Overview

Task scores (score, sample, platform):
- 10  Static analysis
- (no score shown)  Microsoft....NI.dll  windows11_x64
- 10  Microsoft....NI.dll  windows10_x64
- 3   Microsoft....NI.dll  windows11_x64
- 8   Microsoft....NI.dll  windows10_x64
- 1   TestConsoleApp.dll  windows11_x64
- 1   TestConsoleApp.dll  windows10_x64
- 1   TestConsoleApp.exe  windows11_x64
- 8   TestConsoleApp.exe  windows10_x64
Analysis (score 1)
- max time kernel: 650s
- max time network: 1579s
- platform: windows11_x64
- resource: win11
- submitted: 22-10-2021 13:33
Tasks
- static1: static task
- behavioral1: Microsoft.Data.SqlClient.SNI.dll on win11
- behavioral2: Microsoft.Data.SqlClient.SNI.dll on win10-en-20210920
- behavioral3: Microsoft.Data.SqlClient1.SNI.dll on win11
- behavioral4: Microsoft.Data.SqlClient1.SNI.dll on win10-en-20211014
- behavioral5: TestConsoleApp.dll on win11
- behavioral6: TestConsoleApp.dll on win10-en-20211014
- behavioral7: TestConsoleApp.exe on win11
- behavioral8: TestConsoleApp.exe on win10-en-20211014
General
- Target: TestConsoleApp.exe
- Size: 18.2MB
- MD5: 4aeb4fe28b6d716e649dbae4ae97c6af
- SHA1: 7554105c37c957dda0dffee52bdfef126f0dd1f0
- SHA256: 998e33e7aef697081a142af6497b4044765522c470cc67d57ed294a3c7e15637
- SHA512: 51e46cc5b9932a888f6efa6d02acccd50ee0ea398c63cb00b3688feac86b6083123f3b4a94aad486149fe1f788882c57707af69eeaed08c3c2b5af329aac9909
Malware Config
Signatures

Every IoC listed below is attributed to a Windows Update or servicing component (svchost.exe hosting wuauserv/UsoSvc, TiWorker.exe, WaaSMedicAgent.exe, MoUsoCoreWorker.exe). No IoC is attributed to TestConsoleApp.exe itself, and the process tree further down shows no behaviour flagged on it.

- Sets service image path in registry (2 TTPs)

- Drops file in Windows directory (8 IoCs)
  Processes: TiWorker.exe, svchost.exe
  description, ioc (process):
  - File opened for modification  C:\Windows\Logs\CBS\CBS.log  (TiWorker.exe)
  - File opened for modification  C:\Windows\WinSxS\pending.xml  (TiWorker.exe)
  - File opened for modification  C:\Windows\WindowsUpdate.log  (svchost.exe)
  - File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk  (svchost.exe)
  - File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log  (svchost.exe)
  - File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.edb  (svchost.exe)
  - File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm  (svchost.exe)
  - File opened for modification  C:\Windows\SoftwareDistribution\ReportingEvents.log  (svchost.exe)
  These are the CBS servicing log, the pending servicing transaction and the Windows Update datastore, i.e. the files those services write during normal operation.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments. Note, however, that the process performing the read here is svchost.exe (the UsoSvc instance in the process tree), not the submitted sample, so this hit is not evidence of sandbox evasion by TestConsoleApp.exe.
  Processes: svchost.exe
  description, ioc (process):
  - Key opened  \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0  (svchost.exe)
  - Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  (svchost.exe)
- Modifies data under HKEY_USERS (64 IoCs)
  Processes: WaaSMedicAgent.exe (3 instances), svchost.exe
  All 64 entries are "Key created" events under the .DEFAULT user hive's certificate stores; key (process):
  - \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs  (WaaSMedicAgent.exe)
  - \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA  (WaaSMedicAgent.exe)
  - \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs  (WaaSMedicAgent.exe)
  - \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs  (WaaSMedicAgent.exe)
  - \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs  (WaaSMedicAgent.exe)
  - \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs  (WaaSMedicAgent.exe)
  - \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root  (WaaSMedicAgent.exe)
  - \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs  (WaaSMedicAgent.exe)
  - \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA  (WaaSMedicAgent.exe)
  - \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates  (WaaSMedicAgent.exe)
  - \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs  (WaaSMedicAgent.exe)
  - \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs  (svchost.exe)
  - \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople  (svchost.exe)
  - \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust  (svchost.exe)
  - \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs  (WaaSMedicAgent.exe)
  - \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs  (WaaSMedicAgent.exe)
  - \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs  (WaaSMedicAgent.exe)
  - \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates  (WaaSMedicAgent.exe)
  - \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs  (svchost.exe)
  - \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates  (svchost.exe)
  - \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs  (WaaSMedicAgent.exe)
  - \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs  (WaaSMedicAgent.exe)
  - \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs  (WaaSMedicAgent.exe)
  - \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates  (WaaSMedicAgent.exe)
  - \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs  (WaaSMedicAgent.exe)
  - \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs  (svchost.exe)
  - \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA  (WaaSMedicAgent.exe)
  - \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates  (WaaSMedicAgent.exe)
  - \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed  (WaaSMedicAgent.exe)
  - \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs  (svchost.exe)
  - \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot  (svchost.exe)
  - \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed  (WaaSMedicAgent.exe)
  - \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates  (WaaSMedicAgent.exe)
  - \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs  (WaaSMedicAgent.exe)
  - \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust  (WaaSMedicAgent.exe)
  - \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed  (WaaSMedicAgent.exe)
  - \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates  (WaaSMedicAgent.exe)
  - \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs  (WaaSMedicAgent.exe)
  - \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs  (svchost.exe)
  - \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs  (svchost.exe)
  - \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs  (WaaSMedicAgent.exe)
  - \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates  (WaaSMedicAgent.exe)
  - \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed  (svchost.exe)
  - \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople  (WaaSMedicAgent.exe)
  - \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs  (svchost.exe)
  - \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs  (WaaSMedicAgent.exe)
  - \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates  (svchost.exe)
  - \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust  (WaaSMedicAgent.exe)
  - \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs  (WaaSMedicAgent.exe)
  - \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs  (WaaSMedicAgent.exe)
  - \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates  (WaaSMedicAgent.exe)
  - \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates  (svchost.exe)
  - \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root  (svchost.exe)
  - \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople  (svchost.exe)
  - \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust  (svchost.exe)
  - \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates  (svchost.exe)
  - \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates  (WaaSMedicAgent.exe)
  - \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust  (WaaSMedicAgent.exe)
  - \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs  (svchost.exe)
  - \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs  (WaaSMedicAgent.exe)
  - \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates  (WaaSMedicAgent.exe)
  - \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates  (svchost.exe)
  - \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed  (WaaSMedicAgent.exe)
  - \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA  (svchost.exe)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: svchost.exe (pids 2864 and 1540), TiWorker.exe (pid 3784)
  Token: privilege, pid, process:
  - SeShutdownPrivilege  2864  svchost.exe
  - SeCreatePagefilePrivilege  2864  svchost.exe
  - SeShutdownPrivilege  2864  svchost.exe
  - SeCreatePagefilePrivilege  2864  svchost.exe
  - SeShutdownPrivilege  2864  svchost.exe
  - SeCreatePagefilePrivilege  2864  svchost.exe
  - SeShutdownPrivilege  1540  svchost.exe
  - SeCreatePagefilePrivilege  1540  svchost.exe
  - SeShutdownPrivilege  2864  svchost.exe
  - SeCreatePagefilePrivilege  2864  svchost.exe
  - SeSecurityPrivilege  3784  TiWorker.exe
  - SeRestorePrivilege  3784  TiWorker.exe
  - SeBackupPrivilege  3784  TiWorker.exe
  - the remaining 51 entries are the triple SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege for pid 3784 TiWorker.exe, repeated 17 times
  TiWorker.exe is the Windows Modules Installer worker; enabling backup, restore and security privileges is how it writes to the component store, so these hits describe normal servicing activity rather than privilege escalation by the sample.
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: svchost.exe (pid 1540)
  description, pid, process, target process:
  - PID 1540 wrote to memory of 1888  svchost.exe -> MoUsoCoreWorker.exe
  - PID 1540 wrote to memory of 1888  svchost.exe -> MoUsoCoreWorker.exe
  - PID 1540 wrote to memory of 584  svchost.exe -> MoUsoCoreWorker.exe
  - PID 1540 wrote to memory of 584  svchost.exe -> MoUsoCoreWorker.exe
  PID 1540 is the svchost.exe instance hosting UsoSvc (the only process in the tree with this signature), and both MoUsoCoreWorker.exe processes appear as its children in the process tree, so the writes are consistent with the update orchestrator launching its own worker processes rather than with code injection.
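The signature tables above flatten three row shapes (file/registry events, "Token:" privilege rows and "PID … wrote to memory of …" rows) into running text, and the analyst's real question is which of them, if any, land on the submitted target rather than on the Windows Update services that run in every VM. The script below is an added example written for this page, not Tria.ge code and not part of the sample: it parses rows in those three shapes, attributes each to its acting process, and reports the share that is Windows Update background noise. The row subset, the list of Windows Update component names and all function names are constructed for the example.

```python
"""Attribute sandbox-report IoC rows to processes (added example, not Tria.ge code).

Row shapes mirror the flattened signature tables in the report:
  "<description> <ioc> <process>"                          file / registry events
  "Token: <privilege> <pid> <process>"                     AdjustPrivilegeToken rows
  "PID <src> wrote to memory of <dst> <src> <srcproc> <dstproc>"  WriteProcessMemory rows
"""
import re
from collections import Counter, defaultdict

# Constructed input: a handful of rows copied from the report's signature tables.
SAMPLE_ROWS = r"""
File opened for modification C:\Windows\Logs\CBS\CBS.log TiWorker.exe
File opened for modification C:\Windows\WindowsUpdate.log svchost.exe
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 svchost.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz svchost.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root WaaSMedicAgent.exe
Token: SeShutdownPrivilege 2864 svchost.exe
Token: SeBackupPrivilege 3784 TiWorker.exe
Token: SeRestorePrivilege 3784 TiWorker.exe
PID 1540 wrote to memory of 1888 1540 svchost.exe MoUsoCoreWorker.exe
"""

# Windows Update / servicing components present in every Windows VM regardless of the
# sample; IoCs attributed to them are background noise (assumed list for this example).
WINDOWS_UPDATE_COMPONENTS = frozenset({
    "svchost.exe", "TiWorker.exe", "WaaSMedicAgent.exe", "MoUsoCoreWorker.exe",
})

_EVENT_RE = re.compile(
    r"^(File opened for modification|Key opened|Key value queried|Key created) (\S+) (\S+)$")
_TOKEN_RE = re.compile(r"^Token: (\S+) (\d+) (\S+)$")
_WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)$")


def parse_row(row):
    """Return a dict for one IoC row, or None if the row matches no known shape."""
    m = _EVENT_RE.match(row)
    if m:
        return {"kind": "event", "description": m.group(1), "ioc": m.group(2), "process": m.group(3)}
    m = _TOKEN_RE.match(row)
    if m:
        return {"kind": "token", "privilege": m.group(1), "pid": int(m.group(2)), "process": m.group(3)}
    m = _WPM_RE.match(row)
    if m:
        # The acting process is the writer; the target is recorded separately.
        return {"kind": "wpm", "pid": int(m.group(1)), "target_pid": int(m.group(2)),
                "process": m.group(3), "target_process": m.group(4)}
    return None


def parse_rows(text):
    """Parse every non-empty line; an unrecognised row is an error, not silently dropped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = parse_row(line)
        if rec is None:
            raise ValueError(f"unrecognised IoC row: {line!r}")
        records.append(rec)
    return records


def iocs_by_process(records):
    """Count IoCs per acting process."""
    return Counter(r["process"] for r in records)


def iocs_for_process(records, process):
    return [r for r in records if r["process"] == process]


def privileges_by_pid(records):
    """(pid, process) -> Counter of privileges enabled via AdjustPrivilegeToken."""
    out = defaultdict(Counter)
    for r in records:
        if r["kind"] == "token":
            out[(r["pid"], r["process"])][r["privilege"]] += 1
    return dict(out)


def memory_write_targets(records):
    """(writer pid, writer process) -> list of (target pid, target process)."""
    out = defaultdict(list)
    for r in records:
        if r["kind"] == "wpm":
            out[(r["pid"], r["process"])].append((r["target_pid"], r["target_process"]))
    return dict(out)


def background_noise_share(records):
    """Fraction of IoCs attributed to Windows Update / servicing components."""
    if not records:
        return 0.0
    noise = sum(1 for r in records if r["process"] in WINDOWS_UPDATE_COMPONENTS)
    return noise / len(records)


def triage(records, target):
    """Summarise what the IoC rows actually say about the submitted target."""
    return {
        "target": target,
        "target_iocs": len(iocs_for_process(records, target)),
        "background_noise_share": background_noise_share(records),
        "processes": dict(iocs_by_process(records)),
    }


if __name__ == "__main__":
    recs = parse_rows(SAMPLE_ROWS)
    print(triage(recs, "TestConsoleApp.exe"))
    for key, privs in privileges_by_pid(recs).items():
        print(key, dict(privs))
    print(memory_write_targets(recs))
```

Run against the full tables on this page the result is the same as for the subset: zero IoCs attributed to TestConsoleApp.exe and a noise share of 1.0, which is the quantitative form of the observation that the score-1 verdict rests entirely on servicing activity. The parser raises on an unknown row shape on purpose, so a new signature type added to the report cannot be silently miscounted as "nothing attributed to the target".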
Processes (indentation shows the parent/child relationship recorded by the sandbox)

- C:\Users\Admin\AppData\Local\Temp\TestConsoleApp.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\TestConsoleApp.exe"
  (no signatures attributed)

- C:\Windows\System32\WaaSMedicAgent.exe
  command line: C:\Windows\System32\WaaSMedicAgent.exe 0405768fcba1e8acf5429a5b5118650c WlP3d/hbeUmgA56OpkSLRQ.0.1.0.3.0
  - Modifies data under HKEY_USERS

- C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken

- C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    - C:\Windows\uus\AMD64\MoUsoCoreWorker.exe (child)
      command line: C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
    - C:\Windows\uus\AMD64\MoUsoCoreWorker.exe (child)
      command line: C:\Windows\uus\AMD64\MoUsoCoreWorker.exe

- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.100_none_04da31ff4c67c24a\TiWorker.exe
  command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.100_none_04da31ff4c67c24a\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

- C:\Windows\System32\WaaSMedicAgent.exe
  command line: C:\Windows\System32\WaaSMedicAgent.exe 0405768fcba1e8acf5429a5b5118650c WlP3d/hbeUmgA56OpkSLRQ.0.1.0.3.0
  - Modifies data under HKEY_USERS

- C:\Windows\System32\WaaSMedicAgent.exe
  command line: C:\Windows\System32\WaaSMedicAgent.exe 0405768fcba1e8acf5429a5b5118650c WlP3d/hbeUmgA56OpkSLRQ.0.1.0.3.0
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/584-152-0x0000000000000000-mapping.dmp
- memory/1888-151-0x0000000000000000-mapping.dmp
- memory/2864-146-0x000002B981420000-0x000002B981430000-memory.dmp  (64KB)
- memory/2864-147-0x000002B9814A0000-0x000002B9814B0000-memory.dmp  (64KB)
- memory/2864-148-0x000002B983BA0000-0x000002B983BA4000-memory.dmp  (16KB)
- memory/2864-149-0x000002B984BA0000-0x000002B984BA4000-memory.dmp  (16KB)
- memory/2864-150-0x000002B9843B0000-0x000002B9843B1000-memory.dmp  (4KB)
- memory/2864-153-0x000002B983BC0000-0x000002B983BC4000-memory.dmp  (16KB)
- memory/2864-154-0x000002B983AE0000-0x000002B983AE1000-memory.dmp  (4KB)
- memory/2864-156-0x000002B983AA0000-0x000002B983AA1000-memory.dmp  (4KB)