Overview

overview

10

Static

static

Materials.exe

windows7_x64

10

Materials.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    130s
  • max time network
    177s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    21-02-2022 11:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Materials.exe

  • Size

    357KB

  • MD5

    8bd9a34cf06fa228b4ccd401808723cc

  • SHA1

    e17daeaf2e0dcfdbaf026866c00fefb0beb47520

  • SHA256

    38f3aadc65df16aed9f5bbaa5f42598d3fd9b29811429fcddd679a40b092fca0

  • SHA512

    3d3ac1d0d90125fba07ca8a6fe0bb75a95b47b1caf177854b9e476aede2cefe396c68bb68c7dde0e32b22a740708aa3f23dd3726f3789504b83fd0b195c0479e

Score
10/10

Malware Config

Signatures

  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 6 IoCs
  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Materials.exe
    "C:\Users\Admin\AppData\Local\Temp\Materials.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:1836
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      2⤵
        PID:4648
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c cls
        2⤵
          PID:4592
        • C:\Users\Admin\AppData\Local\Temp\Materials.exe
          "C:\Users\Admin\AppData\Local\Temp\Materials.exe"
          2⤵
            PID:4444
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 24
              3⤵
              • Program crash
              • Checks processor information in registry
              • Enumerates system info in registry
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1564
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4444 -ip 4444
          1⤵
          • Suspicious use of NtCreateProcessExOtherParentProcess
          • Suspicious use of WriteProcessMemory
          PID:4764
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
          1⤵
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          PID:4952

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Privilege Escalation

        Defense Evasion

        Credential Access

        Discovery

        Query Registry

        2
        T1012

        System Information Discovery

        2
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/1836-133-0x000000000054D000-0x0000000000550000-memory.dmp
          Filesize

          12KB

          Download
        • memory/4952-134-0x0000021EE6560000-0x0000021EE6570000-memory.dmp
          Filesize

          64KB

          Download
        • memory/4952-135-0x0000021EE6B20000-0x0000021EE6B30000-memory.dmp
          Filesize

          64KB

          Download
        • memory/4952-136-0x0000021EE9190000-0x0000021EE9194000-memory.dmp
          Filesize

          16KB

          Download