Analysis
- max time kernel: 91s
- max time network: 128s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 11-06-2022 16:14
- Static task: static1
- Behavioral task: behavioral1
- Sample: 23s.exe
- Resource: win7-20220414-en
General
- Target: 23s.exe
- Size: 71KB
- MD5: e79d48bc650a2e1bd36d73f438826b8d
- SHA1: 191e1644ca6b40fd8469d8013e4f931ac9877c18
- SHA256: 5f3916cde8f3852fc370be7442e668f31a0d676f2ae912f88042481f972cc26a
- SHA512: 7451442c8ff56ce0124efe429afbba480c71e56247f5cbebe83a0aa7107e9e3c3f68e891dfa928d1fc47be8c5fd715f59ebd252cf4d3d06f1eb471f6d422948d
Malware Config
Signatures
- Mimikatz
  mimikatz is an open source tool to dump credentials on Windows.
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  Processes:
  | description | pid | process | target process |
  |---|---|---|---|
  | PID 1256 created 444 | 1256 | svchost.exe | svchost.exe |
- suricata: ET MALWARE Possible Metasploit Payload Common Construct Bind_API (from server)
- mimikatz is an open source tool to dump credentials on Windows (1 IoC)
  Processes:
  | resource | yara_rule |
  |---|---|
  | behavioral2/memory/444-147-0x000002ED1BE00000-0x000002ED1BF6E000-memory.dmp | mimikatz |
- Program crash (1 IoC)
  Processes:
  | pid | pid_target | process | target process |
  |---|---|---|---|
  | 4804 | 444 | WerFault.exe | svchost.exe |
- Modifies data under HKEY_USERS (6 IoCs)
  Processes:
  | description | ioc | process |
  |---|---|---|
  | Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Notepad | notepad.exe |
  | Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Notepad\fWindowsOnlyEOL = "0" | notepad.exe |
  | Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Notepad\fPasteOriginalEOL = "0" | notepad.exe |
  | Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Notepad\fReverse = "0" | notepad.exe |
  | Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Notepad\fWrapAround = "0" | notepad.exe |
  | Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Notepad\fMatchCase = "0" | notepad.exe |
- Suspicious behavior: EnumeratesProcesses (9 IoCs)
  Processes:
  | pid | process |
  |---|---|
  | 444 | svchost.exe |
  | 444 | svchost.exe |
  | 1968 | notepad.exe |
  | 444 | svchost.exe |
  | 444 | svchost.exe |
  | 444 | svchost.exe |
  | 444 | svchost.exe |
  | 444 | svchost.exe |
  | 444 | svchost.exe |
- Suspicious use of AdjustPrivilegeToken (39 IoCs)
  Processes:
  | description | pid | process |
  |---|---|---|
  | Token: SeAssignPrimaryTokenPrivilege | 444 | svchost.exe |
  | Token: SeAuditPrivilege | 444 | svchost.exe |
  | Token: SeBackupPrivilege | 444 | svchost.exe |
  | Token: SeChangeNotifyPrivilege | 444 | svchost.exe |
  | Token: SeCreateGlobalPrivilege | 444 | svchost.exe |
  | Token: SeCreatePagefilePrivilege | 444 | svchost.exe |
  | Token: SeCreatePermanentPrivilege | 444 | svchost.exe |
  | Token: 35 | 444 | svchost.exe |
  | Token: SeCreateTokenPrivilege | 444 | svchost.exe |
  | Token: SeDebugPrivilege | 444 | svchost.exe |
  | Token: SeEnableDelegationPrivilege | 444 | svchost.exe |
  | Token: SeImpersonatePrivilege | 444 | svchost.exe |
  | Token: SeIncBasePriorityPrivilege | 444 | svchost.exe |
  | Token: SeIncreaseQuotaPrivilege | 444 | svchost.exe |
  | Token: 33 | 444 | svchost.exe |
  | Token: SeLoadDriverPrivilege | 444 | svchost.exe |
  | Token: SeLockMemoryPrivilege | 444 | svchost.exe |
  | Token: SeMachineAccountPrivilege | 444 | svchost.exe |
  | Token: SeManageVolumePrivilege | 444 | svchost.exe |
  | Token: SeProfSingleProcessPrivilege | 444 | svchost.exe |
  | Token: 32 | 444 | svchost.exe |
  | Token: SeRemoteShutdownPrivilege | 444 | svchost.exe |
  | Token: SeRestorePrivilege | 444 | svchost.exe |
  | Token: SeSecurityPrivilege | 444 | svchost.exe |
  | Token: SeShutdownPrivilege | 444 | svchost.exe |
  | Token: SeSyncAgentPrivilege | 444 | svchost.exe |
  | Token: SeSystemEnvironmentPrivilege | 444 | svchost.exe |
  | Token: SeSystemProfilePrivilege | 444 | svchost.exe |
  | Token: SeSystemtimePrivilege | 444 | svchost.exe |
