Analysis
-
max time kernel
151s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
20-05-2022 21:48
Static task
static1
Behavioral task
behavioral1
Sample
ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe
Resource
win10v2004-20220414-en
General
-
Target
ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe
-
Size
25KB
-
MD5
b6974c625e2a8c07e6202090a0062497
-
SHA1
778ce55ed26bd5f9d20d0c29b5d2dc196466de49
-
SHA256
ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0
-
SHA512
56d8549176aa1d3efd8f3c0a3927b2c76e5075eb036988b2bb58cc43357eca442439b5fa3bcd07de23c348e2d55412b11bcee2ebf7a67fd0ab698e5d75ebb95b
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
Server.exeServer.exepid process 4292 Server.exe 3188 Server.exe -
Drops startup file 2 IoCs
Processes:
ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe\" .." ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe\" .." ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe -
Drops file in System32 directory 2 IoCs
Processes:
svchost.exedescription ioc process File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{61441739-2C61-4F47-9BA2-A1C0100075C1}.catalogItem svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{107B7D9B-B7E0-4337-9A26-242310909DF9}.catalogItem svchost.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
svchost.exedescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString svchost.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
svchost.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU svchost.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS svchost.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exepid process 432 ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe -
Suspicious use of AdjustPrivilegeToken 33 IoCs
Processes:
ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exedescription pid process Token: SeDebugPrivilege 432 ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe Token: 33 432 ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe Token: SeIncBasePriorityPrivilege 432 ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe Token: 33 432 ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe Token: SeIncBasePriorityPrivilege 432 ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe Token: 33 432 ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe Token: SeIncBasePriorityPrivilege 432 ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe Token: 33 432 ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe Token: SeIncBasePriorityPrivilege 432 ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe Token: 33 432 ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe Token: SeIncBasePriorityPrivilege 432 ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe Token: 33 432 ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe Token: SeIncBasePriorityPrivilege 432 ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe Token: 33 432 ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe Token: SeIncBasePriorityPrivilege 432 ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe Token: 33 432 ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe Token: SeIncBasePriorityPrivilege 432 ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe Token: 33 432 ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe Token: SeIncBasePriorityPrivilege 432 ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe Token: 33 432 ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe Token: SeIncBasePriorityPrivilege 432 ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe Token: 33 432 ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe Token: SeIncBasePriorityPrivilege 432 ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe Token: 33 432 ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe Token: SeIncBasePriorityPrivilege 432 ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe Token: 33 432 ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe Token: SeIncBasePriorityPrivilege 432 ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe Token: 33 432 ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe Token: SeIncBasePriorityPrivilege 432 ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe Token: 33 432 ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe Token: SeIncBasePriorityPrivilege 432 ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe Token: 33 432 ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe Token: SeIncBasePriorityPrivilege 432 ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exedescription pid process target process PID 432 wrote to memory of 4612 432 ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe schtasks.exe PID 432 wrote to memory of 4612 432 ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe schtasks.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe"C:\Users\Admin\AppData\Local\Temp\ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe"1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /create /sc minute /mo 1 /tn Server /tr C:\Users\Admin\AppData\Local\Temp/Server.exe2⤵
- Creates scheduled task(s)
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\Server.exeC:\Users\Admin\AppData\Local\Temp/Server.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Server.exeC:\Users\Admin\AppData\Local\Temp/Server.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Server.exe.logFilesize
1KB
MD5a8a147915e3a996fdbe10b3a3f1e1bb2
SHA1abc564c1be468d57e700913e7b6cf8f62d421263
SHA2568b96a8557deea66696837af011843d6a82451ba57c8f9b5a2726a70818d6fc7e
SHA51217b42f17ef60a9f625703172763f692e5ed2ca93564a97853dfa72bb0ac6305ef3267aea0b205938e3aa8eac10156d9d4f322b30d0329d92d647bcec6372731c
-
C:\Users\Admin\AppData\Local\Temp\Server.exeFilesize
25KB
MD5b6974c625e2a8c07e6202090a0062497
SHA1778ce55ed26bd5f9d20d0c29b5d2dc196466de49
SHA256ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0
SHA51256d8549176aa1d3efd8f3c0a3927b2c76e5075eb036988b2bb58cc43357eca442439b5fa3bcd07de23c348e2d55412b11bcee2ebf7a67fd0ab698e5d75ebb95b
-
C:\Users\Admin\AppData\Local\Temp\Server.exeFilesize
25KB
MD5b6974c625e2a8c07e6202090a0062497
SHA1778ce55ed26bd5f9d20d0c29b5d2dc196466de49
SHA256ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0
SHA51256d8549176aa1d3efd8f3c0a3927b2c76e5075eb036988b2bb58cc43357eca442439b5fa3bcd07de23c348e2d55412b11bcee2ebf7a67fd0ab698e5d75ebb95b
-
C:\Users\Admin\AppData\Local\Temp\Server.exeFilesize
25KB
MD5b6974c625e2a8c07e6202090a0062497
SHA1778ce55ed26bd5f9d20d0c29b5d2dc196466de49
SHA256ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0
SHA51256d8549176aa1d3efd8f3c0a3927b2c76e5075eb036988b2bb58cc43357eca442439b5fa3bcd07de23c348e2d55412b11bcee2ebf7a67fd0ab698e5d75ebb95b
-
memory/432-130-0x0000000000050000-0x0000000000058000-memory.dmpFilesize
32KB
-
memory/432-131-0x00007FFEA4C50000-0x00007FFEA5711000-memory.dmpFilesize
10.8MB
-
memory/3188-138-0x00007FFEA4C50000-0x00007FFEA5711000-memory.dmpFilesize
10.8MB
-
memory/4292-135-0x00007FFEA4C50000-0x00007FFEA5711000-memory.dmpFilesize
10.8MB
-
memory/4612-132-0x0000000000000000-mapping.dmp