Analysis
max time kernel: 151s
max time network: 149s
platform: windows10_x64
resource: win10v20210408
submitted: 08-05-2021 23:03
Static task: static1
Behavioral task: behavioral1
  Sample: a9eec798087fd2cbb1968044963f675a480cf5f6867dfddd7108b5b073c84898.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: a9eec798087fd2cbb1968044963f675a480cf5f6867dfddd7108b5b073c84898.exe
  Resource: win10v20210408
General
Target: a9eec798087fd2cbb1968044963f675a480cf5f6867dfddd7108b5b073c84898.exe
Size: 98KB
MD5: cd1a70fc9e006494a67c2e70981651c9
SHA1: 1dee7ceb1f8e915f7a62736eb60e1ef84e4c2933
SHA256: a9eec798087fd2cbb1968044963f675a480cf5f6867dfddd7108b5b073c84898
SHA512: 50c34689b8249999480fa2889e84f06f5bf2683bef246ce5f898f907e92d9eb208744cba15a599a9a531b48ef987ffcd486909716d0fb056f02ef6431e067c37
Malware Config
Signatures

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes (description | ioc | process):
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run | winver.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\F00333B2 = "C:\\Users\\Admin\\AppData\\Roaming\\F00333B2\\bin.exe" | winver.exe
Suspicious use of SetThreadContext (1 IoC)
Processes (description | pid | process | target process):
PID 900 set thread context of 4044 | 900 | a9eec798087fd2cbb1968044963f675a480cf5f6867dfddd7108b5b073c84898.exe | a9eec798087fd2cbb1968044963f675a480cf5f6867dfddd7108b5b073c84898.exe

Program crash (1 IoC)
Processes (pid | pid_target | process | target process):
2288 | 3744 | WerFault.exe | DllHost.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid | process; the 64 repeated entries are collapsed to their unique pairs):
900 | a9eec798087fd2cbb1968044963f675a480cf5f6867dfddd7108b5b073c84898.exe
4032 | winver.exe
2288 | WerFault.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes (pid | process):
2568 | Explorer.EXE

Suspicious use of AdjustPrivilegeToken (11 IoCs)
Processes (description | pid | process):
Token: SeDebugPrivilege | 2288 | WerFault.exe
Token: SeShutdownPrivilege | 2568 | Explorer.EXE (5 times)
Token: SeCreatePagefilePrivilege | 2568 | Explorer.EXE (5 times)

Suspicious use of FindShellTrayWindow (1 IoC)
Processes (pid | process):
4032 | winver.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes (pid | process):
900 | a9eec798087fd2cbb1968044963f675a480cf5f6867dfddd7108b5b073c84898.exe (2 times)

Suspicious use of UnmapMainImage (1 IoC)
Processes (pid | process):
2568 | Explorer.EXE
Suspicious use of WriteProcessMemory (24 IoCs)
Processes (description | pid | process | target process):
PID 900 wrote to memory of 4044 | 900 | a9eec798087fd2cbb1968044963f675a480cf5f6867dfddd7108b5b073c84898.exe | a9eec798087fd2cbb1968044963f675a480cf5f6867dfddd7108b5b073c84898.exe (7 times)
PID 4044 wrote to memory of 4032 | 4044 | a9eec798087fd2cbb1968044963f675a480cf5f6867dfddd7108b5b073c84898.exe | winver.exe (4 times)
PID 4032 wrote to memory of 2568 | 4032 | winver.exe | Explorer.EXE
PID 4032 wrote to memory of 2336 | 4032 | winver.exe | sihost.exe
PID 4032 wrote to memory of 2356 | 4032 | winver.exe | svchost.exe
PID 4032 wrote to memory of 2460 | 4032 | winver.exe | taskhostw.exe
PID 4032 wrote to memory of 2568 | 4032 | winver.exe | Explorer.EXE
PID 4032 wrote to memory of 3248 | 4032 | winver.exe | ShellExperienceHost.exe
PID 4032 wrote to memory of 3256 | 4032 | winver.exe | SearchUI.exe
PID 4032 wrote to memory of 3484 | 4032 | winver.exe | RuntimeBroker.exe
PID 4032 wrote to memory of 3744 | 4032 | winver.exe | DllHost.exe
PID 4032 wrote to memory of 2272 | 4032 | winver.exe | DllHost.exe
PID 4032 wrote to memory of 1448 | 4032 | winver.exe |
PID 4032 wrote to memory of 2288 | 4032 | winver.exe | WerFault.exe
PID 4032 wrote to memory of 3956 | 4032 | winver.exe | slui.exe
Processes
(indentation shows the parent/child depth recorded in the report; signature flags are listed under each PID)

