Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 13-11-2021 21:40
Static task: static1
Behavioral task: behavioral1
- Sample: f3133b021fd1eb20aa1b624a6295496e0d4cfdad4d6d25ac00ab02ee5cbea8b1.exe
- Resource: win10-en-20211014
General
- Target: f3133b021fd1eb20aa1b624a6295496e0d4cfdad4d6d25ac00ab02ee5cbea8b1.exe
- Size: 245KB
- MD5: 0ed76cd7cb14cc30d04802a750bcad22
- SHA1: ed719729d7025b6d16399c88a7334fdd58b0d603
- SHA256: f3133b021fd1eb20aa1b624a6295496e0d4cfdad4d6d25ac00ab02ee5cbea8b1
- SHA512: 89452af762b13227bd835a50d8e5d55a0760889699fae5bb7da67fba1b4fa16207c9e395230cb2f3b135266c3dfac98f45bb8df3b8f9391d55696f8f13e64ea6
Malware Config
Signatures
-
VKeylogger
A keylogger first seen in Nov 2020.
-
VKeylogger Payload (3 IoCs)
Processes:
  resource  yara_rule
  behavioral1/memory/864-115-0x00000000005C0000-0x00000000005CF000-memory.dmp  family_vkeylogger
  behavioral1/memory/864-121-0x00000000005C3500-mapping.dmp  family_vkeylogger
  behavioral1/memory/1424-123-0x0000000000750000-0x000000000075F000-memory.dmp  family_vkeylogger
-
Downloads MZ/PE file
-
Executes dropped EXE (4 IoCs)
Processes:
  pid   process
  2368  440.exe
  3168  MicrosoftAsistence.exe
  3720  svchost.exe
  1956  svchost.exe
-
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely a geofence check.
Processes:
  Key value queried by 440.exe: \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\International\Geo\Nation
-
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  Set value (str) by explorer.exe:
    \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\gr5wd = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe"
  Set value (str) by explorer.exe:
    \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\gtrhy = "C:\\Windows\\system32\\mshta.exe javascript:x=new%20ActiveXObject(\"wscript.shell\");v=x.RegRead(\"HKCU\\\\Software\\\\Microsoft\\\\SMSvcHost\\\\ComponentID\");eval(v);"
The second value is a fileless loader: mshta.exe runs inline JavaScript that reads HKCU\Software\Microsoft\SMSvcHost\ComponentID through WScript.Shell and eval()s whatever it finds, so the next stage is stored in that registry value rather than as a file. Both values are written by the hollowed explorer.exe (PID 1424), not by the original sample.
-
Suspicious use of SetThreadContext (2 IoCs)
Processes:
  PID 3220 (f3133b021fd1eb20aa1b624a6295496e0d4cfdad4d6d25ac00ab02ee5cbea8b1.exe) set thread context of PID 864 (RegSvcs.exe)
  PID 864 (RegSvcs.exe) set thread context of PID 1424 (explorer.exe)
Two-stage process hollowing: the sample starts the signed .NET utility RegSvcs.exe, overwrites its memory and redirects its thread, and the hollowed RegSvcs.exe repeats the procedure against a 32-bit explorer.exe (C:\Windows\SysWOW64\explorer.exe). Everything after this point runs under the explorer.exe image name.
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). The sandbox tags this generic heuristic as likely ransomware behaviour, but nothing else in this report supports that reading (no file encryption or ransom-note activity is recorded, and the sample is classified as a keylogger); treat it as a low-confidence indicator.
-
Program crash (1 IoCs)
Processes:
  WerFault.exe (PID 3800) handled a crash of PID 3168 (MicrosoftAsistence.exe)
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
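The schtasks command line this signature refers to appears in the process tree below: /sc once combined with /ri 1 and /du 9999:59 turns a one-shot task into one that re-fires every minute for roughly 417 days, a repeat-on-timer pattern that rules looking only for /sc minute or /sc onlogon miss. The Python below is an added example, not part of the sandbox report: it parses that command line (copied into SAMPLE_SCHTASKS) and lists the properties a responder should act on. The lookalike-name and user-writable-path lists are my own assumptions, not something the report contains.

```python
"""Added example: triage a schtasks /create command line for persistence tells.
SAMPLE_SCHTASKS is copied from this report's process tree; SYSTEM_LOOKALIKES and
USER_WRITABLE_MARKERS are assumptions for illustration."""
import shlex
from typing import Dict, List, Optional

SAMPLE_SCHTASKS = (
    'schtasks /create /tn \\svchost '
    '/tr "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\svchost\\svchost.exe" '
    '/st 00:00 /du 9999:59 /sc once /ri 1 /f'
)

# Assumed: Windows component names malware likes to borrow for task names,
# and path fragments that indicate a user-writable location.
SYSTEM_LOOKALIKES = {"svchost", "svchost.exe", "csrss", "lsass", "winlogon", "wininit"}
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\public\\")


def parse_schtasks(cmd: str) -> Dict[str, Optional[str]]:
    """Map each /switch (lower-case, without the slash) to its argument; bare switches
    such as /create and /f map to None. posix=False keeps Windows backslashes and
    quoted paths intact; the surrounding quotes are stripped afterwards."""
    toks = shlex.split(cmd, posix=False)
    opts: Dict[str, Optional[str]] = {}
    i = 1  # toks[0] is the schtasks image itself
    while i < len(toks):
        tok = toks[i]
        if not tok.startswith("/"):
            i += 1
            continue
        key = tok[1:].lower()
        nxt = toks[i + 1] if i + 1 < len(toks) else None
        if nxt is not None and not nxt.startswith("/"):
            opts[key] = nxt.strip('"')
            i += 2
        else:
            opts[key] = None
            i += 1
    return opts


def hhmm_to_minutes(value: str) -> int:
    hours, minutes = value.split(":")
    return int(hours) * 60 + int(minutes)


def effective_runs(opts: Dict[str, Optional[str]]) -> Optional[int]:
    """Upper bound on how often a /sc once task fires: the start run plus one repeat
    per /ri interval inside the /du window. None if this is not a repeating once-task."""
    if (opts.get("sc") or "").lower() != "once" or not opts.get("ri") or not opts.get("du"):
        return None
    return 1 + hhmm_to_minutes(opts["du"]) // int(opts["ri"])


def assess_task(cmd: str) -> List[str]:
    """Human-readable reasons this task registration deserves attention."""
    opts = parse_schtasks(cmd)
    reasons: List[str] = []
    task_name = opts.get("tn") or ""
    action = opts.get("tr") or ""
    if task_name.lstrip("\\").lower() in SYSTEM_LOOKALIKES:
        reasons.append(f"task name {task_name!r} imitates a Windows component")
    if any(marker in action.lower() for marker in USER_WRITABLE_MARKERS):
        reasons.append(f"task action runs from a user-writable path: {action}")
    runs = effective_runs(opts)
    if runs is not None and runs > 1:
        reasons.append(f"/sc once with /ri {opts['ri']} and /du {opts['du']}: "
                       f"up to {runs} runs, persistent in all but name")
    if "f" in opts:
        reasons.append("/f silently replaces any existing task with the same name")
    return reasons


if __name__ == "__main__":
    for reason in assess_task(SAMPLE_SCHTASKS):
        print("-", reason)
```

The parse is deliberately switch-driven rather than regex-driven so that the same function handles /create lines with the switches in any order; when hunting across an estate, feed it the Task Scheduler event 4698 command lines or the XML Actions/Exec nodes instead of the sandbox tree.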
-
Modifies registry class (1 IoCs)
Processes:
  Key created by 440.exe: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance
-
Suspicious behavior: EnumeratesProcesses (13 IoCs)
Processes:
  PID 3800 WerFault.exe (13 identical events)
-
Suspicious behavior: MapViewOfSection (2 IoCs)
Processes:
  PID 864 RegSvcs.exe
  PID 1424 explorer.exe
-
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  PID 3800 WerFault.exe: Token SeRestorePrivilege
  PID 3800 WerFault.exe: Token SeBackupPrivilege
  PID 3800 WerFault.exe: Token SeDebugPrivilege
-
Suspicious use of FindShellTrayWindow (1 IoCs)
Processes:
  PID 1424 explorer.exe
-
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
  PID 1424 explorer.exe
SetWindowsHookEx installs keyboard and message hooks. Here it is called from the explorer.exe instance that RegSvcs.exe hollowed, the same PID whose memory matched the family_vkeylogger YARA rule, so this is the likely keystroke-capture point rather than legitimate shell behaviour.
-
Suspicious use of WriteProcessMemory (20 IoCs)
Processes:
  PID 3220 (f3133b021fd1eb20aa1b624a6295496e0d4cfdad4d6d25ac00ab02ee5cbea8b1.exe) wrote to memory of PID 864 (RegSvcs.exe)  x5
  PID 864 (RegSvcs.exe) wrote to memory of PID 1424 (explorer.exe)  x3
  PID 1424 (explorer.exe) wrote to memory of PID 2368 (440.exe)  x3
  PID 2368 (440.exe) wrote to memory of PID 3168 (MicrosoftAsistence.exe)  x3
  PID 3168 (MicrosoftAsistence.exe) wrote to memory of PID 896 (cmd.exe)  x3
  PID 896 (cmd.exe) wrote to memory of PID 1344 (schtasks.exe)  x3
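Read together, the SetThreadContext and WriteProcessMemory tables describe a two-stage hollowing chain followed by an ordinary parent-to-child spawn sequence. The Python below is an added example, not part of the sandbox report: it replays the report's events (copied into EVENTS, with identical repeated rows collapsed to one) and shows how to separate real injection, where a source both writes into a target and replaces its thread context, from the CreateProcess noise that WriteProcessMemory produces on its own, then follows the chain to the process that actually installs the hook.

```python
"""Added example: reconstruct a process-hollowing chain from sandbox API events.
EVENTS is constructed from this report's SetThreadContext, WriteProcessMemory and
SetWindowsHookEx tables; repeated identical rows are collapsed to one entry."""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple


class Event(NamedTuple):
    src_pid: int
    api: str
    tgt_pid: int
    src_image: str
    tgt_image: str


SAMPLE = "f3133b021fd1eb20aa1b624a6295496e0d4cfdad4d6d25ac00ab02ee5cbea8b1.exe"

EVENTS: List[Event] = [
    Event(3220, "WriteProcessMemory", 864, SAMPLE, "RegSvcs.exe"),             # reported x5
    Event(3220, "SetThreadContext", 864, SAMPLE, "RegSvcs.exe"),
    Event(864, "WriteProcessMemory", 1424, "RegSvcs.exe", "explorer.exe"),     # reported x3
    Event(864, "SetThreadContext", 1424, "RegSvcs.exe", "explorer.exe"),
    Event(1424, "WriteProcessMemory", 2368, "explorer.exe", "440.exe"),        # parent -> child only
    Event(2368, "WriteProcessMemory", 3168, "440.exe", "MicrosoftAsistence.exe"),
    Event(3168, "WriteProcessMemory", 896, "MicrosoftAsistence.exe", "cmd.exe"),
    Event(896, "WriteProcessMemory", 1344, "cmd.exe", "schtasks.exe"),
    Event(1424, "SetWindowsHookEx", 1424, "explorer.exe", "explorer.exe"),     # hook from hollowed explorer
]

HOLLOWING_APIS: Set[str] = {"WriteProcessMemory", "SetThreadContext"}


def hollowing_edges(events: List[Event]) -> List[Tuple[int, int]]:
    """(src, tgt) pairs where the source both wrote into the target AND replaced a
    thread context. A lone WriteProcessMemory from a parent into its new child is
    normal CreateProcess behaviour and is deliberately not flagged."""
    apis: Dict[Tuple[int, int], Set[str]] = defaultdict(set)
    for e in events:
        apis[(e.src_pid, e.tgt_pid)].add(e.api)
    return sorted(pair for pair, seen in apis.items() if HOLLOWING_APIS <= seen)


def image_names(events: List[Event]) -> Dict[int, str]:
    names = {e.src_pid: e.src_image for e in events}
    names.update({e.tgt_pid: e.tgt_image for e in events})
    return names


def injection_chain(events: List[Event], start_pid: int) -> List[Tuple[int, str]]:
    """Follow hollowing edges from start_pid until no further hollowed process exists.
    Assumes each source hollows at most one target, which holds for this report."""
    nxt = dict(hollowing_edges(events))
    names = image_names(events)
    chain, seen = [start_pid], {start_pid}
    while chain[-1] in nxt and nxt[chain[-1]] not in seen:
        chain.append(nxt[chain[-1]])
        seen.add(chain[-1])
    return [(pid, names[pid]) for pid in chain]


def hooks_from_hollowed(events: List[Event]) -> List[int]:
    """PIDs that were hollowed into and then called SetWindowsHookEx: the process
    whose image name says explorer.exe but whose code is the injected payload."""
    hollowed = {tgt for _, tgt in hollowing_edges(events)}
    return sorted({e.src_pid for e in events
                   if e.api == "SetWindowsHookEx" and e.src_pid in hollowed})


if __name__ == "__main__":
    for pid, name in injection_chain(EVENTS, 3220):
        print(f"{pid:>5}  {name}")
    print("hook installed by hollowed PID(s):", hooks_from_hollowed(EVENTS))
```

The same pairing rule transfers to EDR telemetry: alert on a source that performs both a cross-process write and a thread-context change against the same target, and treat the final hollowed PID, not the on-disk sample, as the process to dump and scan.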
Processes
- C:\Users\Admin\AppData\Local\Temp\f3133b021fd1eb20aa1b624a6295496e0d4cfdad4d6d25ac00ab02ee5cbea8b1.exe (PID 3220)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f3133b021fd1eb20aa1b624a6295496e0d4cfdad4d6d25ac00ab02ee5cbea8b1.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 864)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\explorer.exe (PID 1424)
      Command line: "C:\Windows\SysWOW64\explorer.exe"
      - Adds Run key to start application
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\440.exe (PID 2368)
        Command line: "C:\Users\Admin\AppData\Local\Temp\440.exe"
        - Executes dropped EXE
        - Checks computer location settings
        - Modifies registry class
        - Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\MicrosoftAsistence.exe (PID 3168)
          Command line: "C:\Users\Admin\AppData\Local\Temp\MicrosoftAsistence.exe"
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\cmd.exe (PID 896)
            Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /tn \svchost /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost\svchost.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
            - Suspicious use of WriteProcessMemory
            - C:\Windows\SysWOW64\schtasks.exe (PID 1344)
              Command line: schtasks /create /tn \svchost /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost\svchost.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
              - Creates scheduled task(s)
          - C:\Windows\SysWOW64\WerFault.exe (PID 3800)
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 672
            - Program crash
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost\svchost.exe
  Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost\svchost.exe
  - Executes dropped EXE
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost\svchost.exe
  Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost\svchost.exe
  - Executes dropped EXE
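The Run key entries written by the hollowed explorer.exe in the tree above are the part of this chain most worth a detection rule: one value relaunches the signed .NET host RegSvcs.exe with no arguments, the other launches mshta.exe with inline JavaScript that reads HKCU\Software\Microsoft\SMSvcHost\ComponentID and eval()s it, so the next stage never has to exist as a file. The Python below is an added example, not from the sandbox report: the two values are copied from the 'Adds Run key to start application' table, while the script-host and .NET-host name lists are my own assumptions and generalise beyond this one sample.

```python
"""Added example: flag Run-key values that load a registry-resident payload or
start an argument-less signed .NET host. SAMPLE_RUN_VALUES is copied from this
report's 'Adds Run key' table (raw registry data, JavaScript escaping intact);
SCRIPT_HOSTS and DOTNET_HOSTS are assumptions for illustration."""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_RUN_VALUES: Dict[str, str] = {
    "gr5wd": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
    "gtrhy": (r'C:\Windows\system32\mshta.exe javascript:x=new%20ActiveXObject("wscript.shell");'
              r'v=x.RegRead("HKCU\\Software\\Microsoft\\SMSvcHost\\ComponentID");eval(v);'),
}

# Assumed: script hosts that accept inline code, and signed .NET utilities that are
# commonly used as injection targets when started with no arguments.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}

# RegRead("...") with JavaScript escape sequences allowed inside the quotes.
REGREAD_RE = re.compile(r'RegRead\(\s*"((?:[^"\\]|\\.)*)"\s*\)', re.IGNORECASE)
EVAL_RE = re.compile(r"\beval\s*\(")


class Finding(NamedTuple):
    value_name: str
    reason: str
    payload_key: Optional[str]   # registry path the script pulls its code from, if any


def js_unescape(s: str) -> str:
    r"""Undo JavaScript string escaping: 'HKCU\\Software' -> 'HKCU\Software'."""
    return re.sub(r"\\(.)", r"\1", s)


def split_command(cmd: str) -> Tuple[str, str]:
    """Split a Run value into (image path, remaining arguments), honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end > 0:
            return cmd[1:end], cmd[end + 1:].strip()
        return cmd[1:], ""
    parts = cmd.split(None, 1)
    return (parts[0], parts[1].strip()) if len(parts) == 2 else (cmd, "")


def image_name(path: str) -> str:
    """Lower-cased basename of an image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyse_run_value(name: str, data: str) -> List[Finding]:
    findings: List[Finding] = []
    path, args = split_command(data)
    img = image_name(path)
    lower_args = args.lower()
    if img in SCRIPT_HOSTS and ("javascript:" in lower_args or "vbscript:" in lower_args):
        findings.append(Finding(name, f"{img} started from Run with inline script", None))
    m = REGREAD_RE.search(data)
    if m and EVAL_RE.search(data):
        findings.append(Finding(name, "inline script RegRead()s a value and eval()s it: "
                                      "payload lives in the registry, not on disk",
                                js_unescape(m.group(1))))
    if img in DOTNET_HOSTS and args == "":
        findings.append(Finding(name, f"{img} registered in Run with no arguments; "
                                      "plausible hollowing host, inspect its memory", None))
    return findings


def triage_run_key(values: Dict[str, str]) -> List[Finding]:
    out: List[Finding] = []
    for name, data in values.items():
        out.extend(analyse_run_value(name, data))
    return out


if __name__ == "__main__":
    for f in triage_run_key(SAMPLE_RUN_VALUES):
        suffix = f" -> {f.payload_key}" if f.payload_key else ""
        print(f"{RUN_KEY}\\{f.value_name}: {f.reason}{suffix}")
```

When a finding carries a payload_key, collect that registry value as evidence before cleanup: deleting the Run entry alone leaves the stage stored under SMSvcHost\ComponentID in place for any other loader to pick up.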
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\440.exe
  MD5: 557f326debaaf3a7e8523a2efcd68032
  SHA1: 3bff709e3a76d9ba5e10550a417cb6dce9e760cd
  SHA256: 253475cc935af014ede78d7c0b899d560015c6fa820bc5cae78203afc2eebe98
  SHA512: 5f1f7ff5e984157b68d6feb8adff5a9846392df5e7c41af90d5bf5aed7dcb9832d3b03d91f53fcadea48c6c125d3b6663f9f133634208e58a14afe5a64f074a5
- C:\Users\Admin\AppData\Local\Temp\MicrosoftAsistence.exe
  MD5: 84ffcd2e4a61db6acba49632fd32985b
  SHA1: 2cb20cd9c48b9af6a6a064ca467c866d933ad56f
  SHA256: 5e0450a533e221adf0344db11561fbe2349220369e79a325e33e06d914cfb8d2
  SHA512: 1a9ec55bb3c5d3a9eddfdb6444f1266a02d5f8eed09025b39bfe48790c6492b1fd9d8be52af4814c22d1ac08a15ac93af0e280af9cb1bc12f1e3a6e3dadce875
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost\svchost.exe
  Same hashes as MicrosoftAsistence.exe above: the dropper copied itself to the path the scheduled task points at.
  MD5: 84ffcd2e4a61db6acba49632fd32985b
  SHA1: 2cb20cd9c48b9af6a6a064ca467c866d933ad56f
  SHA256: 5e0450a533e221adf0344db11561fbe2349220369e79a325e33e06d914cfb8d2
  SHA512: 1a9ec55bb3c5d3a9eddfdb6444f1266a02d5f8eed09025b39bfe48790c6492b1fd9d8be52af4814c22d1ac08a15ac93af0e280af9cb1bc12f1e3a6e3dadce875
- memory/864-121-0x00000000005C3500-mapping.dmp
- memory/864-115-0x00000000005C0000-0x00000000005CF000-memory.dmp (60KB)
- memory/896-132-0x0000000000000000-mapping.dmp
- memory/1344-133-0x0000000000000000-mapping.dmp
- memory/1424-122-0x0000000000752E90-mapping.dmp
- memory/1424-123-0x0000000000750000-0x000000000075F000-memory.dmp (60KB)
- memory/2368-124-0x0000000000000000-mapping.dmp
- memory/2368-127-0x0000000000F80000-0x0000000000F95000-memory.dmp (84KB)
- memory/2368-128-0x0000000001080000-0x00000000010A6000-memory.dmp (152KB)
- memory/3168-129-0x0000000000000000-mapping.dmp