Analysis
- max time kernel: 145s
- max time network: 133s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-09-2022 04:33

Static task: static1

Behavioral task: behavioral1
- Sample: newbithere20054rfds.exe
- Resource: win7-20220901-en

Behavioral task: behavioral2
- Sample: newbithere20054rfds.exe
- Resource: win10v2004-20220812-en
General
- Target: newbithere20054rfds.exe
- Size: 300.0MB
- MD5: 9edb373bba31ed74e5635c8ba1ccbc24
- SHA1: 7826110d94ad641b3cbed3eaa1c4e1ab5e329e26
- SHA256: cd39b649045c4556c08be586b301d1dc8536e63d14888a4e6a55636776a8e235
- SHA512: 90c56b8545767b8b3b3292ebc71d4683b6ff0c2e0fc1135159357707bfb462878c8044eced0f6138e7771d3db3c6e8a1b363d7663fd3e5e50f46254f22ee54e4
- SSDEEP: 24576:KQWUrKeG3ggoqRwkqbQsH50RPoE+G3ttsP2V4MM9obzQLAmLGAs4DyAunLw+6aI9:K2KtBCR3qP+JeO+/m6yDL9aITLUp
Malware Config

Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    pid   process
    4752  pojhg.exe

- Processes (yara_rule matches):
    resource                                                                      yara_rule
    behavioral2/memory/4412-140-0x00000000005C0000-0x00000000009A4000-memory.dmp  upx
    behavioral2/memory/4412-141-0x00000000005C0000-0x00000000009A4000-memory.dmp  upx

- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                          pid   process                  target process
    PID 2468 set thread context of 4412  2468  newbithere20054rfds.exe  RegAsm.exe

- Program crash (2 IoCs)
  Processes:
    pid   pid_target  process       target process
    1540  4412        WerFault.exe  RegAsm.exe
    2500  4412        WerFault.exe  RegAsm.exe

- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes:
    description                       pid   process                  target process  occurrences
    PID 2468 wrote to memory of 3556  2468  newbithere20054rfds.exe  cmd.exe         3
    PID 3556 wrote to memory of 1784  3556  cmd.exe                  schtasks.exe    3
    PID 2468 wrote to memory of 1988  2468  newbithere20054rfds.exe  cmd.exe         3
    PID 2468 wrote to memory of 4412  2468  newbithere20054rfds.exe  RegAsm.exe      7
Processes
- C:\Users\Admin\AppData\Local\Temp\newbithere20054rfds.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\newbithere20054rfds.exe"
  signatures: Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    cmdline: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\pojhg.exe'" /f
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      cmdline: schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\pojhg.exe'" /f
      signatures: Creates scheduled task(s)
  - C:\Windows\SysWOW64\cmd.exe
    cmdline: "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\newbithere20054rfds.exe" "C:\Users\Admin\AppData\Roaming\pojhg.exe"
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    - C:\Windows\SysWOW64\WerFault.exe
      cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 536
      signatures: Program crash
    - C:\Windows\SysWOW64\WerFault.exe
      cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 540
      signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4412 -ip 4412
- C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4412 -ip 4412
- C:\Users\Admin\AppData\Roaming\pojhg.exe
  cmdline: C:\Users\Admin\AppData\Roaming\pojhg.exe
  signatures: Executes dropped EXE
Network

MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Roaming\pojhg.exe
  Filesize: 289.9MB
  MD5: 369c133b2eda280b590ddd287bea9cc2
  SHA1: 2721a9498c556cf1a2fcecf0b5cade2a63f13cd6
  SHA256: 678b9591094140ba2017f2d4a7632f62b1cee76c0b0e85145f110db2a7464b42
  SHA512: 348f4f49249bfb96f2d4afd444e705c958d8fcc180f9fe4d6e439d35c697f4eeb4739a99f91fb734cc37fd2e9d334d538826b8d77b14b3b64b426a766d96288d
- C:\Users\Admin\AppData\Roaming\pojhg.exe
  Filesize: 288.9MB
  MD5: e8c48f407d70ba246ff818fd3320ef06
  SHA1: f06488416b12a83eac6608ea89a2ddb9992efb39
  SHA256: a06900bc010e4eccb237bcf6ccc2753e28bb9230ff61a96a6675b188d62f509c
  SHA512: 3d782002dd111bec0e0212d967e5129cdd4e820a40e0c03549f45533a7eb3d8d3866c7dd553554f8d9dcc4b3f49993175f6ad17a39297130cc960c8cd0f6ff85
- memory/1784-135-0x0000000000000000-mapping.dmp
- memory/1988-137-0x0000000000000000-mapping.dmp
- memory/2468-132-0x0000000000320000-0x00000000004B2000-memory.dmp
  Filesize: 1.6MB
- memory/2468-133-0x0000000004DD0000-0x0000000004E36000-memory.dmp
  Filesize: 408KB
- memory/2468-136-0x00000000057B0000-0x0000000005D54000-memory.dmp
  Filesize: 5.6MB
- memory/3556-134-0x0000000000000000-mapping.dmp
- memory/4412-138-0x0000000000000000-mapping.dmp
- memory/4412-140-0x00000000005C0000-0x00000000009A4000-memory.dmp
  Filesize: 3.9MB
- memory/4412-141-0x00000000005C0000-0x00000000009A4000-memory.dmp
  Filesize: 3.9MB