Analysis
- max time kernel: 150s
- max time network: 147s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 11-05-2021 13:19

Static task: static1
Behavioral task: behavioral1
- Sample: 38d16e18bf59b0e170405b2fde743a6f9e57d37cee774458036aae92619d221a.exe
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: 38d16e18bf59b0e170405b2fde743a6f9e57d37cee774458036aae92619d221a.exe
- Resource: win10v20210408
General
- Target: 38d16e18bf59b0e170405b2fde743a6f9e57d37cee774458036aae92619d221a.exe
- Size: 69KB
- MD5: 4e9fcd33f8ae7d02858946f86ce0a520
- SHA1: 9269c7fc51b6c424f7f81c9f9a9c5b0a96aab183
- SHA256: 38d16e18bf59b0e170405b2fde743a6f9e57d37cee774458036aae92619d221a
- SHA512: 4723a380921184bdbd51ac677fab270c742a65baf60cba7b5e1e845254915cf32d40e37ea796a76193a12607e0f1957e5c29c2c3371f0f834cb1504a4cfaa7ba
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: winver.exe
    Key created      \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run   (winver.exe)
    Set value (str)  \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\E01060EF = "C:\\Users\\Admin\\AppData\\Roaming\\E01060EF\\bin.exe"   (winver.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: winver.exe
    pid 2036  winver.exe   (64 identical entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: Explorer.EXE
    pid 1244  Explorer.EXE
- Suspicious use of FindShellTrayWindow (5 IoCs)
  Processes: winver.exe, Explorer.EXE
    pid 2036  winver.exe     (1 entry)
    pid 1244  Explorer.EXE   (4 entries)
- Suspicious use of SendNotifyMessage (4 IoCs)
  Processes: Explorer.EXE
    pid 1244  Explorer.EXE   (4 entries)
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 38d16e18bf59b0e170405b2fde743a6f9e57d37cee774458036aae92619d221a.exe, winver.exe
    PID 368  wrote to memory of 2036   38d16e18bf59b0e170405b2fde743a6f9e57d37cee774458036aae92619d221a.exe -> winver.exe   (5 entries)
    PID 2036 wrote to memory of 1244   winver.exe -> Explorer.EXE
    PID 2036 wrote to memory of 1128   winver.exe -> taskhost.exe
    PID 2036 wrote to memory of 1180   winver.exe -> Dwm.exe
    PID 2036 wrote to memory of 1244   winver.exe -> Explorer.EXE
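Detection logic for the two signatures above, the Run value written by winver.exe and the WriteProcessMemory chain from the sample through winver.exe into Explorer.EXE, taskhost.exe and Dwm.exe, as an added example that is not part of the sandbox report. The records are constructed from the report's IoC rows in a Sysmon-like shape (EventID 13 for a registry SetValue, ProcessAccess rows as plain tuples); the field names, the rule thresholds and the benign "VendorUpdater" contrast record are assumptions of this example.

```python
"""Run-key persistence and cross-process-write checks over the two signature
tables above. Added example, not part of the sandbox report: the records are
constructed from the report's IoC rows in a Sysmon-like shape (EventID 13 =
RegistryEvent SetValue; ProcessAccess rows as tuples); the field names and the
benign "VendorUpdater" record are assumptions."""
import ntpath
import re
from collections import defaultdict

RUN_VALUE_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\([^\\]+)$", re.I)
USER_WRITABLE_RE = re.compile(r"\\(?:AppData|Temp|ProgramData|Public)\\", re.I)
HEX_NAME_RE = re.compile(r"^[0-9A-F]{6,}$", re.I)

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\38d16e18bf59b0e170405b2fde743a6f9e57d37cee774458036aae92619d221a.exe")
WINVER = r"C:\Windows\SysWOW64\winver.exe"
SID = "S-1-5-21-2513283230-931923277-594887482-1000"
RUN_KEY = "\\REGISTRY\\USER\\" + SID + "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"

# Constructed from the "Adds Run key" table; the second record is a made-up benign value.
REGISTRY_EVENTS = [
    {"EventID": 13, "ProcessId": 2036, "Image": WINVER,
     "TargetObject": RUN_KEY + "\\E01060EF",
     "Details": r"C:\Users\Admin\AppData\Roaming\E01060EF\bin.exe"},
    {"EventID": 13, "ProcessId": 900, "Image": r"C:\Program Files\Vendor\Updater.exe",
     "TargetObject": RUN_KEY + "\\VendorUpdater",
     "Details": r'"C:\Program Files\Vendor\Updater.exe" /background'},
]
# Constructed from the "WriteProcessMemory" table: (src pid, src image, dst pid, dst image).
PROCESS_ACCESS_EVENTS = [(368, SAMPLE, 2036, WINVER)] * 5 + [
    (2036, WINVER, 1244, r"C:\Windows\Explorer.EXE"),
    (2036, WINVER, 1128, r"C:\Windows\system32\taskhost.exe"),
    (2036, WINVER, 1180, r"C:\Windows\system32\Dwm.exe"),
    (2036, WINVER, 1244, r"C:\Windows\Explorer.EXE"),
]


def command_path(details):
    """Executable path from a Run value's command line, quoted or bare."""
    details = details.strip()
    if details.startswith('"'):
        return details[1:].split('"', 1)[0]
    return details.split()[0] if details else ""


def run_value_reasons(target_object, details):
    """Heuristics for one Run/RunOnce SetValue; an empty list means clean."""
    m = RUN_VALUE_RE.search(target_object)
    if not m:
        return []
    name, exe = m.group(1), command_path(details)
    reasons = []
    if HEX_NAME_RE.match(name):
        reasons.append("value name is a random-looking hex string")
    if USER_WRITABLE_RE.search(exe):
        reasons.append("autostart target lives in a user-writable directory")
    if name.lower() in (p.lower() for p in exe.split("\\")[:-1]):
        reasons.append("value name reused as the target's directory name")
    return reasons


def scan_registry_events(events):
    """[(pid, image, value name, reasons)] for every Run value that trips a rule."""
    hits = []
    for e in events:
        if e["EventID"] != 13:
            continue
        reasons = run_value_reasons(e["TargetObject"], e["Details"])
        if reasons:
            hits.append((e["ProcessId"], e["Image"], e["TargetObject"].rsplit("\\", 1)[1], reasons))
    return hits


def write_edges(events):
    """Collapse write rows into {src_pid: {dst_pid: count}} and a pid -> image map."""
    edges, image = defaultdict(lambda: defaultdict(int)), {}
    for src, src_img, dst, dst_img in events:
        edges[src][dst] += 1
        image[src], image[dst] = src_img, dst_img
    return edges, image


def injection_chains(events):
    """Every path of cross-process writes, as [(pid, image), ...], starting from a
    writer that runs out of a user-writable path. A system binary in the middle
    of a chain (winver.exe here) is the proxy: it received code from the sample
    and is now writing into other processes."""
    edges, image = write_edges(events)

    def walk(pid, seen):
        if pid in seen or pid not in edges:          # leaf or cycle: stop here
            return [[(pid, image[pid])]]
        return [[(pid, image[pid])] + rest
                for dst in edges[pid] for rest in walk(dst, seen | {pid})]

    return [chain for root in list(edges) if USER_WRITABLE_RE.search(image[root])
            for chain in walk(root, frozenset())]


if __name__ == "__main__":
    for pid, image, name, reasons in scan_registry_events(REGISTRY_EVENTS):
        print(f"[persistence] pid {pid} {ntpath.basename(image)} set Run\\{name}: " + "; ".join(reasons))
    for chain in injection_chains(PROCESS_ACCESS_EVENTS):
        print("[injection] " + " -> ".join(f"{p}:{ntpath.basename(i)}" for p, i in chain))
```

Run as a script it prints one persistence hit (pid 2036, value E01060EF, all three rules tripped) and three injection chains, each 368 -> 2036 -> one of 1244, 1128, 1180. The chain walk deliberately keys on the writer's image path rather than on API names, so a sample that swapped WriteProcessMemory for NtWriteVirtualMemory would still be caught as long as the write events themselves are logged.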
Processes
- C:\Windows\Explorer.EXE  (command line: C:\Windows\Explorer.EXE)
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - C:\Users\Admin\AppData\Local\Temp\38d16e18bf59b0e170405b2fde743a6f9e57d37cee774458036aae92619d221a.exe  (command line: "C:\Users\Admin\AppData\Local\Temp\38d16e18bf59b0e170405b2fde743a6f9e57d37cee774458036aae92619d221a.exe")
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\winver.exe  (command line: winver)
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
- C:\Windows\system32\Dwm.exe  (command line: "C:\Windows\system32\Dwm.exe")
- C:\Windows\system32\taskhost.exe  (command line: "taskhost.exe")
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/368-63-0x0000000002150000-0x0000000002B50000-memory.dmp   (Filesize 10.0MB)
- memory/368-62-0x0000000000020000-0x0000000000021000-memory.dmp   (Filesize 4KB)
- memory/368-59-0x0000000000400000-0x0000000000413000-memory.dmp   (Filesize 76KB)
- memory/1128-68-0x0000000001B00000-0x0000000001B06000-memory.dmp  (Filesize 24KB)
- memory/1180-69-0x0000000000340000-0x0000000000346000-memory.dmp  (Filesize 24KB)
- memory/1244-73-0x0000000077710000-0x0000000077711000-memory.dmp  (Filesize 4KB)
- memory/1244-71-0x0000000077730000-0x0000000077731000-memory.dmp  (Filesize 4KB)
- memory/1244-66-0x0000000002B60000-0x0000000002B66000-memory.dmp  (Filesize 24KB)
- memory/1244-72-0x0000000077720000-0x0000000077721000-memory.dmp  (Filesize 4KB)
- memory/1244-70-0x0000000002B70000-0x0000000002B76000-memory.dmp  (Filesize 24KB)
- memory/2036-65-0x00000000000D0000-0x00000000000D6000-memory.dmp  (Filesize 24KB)
- memory/2036-67-0x00000000001C0000-0x00000000001C1000-memory.dmp  (Filesize 4KB)
- memory/2036-60-0x0000000000000000-mapping.dmp
- memory/2036-64-0x0000000000A50000-0x0000000000A66000-memory.dmp  (Filesize 88KB)
- memory/2036-61-0x0000000076661000-0x0000000076663000-memory.dmp  (Filesize 8KB)
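Triage of the dump list above, as an added example that is not part of the report: it parses the sandbox's dump file names, checks that each stated size matches the address range, and ranks the regions an analyst would open first. The pids 368 (sample) and 2036 (winver.exe) come from the report; the ranking rules, the 0x70000000 cut-off for the shared-DLL range and the role assigned to each region are assumptions of this example, not something the sandbox states.

```python
"""Triage of the memory dumps listed above: parse the file names, check the
stated sizes against the address ranges, and rank the regions to open first.
Added example, not part of the report; the ranking rules and the role assigned
to each region are assumptions, not something the sandbox states."""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+)-memory|-mapping)\.dmp$")

# Constructed from the Downloads list: (file name, stated size label or None).
DUMPS = [
    ("memory/368-63-0x0000000002150000-0x0000000002B50000-memory.dmp", "10.0MB"),
    ("memory/368-62-0x0000000000020000-0x0000000000021000-memory.dmp", "4KB"),
    ("memory/368-59-0x0000000000400000-0x0000000000413000-memory.dmp", "76KB"),
    ("memory/1128-68-0x0000000001B00000-0x0000000001B06000-memory.dmp", "24KB"),
    ("memory/1180-69-0x0000000000340000-0x0000000000346000-memory.dmp", "24KB"),
    ("memory/1244-73-0x0000000077710000-0x0000000077711000-memory.dmp", "4KB"),
    ("memory/1244-71-0x0000000077730000-0x0000000077731000-memory.dmp", "4KB"),
    ("memory/1244-66-0x0000000002B60000-0x0000000002B66000-memory.dmp", "24KB"),
    ("memory/1244-72-0x0000000077720000-0x0000000077721000-memory.dmp", "4KB"),
    ("memory/1244-70-0x0000000002B70000-0x0000000002B76000-memory.dmp", "24KB"),
    ("memory/2036-65-0x00000000000D0000-0x00000000000D6000-memory.dmp", "24KB"),
    ("memory/2036-67-0x00000000001C0000-0x00000000001C1000-memory.dmp", "4KB"),
    ("memory/2036-60-0x0000000000000000-mapping.dmp", None),
    ("memory/2036-64-0x0000000000A50000-0x0000000000A66000-memory.dmp", "88KB"),
    ("memory/2036-61-0x0000000076661000-0x0000000076663000-memory.dmp", "8KB"),
]


def human(n):
    """The report's size labels: whole KB below 1 MiB, otherwise one decimal of MB."""
    if n < 1024 * 1024:
        return f"{n // 1024}KB"
    return f"{n / (1024 * 1024):.1f}MB"


def parse_dump(name, stated=None):
    """Split one dump name into pid, sequence number, start/end addresses and size
    in bytes; label_ok records whether the stated size matches end - start.
    The mapping.dmp entry carries no range, so its size is None."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    start = int(m["start"], 16)
    end = int(m["end"], 16) if m["end"] else None
    size = end - start if end is not None else None
    return {"name": name, "pid": int(m["pid"]), "seq": int(m["seq"]), "start": start,
            "end": end, "size": size,
            "label_ok": stated is None or (size is not None and human(size) == stated)}


def recurring_sizes(parsed, min_pids=3):
    """size -> pids for larger-than-a-page region sizes that reappear in at least
    min_pids processes: one blob written into every target leaves this pattern."""
    by_size = defaultdict(set)
    for d in parsed:
        if d["size"] and d["size"] > 4096:
            by_size[d["size"]].add(d["pid"])
    return {s: p for s, p in by_size.items() if len(p) >= min_pids}


def triage(parsed, sample_pid, proxy_pid, high_dll_base=0x70000000):
    """[(name, reason)] ordered by how much each dump is worth opening.
    Assumed rules: the largest region in the sample that is not at the 0x400000
    image base is the unpacking buffer; a size repeated across targets is the
    injected stub; a larger-than-a-page region in the proxy below the shared-DLL
    range is a payload candidate; single pages and high-range slices go last."""
    shared = recurring_sizes(parsed)
    biggest = max((d for d in parsed if d["pid"] == sample_pid and d["size"]),
                  key=lambda d: d["size"], default=None)
    ranked = []
    for d in parsed:
        if d["size"] is None:
            ranked.append((0, d["name"], "mapping record, no memory"))
        elif d is biggest and d["start"] != 0x400000:
            ranked.append((4, d["name"], "largest private region in the sample: probable unpacking buffer"))
        elif d["size"] in shared:
            ranked.append((3, d["name"], f"{human(d['size'])} block repeated in pids {sorted(shared[d['size']])}: probable injected stub"))
        elif d["pid"] == proxy_pid and d["start"] < high_dll_base and d["size"] > 4096:
            ranked.append((2, d["name"], "larger-than-a-page region in the injection proxy: payload candidate"))
        elif d["pid"] == sample_pid and d["start"] == 0x400000:
            ranked.append((1, d["name"], "sample's own image at the default 32-bit base"))
        else:
            ranked.append((0, d["name"], "single page or shared-DLL range"))
    ranked.sort(key=lambda r: -r[0])          # stable: ties keep the report's order
    return [(name, reason) for _, name, reason in ranked]


if __name__ == "__main__":
    parsed = [parse_dump(name, stated) for name, stated in DUMPS]
    bad = [d["name"] for d in parsed if not d["label_ok"]]
    print("size labels consistent" if not bad else f"label mismatch: {bad}")
    for name, reason in triage(parsed, sample_pid=368, proxy_pid=2036):
        print(f"{name}: {reason}")
```

On this list every stated size agrees with its address range, the 10 MB region in pid 368 comes out first, the five 24KB regions (one in each of 1128, 1180 and 2036, two in 1244) are grouped as the repeated blob, and the 88KB block at 0xA50000 in winver.exe follows; the sample's own 76KB image at 0x400000 is ranked below those because it is the same bytes as the file on disk.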