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
  Command: "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
  PID: 3248

C:\Windows\system32\DllHost.exe
  Command: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 3744
    C:\Windows\system32\WerFault.exe
      Command: C:\Windows\system32\WerFault.exe -u -p 3744 -s 836
      PID: 2288
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\RuntimeBroker.exe
  Command: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 3484

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
  Command: "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
  PID: 3256

C:\Windows\Explorer.EXE
  Command: C:\Windows\Explorer.EXE
  PID: 2568
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
    C:\Users\Admin\AppData\Local\Temp\a9eec798087fd2cbb1968044963f675a480cf5f6867dfddd7108b5b073c84898.exe
      Command: "C:\Users\Admin\AppData\Local\Temp\a9eec798087fd2cbb1968044963f675a480cf5f6867dfddd7108b5b073c84898.exe"
      PID: 900
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\a9eec798087fd2cbb1968044963f675a480cf5f6867dfddd7108b5b073c84898.exe
          Command: C:\Users\Admin\AppData\Local\Temp\a9eec798087fd2cbb1968044963f675a480cf5f6867dfddd7108b5b073c84898.exe
          PID: 4044
          - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\winver.exe
              Command: winver
              PID: 4032
              - Adds Run key to start application
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of FindShellTrayWindow
              - Suspicious use of WriteProcessMemory

c:\windows\system32\taskhostw.exe
  Command: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  PID: 2460

c:\windows\system32\svchost.exe
  Command: c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
  PID: 2356

c:\windows\system32\sihost.exe
  Command: sihost.exe
  PID: 2336

C:\Windows\system32\DllHost.exe
  Command: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  PID: 2272

C:\Windows\System32\slui.exe
  Command: C:\Windows\System32\slui.exe -Embedding
  PID: 3956
Network
MITRE ATT&CK Enterprise v6
Downloads (memory dump | filesize)
memory/900-117-0x00000000005D0000-0x00000000005D4000-memory.dmp | 16KB
memory/2272-127-0x0000000000590000-0x0000000000596000-memory.dmp | 24KB
memory/2288-130-0x00007FFBBC480000-0x00007FFBBC481000-memory.dmp | 4KB
memory/2288-128-0x0000000000AC0000-0x0000000000AC6000-memory.dmp | 24KB
memory/2288-129-0x00007FFBBC470000-0x00007FFBBC471000-memory.dmp | 4KB
memory/2336-123-0x0000000000F00000-0x0000000000F06000-memory.dmp | 24KB
memory/2356-125-0x0000000000AF0000-0x0000000000AF6000-memory.dmp | 24KB
memory/2460-124-0x00000000004A0000-0x00000000004A6000-memory.dmp | 24KB
memory/2568-122-0x0000000000CC0000-0x0000000000CC6000-memory.dmp | 24KB
memory/2568-121-0x0000000000D90000-0x0000000000D96000-memory.dmp | 24KB
memory/2568-131-0x00007FFBBC490000-0x00007FFBBC491000-memory.dmp | 4KB
memory/3484-126-0x00000000000D0000-0x00000000000D6000-memory.dmp | 24KB
memory/3956-132-0x00000000004F0000-0x00000000004F6000-memory.dmp | 24KB
memory/4032-120-0x0000000003200000-0x000000000334A000-memory.dmp | 1.3MB
memory/4032-116-0x0000000000000000-mapping.dmp |
memory/4044-115-0x0000000000401000-mapping.dmp |
memory/4044-119-0x0000000001700000-0x0000000002100000-memory.dmp | 10.0MB
memory/4044-118-0x0000000000400000-0x0000000000404400-memory.dmp | 17KB
memory/4044-114-0x0000000000400000-0x000000000149A000-memory.dmp | 16.6MB