Analysis
- max time kernel: 151s
- max time network: 153s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 11-05-2021 13:19
Static task: static1
Behavioral task: behavioral1
- Sample: 38d16e18bf59b0e170405b2fde743a6f9e57d37cee774458036aae92619d221a.exe
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: 38d16e18bf59b0e170405b2fde743a6f9e57d37cee774458036aae92619d221a.exe
- Resource: win10v20210408
General
- Target: 38d16e18bf59b0e170405b2fde743a6f9e57d37cee774458036aae92619d221a.exe
- Size: 69KB
- MD5: 4e9fcd33f8ae7d02858946f86ce0a520
- SHA1: 9269c7fc51b6c424f7f81c9f9a9c5b0a96aab183
- SHA256: 38d16e18bf59b0e170405b2fde743a6f9e57d37cee774458036aae92619d221a
- SHA512: 4723a380921184bdbd51ac677fab270c742a65baf60cba7b5e1e845254915cf32d40e37ea796a76193a12607e0f1957e5c29c2c3371f0f834cb1504a4cfaa7ba
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: winver.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run | winver.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\95523A16 = "C:\\Users\\Admin\\AppData\\Roaming\\95523A16\\bin.exe" | winver.exe
- Program crash (1 IoCs)
  Processes: WerFault.exe
  pid | pid_target | process | target process
  684 | 3744 | WerFault.exe | DllHost.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: winver.exe, WerFault.exe
  pid | process
  3024 | winver.exe (repeated entries)
  684 | WerFault.exe (14 repeated entries)
  3024 | winver.exe (repeated entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: Explorer.EXE
  pid | process
  2568 | Explorer.EXE
- Suspicious use of AdjustPrivilegeToken (11 IoCs)
  Processes: WerFault.exe, Explorer.EXE
  description | pid | process
  Token: SeDebugPrivilege | 684 | WerFault.exe
  Token: SeShutdownPrivilege | 2568 | Explorer.EXE (5 entries)
  Token: SeCreatePagefilePrivilege | 2568 | Explorer.EXE (5 entries)
- Suspicious use of FindShellTrayWindow (1 IoCs)
  Processes: winver.exe
  pid | process
  3024 | winver.exe
- Suspicious use of UnmapMainImage (1 IoCs)
  Processes: Explorer.EXE
  pid | process
  2568 | Explorer.EXE
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes: 38d16e18bf59b0e170405b2fde743a6f9e57d37cee774458036aae92619d221a.exe, winver.exe
  description | pid | process | target process
  PID 900 wrote to memory of 3024 | 900 | 38d16e18bf59b0e170405b2fde743a6f9e57d37cee774458036aae92619d221a.exe | winver.exe (4 entries)
  PID 3024 wrote to memory of 2568 | 3024 | winver.exe | Explorer.EXE
  PID 3024 wrote to memory of 2336 | 3024 | winver.exe | sihost.exe
  PID 3024 wrote to memory of 2356 | 3024 | winver.exe | svchost.exe
  PID 3024 wrote to memory of 2460 | 3024 | winver.exe | taskhostw.exe
  PID 3024 wrote to memory of 2568 | 3024 | winver.exe | Explorer.EXE
  PID 3024 wrote to memory of 3248 | 3024 | winver.exe | ShellExperienceHost.exe
  PID 3024 wrote to memory of 3256 | 3024 | winver.exe | SearchUI.exe
  PID 3024 wrote to memory of 3484 | 3024 | winver.exe | RuntimeBroker.exe
  PID 3024 wrote to memory of 3744 | 3024 | winver.exe | DllHost.exe
  PID 3024 wrote to memory of 1144 | 3024 | winver.exe | (no target process name recorded)
  PID 3024 wrote to memory of 684 | 3024 | winver.exe | WerFault.exe
  PID 3024 wrote to memory of 2328 | 3024 | winver.exe | slui.exe
Processes (process tree; indentation shows parent/child depth)
- c:\windows\system32\sihost.exe
  command line: sihost.exe
- c:\windows\system32\taskhostw.exe
  command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
- C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  signatures: Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of UnmapMainImage
  - C:\Users\Admin\AppData\Local\Temp\38d16e18bf59b0e170405b2fde743a6f9e57d37cee774458036aae92619d221a.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\38d16e18bf59b0e170405b2fde743a6f9e57d37cee774458036aae92619d221a.exe"
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\winver.exe
      command line: winver
      signatures: Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
- C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
  command line: "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
- C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  - C:\Windows\system32\WerFault.exe
    command line: C:\Windows\system32\WerFault.exe -u -p 3744 -s 836
    signatures: Program crash; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
  command line: "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
- C:\Windows\System32\slui.exe
  command line: C:\Windows\System32\slui.exe -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/684-127-0x00007FFBBC470000-0x00007FFBBC471000-memory.dmp (Filesize: 4KB)
- memory/684-125-0x0000000000CE0000-0x0000000000CE6000-memory.dmp (Filesize: 24KB)
- memory/684-126-0x00007FFBBC480000-0x00007FFBBC481000-memory.dmp (Filesize: 4KB)
- memory/900-114-0x0000000000400000-0x0000000000413000-memory.dmp (Filesize: 76KB)
- memory/900-116-0x0000000000420000-0x00000000004CE000-memory.dmp (Filesize: 696KB)
- memory/900-117-0x0000000002660000-0x0000000003060000-memory.dmp (Filesize: 10.0MB)
- memory/2328-129-0x00000000003A0000-0x00000000003A6000-memory.dmp (Filesize: 24KB)
- memory/2336-121-0x0000000000F00000-0x0000000000F06000-memory.dmp (Filesize: 24KB)
- memory/2356-122-0x0000000000AF0000-0x0000000000AF6000-memory.dmp (Filesize: 24KB)
- memory/2460-123-0x00000000004A0000-0x00000000004A6000-memory.dmp (Filesize: 24KB)
- memory/2568-120-0x0000000000CE0000-0x0000000000CE6000-memory.dmp (Filesize: 24KB)
- memory/2568-119-0x0000000000CD0000-0x0000000000CD6000-memory.dmp (Filesize: 24KB)
- memory/2568-128-0x00007FFBBC490000-0x00007FFBBC491000-memory.dmp (Filesize: 4KB)
- memory/3024-118-0x00000000025C0000-0x000000000270A000-memory.dmp (Filesize: 1.3MB)
- memory/3024-115-0x0000000000000000-mapping.dmp
- memory/3484-124-0x00000000000D0000-0x00000000000D6000-memory.dmp (Filesize: 24KB)