Overview

overview

10

Static

static

Microsoft....NI.dll

windows11_x64

10

Microsoft....NI.dll

windows10_x64

3

Microsoft....NI.dll

windows11_x64

8

Microsoft....NI.dll

windows10_x64

1

TestConsoleApp.dll

windows11_x64

1

TestConsoleApp.dll

windows10_x64

1

TestConsoleApp.exe

windows11_x64

8

TestConsoleApp.exe

windows10_x64

1

Resubmissions

09-06-2022 12:32

220609-pqk42sgafn 8

22-10-2021 13:33

211022-qtlenabfg4 10

Analysis

  • max time kernel
    650s
  • max time network
    1579s
  • platform
    windows11_x64
  • resource
    win11
  • submitted
    22-10-2021 13:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    TestConsoleApp.exe

  • Size

    18.2MB

  • MD5

    4aeb4fe28b6d716e649dbae4ae97c6af

  • SHA1

    7554105c37c957dda0dffee52bdfef126f0dd1f0

  • SHA256

    998e33e7aef697081a142af6497b4044765522c470cc67d57ed294a3c7e15637

  • SHA512

    51e46cc5b9932a888f6efa6d02acccd50ee0ea398c63cb00b3688feac86b6083123f3b4a94aad486149fe1f788882c57707af69eeaed08c3c2b5af329aac9909

Score
8/10
persistence

Malware Config

Signatures

  • Sets service image path in registry 2 TTPs
    persistence
  • Drops file in Windows directory 8 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\TestConsoleApp.exe
    "C:\Users\Admin\AppData\Local\Temp\TestConsoleApp.exe"
    1⤵
      PID:3792
    • C:\Windows\System32\WaaSMedicAgent.exe
      C:\Windows\System32\WaaSMedicAgent.exe 0405768fcba1e8acf5429a5b5118650c WlP3d/hbeUmgA56OpkSLRQ.0.1.0.3.0
      1⤵
      • Modifies data under HKEY_USERS
      PID:3636
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:2864
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
      1⤵
      • Checks processor information in registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1540
      • C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
        C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
        2⤵
          PID:1888
        • C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
          C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
          2⤵
            PID:584
        • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.100_none_04da31ff4c67c24a\TiWorker.exe
          C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.100_none_04da31ff4c67c24a\TiWorker.exe -Embedding
          1⤵
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          PID:3784
        • C:\Windows\System32\WaaSMedicAgent.exe
          C:\Windows\System32\WaaSMedicAgent.exe 0405768fcba1e8acf5429a5b5118650c WlP3d/hbeUmgA56OpkSLRQ.0.1.0.3.0
          1⤵
          • Modifies data under HKEY_USERS
          PID:3352
        • C:\Windows\System32\WaaSMedicAgent.exe
          C:\Windows\System32\WaaSMedicAgent.exe 0405768fcba1e8acf5429a5b5118650c WlP3d/hbeUmgA56OpkSLRQ.0.1.0.3.0
          1⤵
          • Modifies data under HKEY_USERS
          PID:796

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Registry Run Keys / Startup Folder

        1
        T1060

        Privilege Escalation

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        Query Registry

        1
        T1012

        System Information Discovery

        1
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/584-152-0x0000000000000000-mapping.dmp
          Download
        • memory/1888-151-0x0000000000000000-mapping.dmp
          Download
        • memory/2864-146-0x000002B981420000-0x000002B981430000-memory.dmp
          Filesize

          64KB

          Download
        • memory/2864-147-0x000002B9814A0000-0x000002B9814B0000-memory.dmp
          Filesize

          64KB

          Download
        • memory/2864-148-0x000002B983BA0000-0x000002B983BA4000-memory.dmp
          Filesize

          16KB

          Download
        • memory/2864-149-0x000002B984BA0000-0x000002B984BA4000-memory.dmp
          Filesize

          16KB

          Download
        • memory/2864-150-0x000002B9843B0000-0x000002B9843B1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2864-153-0x000002B983BC0000-0x000002B983BC4000-memory.dmp
          Filesize

          16KB

          Download
        • memory/2864-154-0x000002B983AE0000-0x000002B983AE1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2864-156-0x000002B983AA0000-0x000002B983AA1000-memory.dmp
          Filesize

          4KB

          Download