Analysis
- max time kernel: 151s
- max time network: 148s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 09-05-2021 16:48

Static task: static1

Behavioral task: behavioral1
- Sample: 8ee8f7beee006e3a8490466b1c92649bdac5f01ebb278fe9481e87f4f865d0a8.exe
- Resource: win7v20210410

Behavioral task: behavioral2
- Sample: 8ee8f7beee006e3a8490466b1c92649bdac5f01ebb278fe9481e87f4f865d0a8.exe
- Resource: win10v20210408

General
- Target: 8ee8f7beee006e3a8490466b1c92649bdac5f01ebb278fe9481e87f4f865d0a8.exe
- Size: 160KB
- MD5: bb7975b2ba7ca271e5e75628c4f648ac
- SHA1: f9741d1c73c53c736fb19e51123f3325db5e9b32
- SHA256: 8ee8f7beee006e3a8490466b1c92649bdac5f01ebb278fe9481e87f4f865d0a8
- SHA512: 3e73a69972d65dceeb44e01015fd4e3eb5abfce9d0029a2ce54d29248071690337e872de84a396e86291bc12f33ef7769b15f1c257dc87694dfaba21ee5f51bd
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: winver.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run | winver.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\09B9844E = "C:\\Users\\Admin\\AppData\\Roaming\\09B9844E\\bin.exe" | winver.exe

- Suspicious use of SetThreadContext (1 IoCs)
  Processes: 8ee8f7beee006e3a8490466b1c92649bdac5f01ebb278fe9481e87f4f865d0a8.exe
  description | pid | process | target process
  PID 656 set thread context of 3916 | 656 | 8ee8f7beee006e3a8490466b1c92649bdac5f01ebb278fe9481e87f4f865d0a8.exe | 8ee8f7beee006e3a8490466b1c92649bdac5f01ebb278fe9481e87f4f865d0a8.exe

- Program crash (1 IoCs)
  Processes: WerFault.exe
  pid | pid_target | process | target process
  2372 | 3876 | WerFault.exe | DllHost.exe

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: winver.exe, WerFault.exe
  pid | process
  3588 | winver.exe (4 entries)
  2372 | WerFault.exe (14 entries)
  3588 | winver.exe (46 further entries)

- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: Explorer.EXE
  pid | process
  3092 | Explorer.EXE

- Suspicious use of AdjustPrivilegeToken (11 IoCs)
  Processes: WerFault.exe, Explorer.EXE
  description | pid | process
  Token: SeDebugPrivilege | 2372 | WerFault.exe
  Token: SeShutdownPrivilege | 3092 | Explorer.EXE
  Token: SeCreatePagefilePrivilege | 3092 | Explorer.EXE
  Token: SeShutdownPrivilege | 3092 | Explorer.EXE
  Token: SeCreatePagefilePrivilege | 3092 | Explorer.EXE
  Token: SeShutdownPrivilege | 3092 | Explorer.EXE
  Token: SeCreatePagefilePrivilege | 3092 | Explorer.EXE
  Token: SeShutdownPrivilege | 3092 | Explorer.EXE
  Token: SeCreatePagefilePrivilege | 3092 | Explorer.EXE
  Token: SeShutdownPrivilege | 3092 | Explorer.EXE
  Token: SeCreatePagefilePrivilege | 3092 | Explorer.EXE

- Suspicious use of FindShellTrayWindow (1 IoCs)
  Processes: winver.exe
  pid | process
  3588 | winver.exe

- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes: 8ee8f7beee006e3a8490466b1c92649bdac5f01ebb278fe9481e87f4f865d0a8.exe
  pid | process
  656 | 8ee8f7beee006e3a8490466b1c92649bdac5f01ebb278fe9481e87f4f865d0a8.exe

- Suspicious use of UnmapMainImage (1 IoCs)
  Processes: Explorer.EXE
  pid | process
  3092 | Explorer.EXE

