Overview
overview
10Static
static
15179b743d...95.exe
windows7_x64
1015179b743d...95.exe
windows10_x64
104fa1176e4a...91.exe
windows7_x64
104fa1176e4a...91.exe
windows10_x64
10b51944f544...6a.exe
windows7_x64
10b51944f544...6a.exe
windows10_x64
10b91245cf0f...42.exe
windows7_x64
10b91245cf0f...42.exe
windows10_x64
8cd2eb403d5...71.exe
windows7_x64
10cd2eb403d5...71.exe
windows10_x64
10Analysis
-
max time kernel
147s -
max time network
160s -
platform
windows10_x64 -
resource
win10-en-20210920 -
submitted
18-10-2021 09:25
Static task
static1
Behavioral task
behavioral1
Sample
15179b743d691ce6b078c2a2647269a8dbd4d89f1d15740282969e25c6cce495.exe
Resource
win7-en-20211014
Behavioral task
behavioral2
Sample
15179b743d691ce6b078c2a2647269a8dbd4d89f1d15740282969e25c6cce495.exe
Resource
win10-en-20210920
Behavioral task
behavioral3
Sample
4fa1176e4a82538dcb691fb8dbc210429f7b7ac6897ad9ef471f6e90bb29ee91.exe
Resource
win7-en-20210920
Behavioral task
behavioral4
Sample
4fa1176e4a82538dcb691fb8dbc210429f7b7ac6897ad9ef471f6e90bb29ee91.exe
Resource
win10-en-20211014
Behavioral task
behavioral5
Sample
b51944f54452b85a09eb4ed91f415bed8513faab405244f58e0b48c70d53406a.exe
Resource
win7-en-20210920
Behavioral task
behavioral6
Sample
b51944f54452b85a09eb4ed91f415bed8513faab405244f58e0b48c70d53406a.exe
Resource
win10-en-20211014
Behavioral task
behavioral7
Sample
b91245cf0fafad7150a5bc335335b2342f39bf920eb81ca8d6b890ebae737e42.exe
Resource
win7-en-20210920
Behavioral task
behavioral8
Sample
b91245cf0fafad7150a5bc335335b2342f39bf920eb81ca8d6b890ebae737e42.exe
Resource
win10-en-20210920
Behavioral task
behavioral9
Sample
cd2eb403d51be7281c7166a1a88707d768e547197c853263213da955446dd871.exe
Resource
win7-en-20211014
General
-
Target
cd2eb403d51be7281c7166a1a88707d768e547197c853263213da955446dd871.exe
-
Size
534KB
-
MD5
ad32f5c567edf16aba5dfedbd527084a
-
SHA1
9fbf7632af542f4e50b60d849518bb840544f1a6
-
SHA256
cd2eb403d51be7281c7166a1a88707d768e547197c853263213da955446dd871
-
SHA512
20900fbd14dd4fb13ea7757fcebaf6cd130be1201f02320e7d70f203eb629eb2b983af121fe4f63719c25565490d140c10ad7ae382d7effca4e6ca9de6d8ef6e
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
WinSrv.exepid process 4020 WinSrv.exe -
Drops file in System32 directory 24 IoCs
Processes:
WinSrv.execd2eb403d51be7281c7166a1a88707d768e547197c853263213da955446dd871.exedescription ioc process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content WinSrv.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_89854CA6A0F0936A4D2ECA78845CEA25 WinSrv.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D0E1C4B6144E7ECAB3F020E4A19EFC29_03D1B482EE3032A122274428715A4E19 WinSrv.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\00E8B2222155EE2FA685572BF7181C12 WinSrv.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\GT4UB25K.cookie WinSrv.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 WinSrv.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies WinSrv.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 WinSrv.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft WinSrv.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData WinSrv.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 WinSrv.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\PFTCWXWZ.cookie WinSrv.exe File created C:\Windows\SysWOW64\WinSrv.exe cd2eb403d51be7281c7166a1a88707d768e547197c853263213da955446dd871.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat WinSrv.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D0E1C4B6144E7ECAB3F020E4A19EFC29_03D1B482EE3032A122274428715A4E19 WinSrv.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\00E8B2222155EE2FA685572BF7181C12 WinSrv.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\85IY7IKF.cookie WinSrv.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\85IY7IKF.cookie WinSrv.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\PFTCWXWZ.cookie WinSrv.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE WinSrv.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache WinSrv.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_89854CA6A0F0936A4D2ECA78845CEA25 WinSrv.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\GT4UB25K.cookie WinSrv.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 WinSrv.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
WinSrv.exedescription pid process target process PID 4020 set thread context of 4032 4020 WinSrv.exe svchost.exe -
Modifies data under HKEY_USERS 11 IoCs
Processes:
