Analysis
-
max time kernel
37s -
max time network
133s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
07-05-2021 13:05
General
-
Target
11.exe
-
Size
1.4MB
-
MD5
1fc1c860e86a8fbc2021d2567d62f703
-
SHA1
42ea2c9f4548614574dff36e019ae1cbc68b54e3
-
SHA256
76005ce2b7eb0c95f8dcc06b501244c73b17b3aff65e78c672c4a6ae56e67306
-
SHA512
fb48f1837601a1bc7b2057d086414bc4a8478d3a3f17ea216e424d7d7509b825e35be8c7b6afb7ec91604058b2e4e230f8daba46fc04b30d3e0e1b473c20b67c
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
-
Sets DLL path for service in the registry 2 TTPs
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Deletes itself 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Drops file in System32 directory 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 5 IoCs
-
Modifies data under HKEY_USERS 24 IoCs
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 63 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\11.exe"C:\Users\Admin\AppData\Local\Temp\11.exe"1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add policy name=Block2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filterlist name=Filter12⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filteraction name=FilteraAtion1 action=block2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Block filterlist=Filter1 filteraction=FilteraAtion12⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Block assign=y2⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\11.exe"2⤵
- Deletes itself
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k GraphicsPerf_SvcsGroup1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe2⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Cursors\wudfhosts.exeC:\Windows\Cursors\wudfhosts.exe -o xmr.usa-138.com:80 -u 4B7yFmYw2qvEtWZDDnZVeY16HHpwTtuYBg6EMn5xdDbM3ggSEnQFDWDHH6cqdEYaPx4iQvAwLNu8NLc21QxDU84GGxZEY7S3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\Cursors\WUDFhosts.exeMD5
4a72e30c0a582b082030adfd8345014f
SHA12f92ccf13f8dfc7eeff49903a0d1ea8dd97a7353
SHA256e1315c41f50a75c308cdb023f7e48c0aa62931d5771ad8bc4220018ed5d7f976
SHA5128a75925b0695284105856823190531dc4cfcf32a8ae3226ef8c1f796185aa01f8c085b6457a63b1cf81842da2c6baafd4cabf7565a8d96d3460054439bbfb798
-
C:\Windows\Cursors\wudfhosts.exeMD5
4a72e30c0a582b082030adfd8345014f
SHA12f92ccf13f8dfc7eeff49903a0d1ea8dd97a7353
SHA256e1315c41f50a75c308cdb023f7e48c0aa62931d5771ad8bc4220018ed5d7f976
SHA5128a75925b0695284105856823190531dc4cfcf32a8ae3226ef8c1f796185aa01f8c085b6457a63b1cf81842da2c6baafd4cabf7565a8d96d3460054439bbfb798
-
\??\c:\windows\help\active_desktop_render.dllMD5
14e2b194b652d4fd912404775a6ae898
SHA1e93f529bb61e12c41426cb2b86176bf0af387c09
SHA25624ca5f0220c6bbcb081de1cd4e4115bb026cd45dbe34fc462a40b241b026d66c
SHA512b2ee0b06da1a42c04ef54e36f4a66720698e1c2d58545854d0989ae805d00e760b8bc8815ab00dd8be208f7816ed4249855c9fa506427c1f89a3dfb309c734d6
-
\Windows\Cursors\WUDFhosts.exeMD5
4a72e30c0a582b082030adfd8345014f
SHA12f92ccf13f8dfc7eeff49903a0d1ea8dd97a7353
SHA256e1315c41f50a75c308cdb023f7e48c0aa62931d5771ad8bc4220018ed5d7f976
SHA5128a75925b0695284105856823190531dc4cfcf32a8ae3226ef8c1f796185aa01f8c085b6457a63b1cf81842da2c6baafd4cabf7565a8d96d3460054439bbfb798
-
\Windows\Help\active_desktop_render.dllMD5
14e2b194b652d4fd912404775a6ae898
SHA1e93f529bb61e12c41426cb2b86176bf0af387c09
SHA25624ca5f0220c6bbcb081de1cd4e4115bb026cd45dbe34fc462a40b241b026d66c
SHA512b2ee0b06da1a42c04ef54e36f4a66720698e1c2d58545854d0989ae805d00e760b8bc8815ab00dd8be208f7816ed4249855c9fa506427c1f89a3dfb309c734d6
-
memory/284-72-0x0000000000000000-mapping.dmp
-
memory/332-84-0x0000000000000000-mapping.dmp
-
memory/340-80-0x0000000000000000-mapping.dmp
-
memory/396-87-0x0000000010000000-0x000000001010C000-memory.dmpFilesize
1.0MB
-
memory/396-89-0x0000000010000000-0x000000001010C000-memory.dmpFilesize
1.0MB
-
memory/396-93-0x0000000010000000-0x000000001010C000-memory.dmpFilesize
1.0MB
-
memory/396-91-0x0000000010072B6D-mapping.dmp
-
memory/396-88-0x0000000010000000-0x000000001010C000-memory.dmpFilesize
1.0MB
-
memory/396-86-0x0000000010000000-0x000000001010C000-memory.dmpFilesize
1.0MB
-
memory/484-66-0x0000000000000000-mapping.dmp
-
memory/1156-74-0x0000000000000000-mapping.dmp
-
memory/1472-60-0x0000000000000000-mapping.dmp
-
memory/1628-70-0x0000000000000000-mapping.dmp
-
memory/1748-64-0x0000000000000000-mapping.dmp
-
memory/1800-78-0x0000000000000000-mapping.dmp
-
memory/1904-68-0x0000000000000000-mapping.dmp
-
memory/1968-62-0x0000000000000000-mapping.dmp
-
memory/1984-76-0x0000000000000000-mapping.dmp
-
memory/1992-96-0x0000000000000000-mapping.dmp
-
memory/1992-98-0x00000000000F0000-0x0000000000100000-memory.dmpFilesize
64KB
-
memory/1992-99-0x0000000000220000-0x0000000000230000-memory.dmpFilesize
64KB
-
memory/1992-100-0x0000000000230000-0x0000000000240000-memory.dmpFilesize
64KB
-
memory/1992-101-0x0000000000240000-0x0000000000250000-memory.dmpFilesize
64KB
-
memory/1996-59-0x00000000765F1000-0x00000000765F3000-memory.dmpFilesize
8KB