  | Token: SeTakeOwnershipPrivilege | 444 | svchost.exe |
  | Token: SeTcbPrivilege | 444 | svchost.exe |
  | Token: 34 | 444 | svchost.exe |
  | Token: 31 | 444 | svchost.exe |
  | Token: SeUndockPrivilege | 444 | svchost.exe |
  | Token: 0 | 444 | svchost.exe |
  | Token: SeDebugPrivilege | 444 | svchost.exe |
  | Token: SeTcbPrivilege | 1256 | svchost.exe |
  | Token: SeTcbPrivilege | 1256 | svchost.exe |
  | Token: SeDebugPrivilege | 1968 | notepad.exe |
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes:
  | description | pid | process | target process |
  |---|---|---|---|
  | PID 3816 wrote to memory of 444 | 3816 | 23s.exe | svchost.exe |
  | PID 3816 wrote to memory of 444 | 3816 | 23s.exe | svchost.exe |
  | PID 3816 wrote to memory of 444 | 3816 | 23s.exe | svchost.exe |
  | PID 1256 wrote to memory of 1968 | 1256 | svchost.exe | notepad.exe |
  | PID 1256 wrote to memory of 1968 | 1256 | svchost.exe | notepad.exe |
  | PID 1256 wrote to memory of 1968 | 1256 | svchost.exe | notepad.exe |
  | PID 1256 wrote to memory of 1968 | 1256 | svchost.exe | notepad.exe |
  | PID 1256 wrote to memory of 1968 | 1256 | svchost.exe | notepad.exe |
  | PID 444 wrote to memory of 1968 | 444 | svchost.exe | notepad.exe |
  | PID 444 wrote to memory of 1968 | 444 | svchost.exe | notepad.exe |
Processes (the number in brackets is the depth in the process tree)
- [1] C:\Users\Admin\AppData\Local\Temp\23s.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\23s.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SYSTEM32\svchost.exe
    Command line: svchost.exe
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SYSTEM32\notepad.exe
      Command line: notepad.exe
      Signatures: Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\system32\WerFault.exe
      Command line: C:\Windows\system32\WerFault.exe -u -p 444 -s 872
      Signatures: Program crash
- [1] C:\Windows\system32\cmd.exe
  Command line: cmd.exe /c echo yeajfg > \\.\pipe\yeajfg
- [1] C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
  Signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
- [1] C:\Windows\system32\WerFault.exe
  Command line: C:\Windows\system32\WerFault.exe -pss -s 444 -p 444 -ip 444
Network
MITRE ATT&CK Matrix
Downloads
| memory dump | Filesize |
|---|---|
| memory/444-145-0x000002ED19C9B000-0x000002ED19CBC000-memory.dmp | 132KB |
| memory/444-143-0x000002ED1BC02000-0x000002ED1BC5B000-memory.dmp | 356KB |
| memory/444-149-0x000002ED19ED0000-0x000002ED19F0B000-memory.dmp | 236KB |
| memory/444-133-0x000002ED1BA30000-0x000002ED1BA8F000-memory.dmp | 380KB |
| memory/444-134-0x000002ED19C9B000-0x000002ED19CBC000-memory.dmp | 132KB |
| memory/444-135-0x000002ED1BA90000-0x000002ED1BAB7000-memory.dmp | 156KB |
| memory/444-131-0x000002ED19ED0000-0x000002ED19F0B000-memory.dmp | 236KB |
| memory/444-147-0x000002ED1BE00000-0x000002ED1BF6E000-memory.dmp | 1.4MB |
| memory/444-146-0x000002ED1C2E0000-0x000002ED1C44A000-memory.dmp | 1.4MB |
| memory/444-142-0x000002ED19ED0000-0x000002ED19F0B000-memory.dmp | 236KB |
| memory/444-132-0x000002ED1BC02000-0x000002ED1BC5B000-memory.dmp | 356KB |
| memory/444-130-0x000002ED19BB0000-0x000002ED19BE5000-memory.dmp | 212KB |
| memory/444-144-0x000002ED1BA30000-0x000002ED1BA8F000-memory.dmp | 380KB |
| memory/1968-136-0x0000000000000000-mapping.dmp | |
| memory/1968-139-0x000001F077410000-0x000001F077431000-memory.dmp | 132KB |
| memory/1968-152-0x00007FFD622A0000-0x00007FFD62D61000-memory.dmp | 10.8MB |
| memory/1968-138-0x000001F077440000-0x000001F0774BD000-memory.dmp | 500KB |
| memory/1968-137-0x000001F077410000-0x000001F077431000-memory.dmp | 132KB |
| memory/1968-148-0x000001F075F60000-0x000001F075FB0000-memory.dmp | 320KB |
| memory/1968-140-0x000001F0774C0000-0x000001F0774E6000-memory.dmp | 152KB |
| memory/1968-150-0x000001F075FE0000-0x000001F076002000-memory.dmp | 136KB |
| memory/1968-151-0x000001F0774C0000-0x000001F0774E6000-memory.dmp | 152KB |
| memory/1968-141-0x00007FFD622A0000-0x00007FFD62D61000-memory.dmp | 10.8MB |