Analysis
- max time kernel: 119s
- max time network: 127s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 21-01-2022 21:26
Static task: static1

Behavioral task: behavioral1
- Sample: e-transfer.exe
- Resource: win7-en-20211208 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: e-transfer.exe
- Resource: win10-en-20211208 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: e-transfer.exe
- Size: 300.0MB
- MD5: affebb601f181b9c290753caae06050a
- SHA1: 64942ee5d84b1a2262d02a1dd0ae1aa6e8b66486
- SHA256: e2ce88575e964545d834e0bae841ec554b02fa4a290e645e19cb7556123bb49e
- SHA512: 3870beafddb9972863a2b0d74eeded9bd21eb3b8c13563808754927ce3a29579adad56e7eb3bc37b4777cb16caea0d9d5d233b01432aa42fe0c5ecafc3c025b2
- Score: 8/10
Malware Config
Signatures
- YARA rule match: upx
  Processes:
  resource | yara_rule
  behavioral2/memory/1512-122-0x0000000000910000-0x0000000000CF4000-memory.dmp | upx
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  description | pid | process | target process
  PID 2664 set thread context of 1512 | 2664 | e-transfer.exe | RegAsm.exe
- Program crash (1 IoCs)
  Processes:
  pid | pid_target | process | target process
  1348 | 1512 | WerFault.exe | RegAsm.exe
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (13 IoCs)
  Processes:
  pid | process
  1348 | WerFault.exe (the same entry is listed 13 times)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 2664 | e-transfer.exe
  Token: SeRestorePrivilege | 1348 | WerFault.exe
  Token: SeBackupPrivilege | 1348 | WerFault.exe
  Token: SeDebugPrivilege | 1348 | WerFault.exe
- Suspicious use of WriteProcessMemory (19 IoCs)
  Processes:
  description | pid | process | target process
  PID 2664 wrote to memory of 1512 | 2664 | e-transfer.exe | RegAsm.exe (7 entries)
  PID 2664 wrote to memory of 3796 | 2664 | e-transfer.exe | cmd.exe (3 entries)
  PID 2664 wrote to memory of 1216 | 2664 | e-transfer.exe | cmd.exe (3 entries)
  PID 2664 wrote to memory of 896 | 2664 | e-transfer.exe | cmd.exe (3 entries)
  PID 1216 wrote to memory of 1292 | 1216 | cmd.exe | schtasks.exe (3 entries)
Processes
- (level 1) C:\Users\Admin\AppData\Local\Temp\e-transfer.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e-transfer.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - (level 2) C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    - (level 3) C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 568
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  - (level 2) C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\YAKBITT"
  - (level 2) C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\Admin\AppData\Roaming\YAKBITT\YAKBITT.exe'" /f
    - Suspicious use of WriteProcessMemory
    - (level 3) C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\Admin\AppData\Roaming\YAKBITT\YAKBITT.exe'" /f
      - Creates scheduled task(s)
  - (level 2) C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\e-transfer.exe" "C:\Users\Admin\AppData\Roaming\YAKBITT\YAKBITT.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1512-122-0x0000000000910000-0x0000000000CF4000-memory.dmp (Filesize: 3.9MB)
- memory/2664-115-0x0000000000E50000-0x0000000001060000-memory.dmp (Filesize: 2.1MB)
- memory/2664-116-0x00000000052F0000-0x0000000005356000-memory.dmp (Filesize: 408KB)
- memory/2664-117-0x00000000058A0000-0x0000000005D9E000-memory.dmp (Filesize: 5.0MB)
- memory/2664-118-0x0000000005440000-0x00000000054D2000-memory.dmp (Filesize: 584KB)
- memory/2664-119-0x00000000052E0000-0x00000000052E1000-memory.dmp (Filesize: 4KB)
- memory/2664-120-0x00000000053E0000-0x00000000053EA000-memory.dmp (Filesize: 40KB)