c3c84addd5851ab.exe)
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  (process: 94fff127753ed1d704c781b5c391f5e62f4a907b67f7e1d51c3c84addd5851ab.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum  (process: edta.exe)
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  (process: edta.exe)
Suspicious use of SetThreadContext (1 IoC)
  PID 1716 (94fff127753ed1d704c781b5c391f5e62f4a907b67f7e1d51c3c84addd5851ab.exe) set thread context of PID 432 (cmd.exe)
Modifies Internet Explorer settings
  Key created: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Privacy  (process: 94fff127753ed1d704c781b5c391f5e62f4a907b67f7e1d51c3c84addd5851ab.exe)
  Set value (int): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"  (process: 94fff127753ed1d704c781b5c391f5e62f4a907b67f7e1d51c3c84addd5851ab.exe)
Suspicious behavior: EnumeratesProcesses (32 IoCs)
  Process: edta.exe (PID 328), 32 events
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeSecurityPrivilege  (process: 94fff127753ed1d704c781b5c391f5e62f4a907b67f7e1d51c3c84addd5851ab.exe, PID 1716)
Suspicious use of WriteProcessMemory (48 IoCs)
  Source (PID)                                                                        Target (PID)          Writes
  94fff127753ed1d704c781b5c391f5e62f4a907b67f7e1d51c3c84addd5851ab.exe (1716)   edta.exe (328)          4
  94fff127753ed1d704c781b5c391f5e62f4a907b67f7e1d51c3c84addd5851ab.exe (1716)   cmd.exe (432)           9
  edta.exe (328)                                                                      taskhost.exe (1128)     5
  edta.exe (328)                                                                      Dwm.exe (1228)          5
  edta.exe (328)                                                                      Explorer.EXE (1268)     5
  edta.exe (328)                                                                      94fff127753ed1d704c781b5c391f5e62f4a907b67f7e1d51c3c84addd5851ab.exe (1716)   5
  edta.exe (328)                                                                      DllHost.exe (608)       5
  edta.exe (328)                                                                      DllHost.exe (1528)      5
  edta.exe (328)                                                                      DllHost.exe (1488)      5
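Read together, the WriteProcessMemory rows and the single SetThreadContext row describe two distinct things: the dropper (PID 1716) both writes into cmd.exe (PID 432) and redirects a thread in it, which is the write-then-SetThreadContext sequence of process hollowing or thread hijacking, while the dropped edta.exe (PID 328) writes into Explorer, Dwm, taskhost and several DllHost instances, i.e. injection into long-lived system processes. The script below is an added example, not part of the report; it parses rows in the report's own row format, collapses the per-call duplicates into counts, and pulls out both patterns. The rows are a constructed subset of the 49 events above, with a couple of duplicates kept deliberately to show the counting.

```python
import re
from collections import Counter

SAMPLE = "94fff127753ed1d704c781b5c391f5e62f4a907b67f7e1d51c3c84addd5851ab.exe"

# Constructed subset of the report's WriteProcessMemory and SetThreadContext
# rows, in the row format the report uses:
#   PID <src> wrote to memory of <dst> <src> <src image> <dst image>
# Duplicates are kept deliberately: the report lists one row per call.
WRITE_ROWS = [
    f"PID 1716 wrote to memory of 328 1716 {SAMPLE} edta.exe",
    f"PID 1716 wrote to memory of 432 1716 {SAMPLE} cmd.exe",
    f"PID 1716 wrote to memory of 432 1716 {SAMPLE} cmd.exe",
    "PID 328 wrote to memory of 1128 328 edta.exe taskhost.exe",
    "PID 328 wrote to memory of 1228 328 edta.exe Dwm.exe",
    "PID 328 wrote to memory of 1268 328 edta.exe Explorer.EXE",
    "PID 328 wrote to memory of 1268 328 edta.exe Explorer.EXE",
    "PID 328 wrote to memory of 608 328 edta.exe DllHost.exe",
]
CTX_ROWS = [
    f"PID 1716 set thread context of 432 1716 {SAMPLE} cmd.exe",
]

# The source PID appears twice per row; the back-reference enforces that.
WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)$")
CTX_RE = re.compile(r"^PID (\d+) set thread context of (\d+) \1 (\S+) (\S+)$")

# Windows processes a user-mode dropper has no legitimate reason to write into.
SYSTEM_TARGETS = {"explorer.exe", "dwm.exe", "taskhost.exe", "dllhost.exe"}


def parse_rows(rows, pattern):
    """Turn report rows into (src_pid, src_image, dst_pid, dst_image) tuples."""
    events = []
    for row in rows:
        m = pattern.match(row.strip())
        if m:
            events.append((int(m.group(1)), m.group(3), int(m.group(2)), m.group(4)))
    return events


def summarise_writes(events):
    """Collapse the per-call rows into one count per (source, target) pair."""
    return Counter(events)


def writes_into_system_processes(events):
    """Cross-process writes whose target is a core Windows process (deduplicated)."""
    return sorted({e for e in events if e[3].lower() in SYSTEM_TARGETS})


def hollowing_candidates(write_events, ctx_events):
    """(src_pid, dst_pid) pairs where one process both wrote into another and
    redirected a thread in it: the write-then-SetThreadContext pattern of
    process hollowing / thread hijacking."""
    wrote = {(e[0], e[2]) for e in write_events}
    redirected = {(e[0], e[2]) for e in ctx_events}
    return sorted(wrote & redirected)


if __name__ == "__main__":
    writes = parse_rows(WRITE_ROWS, WRITE_RE)
    ctx = parse_rows(CTX_ROWS, CTX_RE)
    for (src, src_img, dst, dst_img), n in summarise_writes(writes).most_common():
        print(f"{src_img} ({src}) -> {dst_img} ({dst}): {n} write(s)")
    print("writes into system processes:", writes_into_system_processes(writes))
    print("hollowing candidates:", hollowing_candidates(writes, ctx))
```

The intersection in hollowing_candidates is the useful part: a write on its own is noisy (debuggers, AV, installers), and SetThreadContext on its own is rare but legitimate; the same source and target appearing in both is what makes PID 1716 to PID 432 stand out here.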
Processes
C:\Windows\Explorer.EXE  ("C:\Windows\Explorer.EXE")
  C:\Users\Admin\AppData\Local\Temp\94fff127753ed1d704c781b5c391f5e62f4a907b67f7e1d51c3c84addd5851ab.exe  ("C:\Users\Admin\AppData\Local\Temp\94fff127753ed1d704c781b5c391f5e62f4a907b67f7e1d51c3c84addd5851ab.exe")
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Suspicious use of SetThreadContext
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\Awym\edta.exe  ("C:\Users\Admin\AppData\Roaming\Awym\edta.exe")
      - Executes dropped EXE
      - Adds Run key to start application
      - Maps connected drives based on registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe  ("C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp205d5cba.bat")  (32-bit child; the system32 path in the command line is redirected to SysWOW64 under WOW64)
      - Deletes itself
C:\Windows\system32\Dwm.exe  ("C:\Windows\system32\Dwm.exe")
C:\Windows\system32\taskhost.exe  ("taskhost.exe")
C:\Windows\system32\DllHost.exe  (C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF})
C:\Windows\system32\DllHost.exe  (C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683})
C:\Windows\system32\DllHost.exe  (C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF})
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
C:\Users\Admin\AppData\Local\Temp\tmp205d5cba.bat
  MD5: beb9e1f9b54ce894cb86d7f722713be6
  SHA1: 7973e493ef79b56ad9e42d001b4cfc68c822bfae
  SHA256: 1c7785d6c956fdf06b19a09d18e46d0c61be733618938399bfd30308cf859420
  SHA512: c1201ae2736494452796cfb5c2b4424eaaf5e73f4769a833b8bd286d77963b35e5b44ed63089253318260ae18e8c699189550b8ab62a29494bbbbceaa0212f2b
C:\Users\Admin\AppData\Roaming\Awym\edta.exe  (listed three times, twice with and once without the drive letter; all with the same hashes)
  MD5: cb163d91c95f087fed58eae663fc9c37
  SHA1: 473c13d7f76aab2be69b33411f72f1e3d9461747
  SHA256: 363d46c02e11a307f9740dbc994f30e287357e94369c0e0bc27ca0cd991e884f
  SHA512: 981e71e40e45a801a39416da9d3f486d5c984cd6da6e404b6edd67bf54444e22545e029bbd2d93112156e3d3bc83dd32b5bf3d8cc2fb4ba8d1bc2666fe7f9492
memory/328-5-0x0000000000000000-mapping.dmp
memory/432-10-0x0000000000050000-0x0000000000076000-memory.dmp  (152KB)
memory/432-11-0x0000000000064540-mapping.dmp
memory/432-18-0x00000000001A0000-0x00000000001A1000-memory.dmp  (4KB)
memory/1528-19-0x000007FEF63D0000-0x000007FEF664A000-memory.dmp  (2.5MB)
memory/1716-2-0x00000000766F1000-0x00000000766F3000-memory.dmp  (8KB)
memory/1716-9-0x0000000000270000-0x0000000000296000-memory.dmp  (152KB)
memory/1716-3-0x00000000001C0000-0x00000000001D5000-memory.dmp  (84KB)
memory/1716-15-0x0000000000270000-0x0000000000292000-memory.dmp  (136KB)
memory/1716-16-0x00000000004C0000-0x00000000004C1000-memory.dmp  (4KB)