WinSrv.exedescription ioc process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" WinSrv.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix WinSrv.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" WinSrv.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" WinSrv.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" WinSrv.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing WinSrv.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 WinSrv.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache WinSrv.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" WinSrv.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ WinSrv.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" WinSrv.exe -
Processes:
WinSrv.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 WinSrv.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e WinSrv.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
cd2eb403d51be7281c7166a1a88707d768e547197c853263213da955446dd871.exeWinSrv.exesvchost.exepid process 3600 cd2eb403d51be7281c7166a1a88707d768e547197c853263213da955446dd871.exe 3600 cd2eb403d51be7281c7166a1a88707d768e547197c853263213da955446dd871.exe 4020 WinSrv.exe 4020 WinSrv.exe 4032 svchost.exe 4032 svchost.exe 4032 svchost.exe 4032 svchost.exe 4032 svchost.exe 4032 svchost.exe 4032 svchost.exe 4032 svchost.exe 4032 svchost.exe 4032 svchost.exe 4032 svchost.exe 4032 svchost.exe 4032 svchost.exe 4032 svchost.exe 4032 svchost.exe 4032 svchost.exe 4032 svchost.exe 4032 svchost.exe 4032 svchost.exe 4032 svchost.exe 4032 svchost.exe 4032 svchost.exe 4032 svchost.exe 4032 svchost.exe 4032 svchost.exe 4032 svchost.exe 4032 svchost.exe 4032 svchost.exe 4032 svchost.exe 4032 svchost.exe 4032 svchost.exe 4032 svchost.exe 4032 svchost.exe 4032 svchost.exe 4032 svchost.exe 4032 svchost.exe 4032 svchost.exe 4032 svchost.exe 4032 svchost.exe 4032 svchost.exe 4032 svchost.exe 4032 svchost.exe 4032 svchost.exe 4032 svchost.exe 4032 svchost.exe 4032 svchost.exe 4032 svchost.exe 4032 svchost.exe 4032 svchost.exe 4032 svchost.exe 4032 svchost.exe 4032 svchost.exe 4032 svchost.exe 4032 svchost.exe 4032 svchost.exe 4032 svchost.exe 4020 WinSrv.exe 4020 WinSrv.exe 4032 svchost.exe 4032 svchost.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
WinSrv.execd2eb403d51be7281c7166a1a88707d768e547197c853263213da955446dd871.exedescription pid process target process PID 4020 wrote to memory of 4032 4020 WinSrv.exe svchost.exe PID 4020 wrote to memory of 4032 4020 WinSrv.exe svchost.exe PID 4020 wrote to memory of 4032 4020 WinSrv.exe svchost.exe PID 4020 wrote to memory of 4032 4020 WinSrv.exe svchost.exe PID 4020 wrote to memory of 4032 4020 WinSrv.exe svchost.exe PID 3600 wrote to memory of 60 3600 cd2eb403d51be7281c7166a1a88707d768e547197c853263213da955446dd871.exe cmd.exe PID 3600 wrote to memory of 60 3600 cd2eb403d51be7281c7166a1a88707d768e547197c853263213da955446dd871.exe cmd.exe PID 3600 wrote to memory of 60 3600 cd2eb403d51be7281c7166a1a88707d768e547197c853263213da955446dd871.exe cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\cd2eb403d51be7281c7166a1a88707d768e547197c853263213da955446dd871.exe"C:\Users\Admin\AppData\Local\Temp\cd2eb403d51be7281c7166a1a88707d768e547197c853263213da955446dd871.exe"1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del C:\Users\Admin\AppData\Local\Temp\cd2eb403d51be7281c7166a1a88707d768e547197c853263213da955446dd871.exe >> NUL2⤵
-
C:\Windows\SysWOW64\WinSrv.exeC:\Windows\SysWOW64\WinSrv.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\System32\svchost.exe2⤵
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\SysWOW64\WinSrv.exeMD5
ad32f5c567edf16aba5dfedbd527084a
SHA19fbf7632af542f4e50b60d849518bb840544f1a6
SHA256cd2eb403d51be7281c7166a1a88707d768e547197c853263213da955446dd871
SHA51220900fbd14dd4fb13ea7757fcebaf6cd130be1201f02320e7d70f203eb629eb2b983af121fe4f63719c25565490d140c10ad7ae382d7effca4e6ca9de6d8ef6e
-
C:\Windows\SysWOW64\WinSrv.exeMD5
ad32f5c567edf16aba5dfedbd527084a
SHA19fbf7632af542f4e50b60d849518bb840544f1a6
SHA256cd2eb403d51be7281c7166a1a88707d768e547197c853263213da955446dd871
SHA51220900fbd14dd4fb13ea7757fcebaf6cd130be1201f02320e7d70f203eb629eb2b983af121fe4f63719c25565490d140c10ad7ae382d7effca4e6ca9de6d8ef6e
-
memory/60-123-0x0000000000000000-mapping.dmp
-
memory/3600-116-0x0000000000400000-0x0000000000488000-memory.dmpFilesize
544KB
-
memory/3600-115-0x0000000000520000-0x00000000005CE000-memory.dmpFilesize
696KB
-
memory/4020-120-0x0000000000400000-0x0000000000488000-memory.dmpFilesize
544KB
-
memory/4020-119-0x0000000000490000-0x000000000053E000-memory.dmpFilesize
696KB
-
memory/4032-121-0x0000000000400000-0x000000000040B000-memory.dmpFilesize
44KB
-
memory/4032-122-0x000000000040178D-mapping.dmp
-
memory/4032-124-0x0000000000970000-0x0000000000971000-memory.dmpFilesize
4KB
-
memory/4032-125-0x0000000000970000-0x0000000000971000-memory.dmpFilesize
4KB