Analysis

max time kernel: 138s
max time network: 142s
platform: windows10_x64
resource: win10v20210410
submitted: 14-05-2021 06:04
Static task: static1

Behavioral task: behavioral1
  Sample: d9852b60eb015a9b4bd4f114321b8d7efd7a47b85d32ad21755e671c5bab5f2c.exe
  Resource: win7v20210410 (windows7_x64)
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: d9852b60eb015a9b4bd4f114321b8d7efd7a47b85d32ad21755e671c5bab5f2c.exe
  Resource: win10v20210410 (windows10_x64)
  0 signatures, 0 seconds
General

Target: d9852b60eb015a9b4bd4f114321b8d7efd7a47b85d32ad21755e671c5bab5f2c.exe
Size: 3.7MB
MD5: 73eb70ca5994df6e2766bb5b799f04ec
SHA1: dbccf45a2dd780ab31a13f2136f82c4f3a17906e
SHA256: d9852b60eb015a9b4bd4f114321b8d7efd7a47b85d32ad21755e671c5bab5f2c
SHA512: 1346f92dc34801108ca10777fa7b9e3c134334eacc05c9a31052a9a0505787febd4a1beafb1bb46e5a87a433af33d3cd3f333cc72673149040127a1e6b148b14
Score: 10/10
Malware Config
Signatures
-
Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
Processes: svchost.exe

  description             pid   process      target process
  PID 2460 created 512    2460  svchost.exe  d9852b60eb015a9b4bd4f114321b8d7efd7a47b85d32ad21755e671c5bab5f2c.exe

  Note: PID 2460 is c:\windows\system32\svchost.exe -k netsvcs -s seclogon (see the process tree below), the host of the Secondary Logon service. That service creates processes on behalf of callers of CreateProcessWithLogonW/CreateProcessWithTokenW and sets the caller as the new process's parent, so the process that actually issued the creation differs from the parent recorded on the child. That mismatch is what this signature flags; it is the expected mechanism for a seclogon-created process rather than evidence of parent-PID spoofing by the sample on its own.
Modifies data under HKEY_USERS (64 IoCs)
Processes: d9852b60eb015a9b4bd4f114321b8d7efd7a47b85d32ad21755e671c5bab5f2c.exe

  description       ioc   (process for every row: d9852b60eb015a9b4bd4f114321b8d7efd7a47b85d32ad21755e671c5bab5f2c.exe)
  Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time"
  Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time"
  Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root
  Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time"
  Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time"
  Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time"
  Key created       \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs
  Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time"
  Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time"
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs
  Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time"
  Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time"
  Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time"
  Key created       \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates
  Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time"
  Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time"
  Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time"
  Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time"
  Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time"
  Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time"
  Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time"
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs
  Key created       \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
  Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time"
  Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time"
  Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time"
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs
  Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time"
  Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time"
  Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time"
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA
  Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time"
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs
  Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time"
  Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time"
  Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time"
  Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time"
  Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time"
  Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time"
  Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time"
  Key created       \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople
  Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time"
  Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time"
  Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time"
  Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time"
  Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000   (UTF-16LE multi-string: "en-US", "en")
  Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time"
  Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time"
  Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time"
  Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time"
  Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time"
  Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time"
  Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time"
  Key created       \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA
  Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time"
  Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time"
  Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time"
  Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time"
  Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time"
  Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time"

  Note: the MuiCache values are the localized display names Windows caches when time-zone information is resolved from tzres.dll, and the SystemCertificates keys are the per-user certificate store layout created on first use; both are written here under \REGISTRY\USER\.DEFAULT, the profile hive used by the Local System account, rather than under a logged-on user's hive.
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: d9852b60eb015a9b4bd4f114321b8d7efd7a47b85d32ad21755e671c5bab5f2c.exe

  pid   process
  512   d9852b60eb015a9b4bd4f114321b8d7efd7a47b85d32ad21755e671c5bab5f2c.exe
  512   d9852b60eb015a9b4bd4f114321b8d7efd7a47b85d32ad21755e671c5bab5f2c.exe
Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes: d9852b60eb015a9b4bd4f114321b8d7efd7a47b85d32ad21755e671c5bab5f2c.exe, svchost.exe

  description                    pid   process
  Token: SeDebugPrivilege        512   d9852b60eb015a9b4bd4f114321b8d7efd7a47b85d32ad21755e671c5bab5f2c.exe
  Token: SeImpersonatePrivilege  512   d9852b60eb015a9b4bd4f114321b8d7efd7a47b85d32ad21755e671c5bab5f2c.exe
  Token: SeTcbPrivilege          2460  svchost.exe
  Token: SeTcbPrivilege          2460  svchost.exe
Suspicious use of WriteProcessMemory (3 IoCs)
Processes: svchost.exe

  description                        pid   process      target process
  PID 2460 wrote to memory of 2704   2460  svchost.exe  d9852b60eb015a9b4bd4f114321b8d7efd7a47b85d32ad21755e671c5bab5f2c.exe
  PID 2460 wrote to memory of 2704   2460  svchost.exe  d9852b60eb015a9b4bd4f114321b8d7efd7a47b85d32ad21755e671c5bab5f2c.exe
  PID 2460 wrote to memory of 2704   2460  svchost.exe  d9852b60eb015a9b4bd4f114321b8d7efd7a47b85d32ad21755e671c5bab5f2c.exe
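The three process-level signature tables above (process creation, token adjustment, memory writes) list one row per observed event, and the sandbox repeats a row for every occurrence, so the chain between PIDs 512, 2460 and 2704 is easy to lose. The following Python script is an added example, not part of this sandbox report or of the sandbox vendor's code: it parses those rows in exactly the flattened shape shown on this page, collapses repeats, builds a per-PID view, and lists memory writes into a process running a different image than the writer. The input rows are constructed from the report's own tables; the regular expressions match only the three row shapes visible here and reject anything else.

```python
"""Correlate Triage-style per-process IoC rows into a per-PID view.

Added example for this report page, not code from the sandbox vendor.
Input rows are constructed from the report's own signature tables
(one row per line, in the flattened form shown above); only those three
row shapes are parsed.
"""
import re
from collections import defaultdict

SAMPLE = "d9852b60eb015a9b4bd4f114321b8d7efd7a47b85d32ad21755e671c5bab5f2c.exe"

# Constructed input: the rows of the three process-level signature tables.
IOC_ROWS = [
    f"PID 2460 created 512 2460 svchost.exe {SAMPLE}",
    f"Token: SeDebugPrivilege 512 {SAMPLE}",
    f"Token: SeImpersonatePrivilege 512 {SAMPLE}",
    "Token: SeTcbPrivilege 2460 svchost.exe",
    "Token: SeTcbPrivilege 2460 svchost.exe",
    f"PID 2460 wrote to memory of 2704 2460 svchost.exe {SAMPLE}",
    f"PID 2460 wrote to memory of 2704 2460 svchost.exe {SAMPLE}",
    f"PID 2460 wrote to memory of 2704 2460 svchost.exe {SAMPLE}",
]

# Row shapes as they appear in the report:
#   "PID <pid> created <target> <pid> <image> <target image>"
#   "PID <pid> wrote to memory of <target> <pid> <image> <target image>"
#   "Token: <privilege> <pid> <image>"
CREATED_RE = re.compile(r"^PID (\d+) created (\d+) (\d+) (\S+) (\S+)$")
WROTE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\S+)$")
TOKEN_RE = re.compile(r"^Token: (Se\w+Privilege) (\d+) (\S+)$")


def _new_proc():
    return {"image": None, "privileges": set(), "created": {}, "wrote_to": {}}


def parse_iocs(rows):
    """Return {pid: {image, privileges, created: {target: image}, wrote_to: {target: image}}}.

    Dict keys collapse the repeated rows the sandbox emits for one event.
    """
    procs = defaultdict(_new_proc)
    for row in rows:
        row = row.strip()
        if not row:
            continue
        m = CREATED_RE.match(row) or WROTE_RE.match(row)
        if m:
            pid, target, pid_again, image, target_image = m.groups()
            if pid != pid_again:
                raise ValueError(f"inconsistent pid columns: {row!r}")
            pid, target = int(pid), int(target)
            procs[pid]["image"] = image
            field = "created" if " created " in row else "wrote_to"
            procs[pid][field][target] = target_image
            procs[target]["image"] = procs[target]["image"] or target_image
            continue
        m = TOKEN_RE.match(row)
        if m:
            priv, pid, image = m.groups()
            procs[int(pid)]["image"] = image
            procs[int(pid)]["privileges"].add(priv)
            continue
        raise ValueError(f"unrecognised IoC row: {row!r}")
    return dict(procs)


def cross_image_writes(procs):
    """(writer pid, target pid) pairs where the writer's image differs from the target's."""
    return [
        (pid, target)
        for pid, info in sorted(procs.items())
        for target, target_image in sorted(info["wrote_to"].items())
        if target_image != info["image"]
    ]


def summary(procs):
    """One indented block per PID, repeats collapsed."""
    out = []
    for pid, info in sorted(procs.items()):
        out.append(f"PID {pid} ({info['image']})")
        if info["privileges"]:
            out.append("  privileges enabled: " + ", ".join(sorted(info["privileges"])))
        for target, image in sorted(info["created"].items()):
            out.append(f"  created PID {target} ({image})")
        for target, image in sorted(info["wrote_to"].items()):
            out.append(f"  wrote to memory of PID {target} ({image})")
    return "\n".join(out)


if __name__ == "__main__":
    procs = parse_iocs(IOC_ROWS)
    print(summary(procs))
    print("cross-image memory writes:", cross_image_writes(procs))
```

On this report's rows the script collapses the eight IoCs into three PIDs: 512 (the sample, SeDebugPrivilege and SeImpersonatePrivilege enabled), 2460 (svchost.exe, SeTcbPrivilege, created a process under a different parent and wrote into 2704) and 2704 (the second sample instance, the one whose memory dump appears under Downloads). The cross-image check is deliberately narrow: it flags only writes where the writer and target run different images, which is the case worth a second look in a sandbox report, and leaves self-writes and same-image writes alone.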
Processes

C:\Users\Admin\AppData\Local\Temp\d9852b60eb015a9b4bd4f114321b8d7efd7a47b85d32ad21755e671c5bab5f2c.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\d9852b60eb015a9b4bd4f114321b8d7efd7a47b85d32ad21755e671c5bab5f2c.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\d9852b60eb015a9b4bd4f114321b8d7efd7a47b85d32ad21755e671c5bab5f2c.exe (child of the process above)
      command line: "C:\Users\Admin\AppData\Local\Temp\d9852b60eb015a9b4bd4f114321b8d7efd7a47b85d32ad21755e671c5bab5f2c.exe"
      - Modifies data under HKEY_USERS

\??\c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k netsvcs -s seclogon
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix
Downloads
-
memory/2704-114-0x0000000000000000-mapping.dmp