Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 09-05-2021 00:16

Static task: static1

Behavioral task: behavioral1
- Sample: 671eff9c2d45ef1ae474c5580138aca9fd58251905f301808a4e30039fd21bf8.exe
- Resource: win7v20210410

Behavioral task: behavioral2
- Sample: 671eff9c2d45ef1ae474c5580138aca9fd58251905f301808a4e30039fd21bf8.exe
- Resource: win10v20210410
General
- Target: 671eff9c2d45ef1ae474c5580138aca9fd58251905f301808a4e30039fd21bf8.exe
- Size: 69KB
- MD5: 233c1bf3b2d03c537c84d36307bb63fd
- SHA1: ede614c1b886b8d6918298776cc0ac4669a46131
- SHA256: 671eff9c2d45ef1ae474c5580138aca9fd58251905f301808a4e30039fd21bf8
- SHA512: 4aedb6a00460ad31967672779f8bffd5936391eea6266f68e44e202c8a4cbf5d4c8fec532bbb798c69c9d1128b0fd3edfdfa1ea2736720966c2b1e2cac54f637
Malware Config
Signatures

- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
  - Set value (str): \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\15BAB5BE = "C:\\Users\\Admin\\AppData\\Roaming\\15BAB5BE\\bin.exe" (winver.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run (winver.exe)

- Program crash (1 IoC)
  Processes (pid, pid_target, process, target process):
  - 3880, 3784, WerFault.exe, DllHost.exe

- Modifies registry class (2 IoCs)
  Processes (description, ioc, process):
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance (Explorer.EXE)
  - Key created: \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance (Explorer.EXE)

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid, process; the same two entries are repeated throughout the 64 IoCs):
  - 2564, winver.exe
  - 3880, WerFault.exe

- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes (pid, process):
  - 3060, Explorer.EXE

- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  Processes (description, pid, process; the Explorer.EXE entries alternate repeatedly throughout the 35 IoCs):
  - Token: SeShutdownPrivilege, 3060, Explorer.EXE
  - Token: SeCreatePagefilePrivilege, 3060, Explorer.EXE
  - Token: SeDebugPrivilege, 3880, WerFault.exe

- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes (pid, process):
  - 2564, winver.exe
  - 3060, Explorer.EXE

- Suspicious use of SendNotifyMessage (1 IoC)
  Processes (pid, process):
  - 3060, Explorer.EXE

- Suspicious use of UnmapMainImage (1 IoC)
  Processes (pid, process):
  - 3060, Explorer.EXE

- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes (description, pid, process, target process):
  - PID 3736 wrote to memory of 2564: 671eff9c2d45ef1ae474c5580138aca9fd58251905f301808a4e30039fd21bf8.exe -> winver.exe (4 entries)
  - PID 2564 wrote to memory of 3060: winver.exe -> Explorer.EXE
  - PID 2564 wrote to memory of 2372: winver.exe -> sihost.exe
  - PID 2564 wrote to memory of 2392: winver.exe -> svchost.exe
  - PID 2564 wrote to memory of 2464: winver.exe -> taskhostw.exe
  - PID 2564 wrote to memory of 3060: winver.exe -> Explorer.EXE
  - PID 2564 wrote to memory of 3280: winver.exe -> ShellExperienceHost.exe
  - PID 2564 wrote to memory of 3296: winver.exe -> SearchUI.exe
  - PID 2564 wrote to memory of 3508: winver.exe -> RuntimeBroker.exe
  - PID 2564 wrote to memory of 3784: winver.exe -> DllHost.exe
  - PID 2564 wrote to memory of 2876: winver.exe -> DllHost.exe
  - PID 2564 wrote to memory of 2720: winver.exe -> (target process not recorded)
  - PID 2564 wrote to memory of 3880: winver.exe -> WerFault.exe
  - PID 2564 wrote to memory of 3256: winver.exe -> slui.exe
Processes (process tree; nesting shows parent/child relationships)

- c:\windows\system32\sihost.exe
  command line: sihost.exe

- C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  signatures: Modifies registry class; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of UnmapMainImage

  - C:\Users\Admin\AppData\Local\Temp\671eff9c2d45ef1ae474c5580138aca9fd58251905f301808a4e30039fd21bf8.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\671eff9c2d45ef1ae474c5580138aca9fd58251905f301808a4e30039fd21bf8.exe"
    signatures: Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\winver.exe
      command line: winver
      signatures: Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory

- C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
  command line: "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca

- C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

  - C:\Windows\system32\WerFault.exe
    command line: C:\Windows\system32\WerFault.exe -u -p 3784 -s 848
    signatures: Program crash; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

- C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding

- C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
  command line: "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca

- c:\windows\system32\taskhostw.exe
  command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

- c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc

- C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

- C:\Windows\System32\slui.exe
  command line: C:\Windows\System32\slui.exe -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/2372-123-0x0000000000570000-0x0000000000576000-memory.dmp (Filesize: 24KB)
- memory/2392-124-0x0000000000480000-0x0000000000486000-memory.dmp (Filesize: 24KB)
- memory/2464-126-0x0000000000F00000-0x0000000000F06000-memory.dmp (Filesize: 24KB)
- memory/2564-118-0x00000000001F0000-0x00000000001F6000-memory.dmp (Filesize: 24KB)
- memory/2564-115-0x0000000000000000-mapping.dmp
- memory/2876-128-0x00000000005C0000-0x00000000005C6000-memory.dmp (Filesize: 24KB)
- memory/3060-122-0x00007FFCFAD20000-0x00007FFCFAD21000-memory.dmp (Filesize: 4KB)
- memory/3060-121-0x00007FFCFAD30000-0x00007FFCFAD31000-memory.dmp (Filesize: 4KB)
- memory/3060-120-0x00007FFCFAD40000-0x00007FFCFAD41000-memory.dmp (Filesize: 4KB)
- memory/3060-119-0x0000000000430000-0x0000000000436000-memory.dmp (Filesize: 24KB)
- memory/3060-125-0x0000000000440000-0x0000000000446000-memory.dmp (Filesize: 24KB)
- memory/3256-130-0x00000000004A0000-0x00000000004A6000-memory.dmp (Filesize: 24KB)
- memory/3508-127-0x0000000000DE0000-0x0000000000DE6000-memory.dmp (Filesize: 24KB)
- memory/3736-117-0x0000000002510000-0x0000000002F10000-memory.dmp (Filesize: 10.0MB)
- memory/3736-114-0x0000000000400000-0x0000000000413000-memory.dmp (Filesize: 76KB)
- memory/3736-116-0x0000000000420000-0x00000000004CE000-memory.dmp (Filesize: 696KB)
- memory/3880-129-0x0000000000EE0000-0x0000000000EE6000-memory.dmp (Filesize: 24KB)