- Suspicious use of WriteProcessMemory (24 IoCs)
  Processes: 8ee8f7beee006e3a8490466b1c92649bdac5f01ebb278fe9481e87f4f865d0a8.exe, winver.exe
  description | pid | process | target process
  PID 656 wrote to memory of 3916 | 656 | 8ee8f7beee006e3a8490466b1c92649bdac5f01ebb278fe9481e87f4f865d0a8.exe | 8ee8f7beee006e3a8490466b1c92649bdac5f01ebb278fe9481e87f4f865d0a8.exe (7 entries)
  PID 3916 wrote to memory of 3588 | 3916 | 8ee8f7beee006e3a8490466b1c92649bdac5f01ebb278fe9481e87f4f865d0a8.exe | winver.exe (4 entries)
  PID 3588 wrote to memory of 3092 | 3588 | winver.exe | Explorer.EXE
  PID 3588 wrote to memory of 2880 | 3588 | winver.exe | sihost.exe
  PID 3588 wrote to memory of 2896 | 3588 | winver.exe | svchost.exe
  PID 3588 wrote to memory of 2972 | 3588 | winver.exe | taskhostw.exe
  PID 3588 wrote to memory of 3092 | 3588 | winver.exe | Explorer.EXE
  PID 3588 wrote to memory of 3348 | 3588 | winver.exe | ShellExperienceHost.exe
  PID 3588 wrote to memory of 3360 | 3588 | winver.exe | SearchUI.exe
  PID 3588 wrote to memory of 3604 | 3588 | winver.exe | RuntimeBroker.exe
  PID 3588 wrote to memory of 3876 | 3588 | winver.exe | DllHost.exe
  PID 3588 wrote to memory of 3568 | 3588 | winver.exe | DllHost.exe
  PID 3588 wrote to memory of 200 | 3588 | winver.exe |
  PID 3588 wrote to memory of 2372 | 3588 | winver.exe | WerFault.exe
  PID 3588 wrote to memory of 2112 | 3588 | winver.exe | slui.exe
Processes
- C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE)
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - C:\Users\Admin\AppData\Local\Temp\8ee8f7beee006e3a8490466b1c92649bdac5f01ebb278fe9481e87f4f865d0a8.exe (command line: "C:\Users\Admin\AppData\Local\Temp\8ee8f7beee006e3a8490466b1c92649bdac5f01ebb278fe9481e87f4f865d0a8.exe")
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\8ee8f7beee006e3a8490466b1c92649bdac5f01ebb278fe9481e87f4f865d0a8.exe (command line: "C:\Users\Admin\AppData\Local\Temp\8ee8f7beee006e3a8490466b1c92649bdac5f01ebb278fe9481e87f4f865d0a8.exe")
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\winver.exe (command line: winver)
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory
- C:\Windows\system32\DllHost.exe (command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683})
  - C:\Windows\system32\WerFault.exe (command line: C:\Windows\system32\WerFault.exe -u -p 3876 -s 864)
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\RuntimeBroker.exe (command line: C:\Windows\System32\RuntimeBroker.exe -Embedding)
- C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe (command line: "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca)
- C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe (command line: "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca)
- c:\windows\system32\taskhostw.exe (command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E})
- c:\windows\system32\svchost.exe (command line: c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc)
- c:\windows\system32\sihost.exe (command line: sihost.exe)
- C:\Windows\system32\DllHost.exe (command line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5})
- C:\Windows\System32\slui.exe (command line: C:\Windows\System32\slui.exe -Embedding)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/2112-132-0x00000000005F0000-0x00000000005F7000-memory.dmp (Filesize: 28KB)
- memory/2372-130-0x00007FFDDF9D0000-0x00007FFDDF9D1000-memory.dmp (Filesize: 4KB)
- memory/2372-129-0x0000000000F80000-0x0000000000F87000-memory.dmp (Filesize: 28KB)
- memory/2880-123-0x0000000000590000-0x0000000000597000-memory.dmp (Filesize: 28KB)
- memory/2896-125-0x0000000000B70000-0x0000000000B77000-memory.dmp (Filesize: 28KB)
- memory/2972-126-0x00000000009A0000-0x00000000009A7000-memory.dmp (Filesize: 28KB)
- memory/3092-124-0x0000000000A30000-0x0000000000A37000-memory.dmp (Filesize: 28KB)
- memory/3092-122-0x0000000000A20000-0x0000000000A27000-memory.dmp (Filesize: 28KB)
- memory/3092-131-0x00007FFDDF9E0000-0x00007FFDDF9E1000-memory.dmp (Filesize: 4KB)
- memory/3568-128-0x0000000000910000-0x0000000000917000-memory.dmp (Filesize: 28KB)
- memory/3588-121-0x0000000001190000-0x0000000001197000-memory.dmp (Filesize: 28KB)
- memory/3588-118-0x0000000000000000-mapping.dmp
- memory/3604-127-0x0000000000EC0000-0x0000000000EC7000-memory.dmp (Filesize: 28KB)
- memory/3916-116-0x0000000000400000-0x0000000000405000-memory.dmp (Filesize: 20KB)
- memory/3916-120-0x00000000005A0000-0x00000000006EA000-memory.dmp (Filesize: 1.3MB)
- memory/3916-117-0x0000000000401000-mapping.dmp