Analysis
-
max time kernel
165s -
max time network
188s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220112 -
submitted
15-02-2022 12:33
General
-
Target
mavens[1].exe
-
Size
3.5MB
-
MD5
3c7b73307754a88b0cab311b436b60a6
-
SHA1
44e620b74b4c8df6d66fc2def07f3cea73eb8421
-
SHA256
83895bba41d8a8e50a72830c47b24a59fa59b9a9a519417208e688b174e468d1
-
SHA512
13c57ecc348354c19dc6833da13c44a5b72b7f7db801ac2d6ea3ddd8410bc50a3daefd763840c22305dfd599f5d458f5addc93fc6530a7e481b531dec5b78781
Malware Config
Signatures
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Executes dropped EXE 1 IoCs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Drops startup file 1 IoCs
-
Themida packer 8 IoCs
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies data under HKEY_USERS 46 IoCs
-
Modifies registry class 36 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\mavens[1].exe"C:\Users\Admin\AppData\Local\Temp\mavens[1].exe"1⤵
- Checks BIOS information in registry
- Drops startup file
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe"C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
-
C:\Windows\system32\MusNotifyIcon.exe%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 131⤵
- Checks processor information in registry
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2364 -s 45202⤵
- Program crash
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2364 -s 45202⤵
- Program crash
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 432 -p 2364 -ip 23641⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exeMD5
3c7b73307754a88b0cab311b436b60a6
SHA144e620b74b4c8df6d66fc2def07f3cea73eb8421
SHA25683895bba41d8a8e50a72830c47b24a59fa59b9a9a519417208e688b174e468d1
SHA51213c57ecc348354c19dc6833da13c44a5b72b7f7db801ac2d6ea3ddd8410bc50a3daefd763840c22305dfd599f5d458f5addc93fc6530a7e481b531dec5b78781
-
C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exeMD5
3c7b73307754a88b0cab311b436b60a6
SHA144e620b74b4c8df6d66fc2def07f3cea73eb8421
SHA25683895bba41d8a8e50a72830c47b24a59fa59b9a9a519417208e688b174e468d1
SHA51213c57ecc348354c19dc6833da13c44a5b72b7f7db801ac2d6ea3ddd8410bc50a3daefd763840c22305dfd599f5d458f5addc93fc6530a7e481b531dec5b78781
-
memory/1780-130-0x00007FF92E410000-0x00007FF92E412000-memory.dmpFilesize
8KB
-
memory/1780-131-0x00007FF749030000-0x00007FF7499AA000-memory.dmpFilesize
9.5MB
-
memory/1780-132-0x00007FF749030000-0x00007FF7499AA000-memory.dmpFilesize
9.5MB
-
memory/1780-133-0x00007FF749030000-0x00007FF7499AA000-memory.dmpFilesize
9.5MB
-
memory/1900-136-0x00007FF62A4C0000-0x00007FF62AE3A000-memory.dmpFilesize
9.5MB
-
memory/1900-137-0x00007FF62A4C0000-0x00007FF62AE3A000-memory.dmpFilesize
9.5MB
-
memory/1900-138-0x00007FF62A4C0000-0x00007FF62AE3A000-memory.dmpFilesize
9.5MB