Analysis
- max time kernel: 143s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-09-2022 07:01
Static task: static1
Behavioral task: behavioral1
  Sample: 46ee250665a9309d49ff4efa9b6de0c5.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 46ee250665a9309d49ff4efa9b6de0c5.exe
  Resource: win10v2004-20220901-en
General
- Target: 46ee250665a9309d49ff4efa9b6de0c5.exe
- Size: 129KB
- MD5: 46ee250665a9309d49ff4efa9b6de0c5
- SHA1: 50d0c50fbe6e602546eca3ca6190196ea68e9a81
- SHA256: 45136071c0cb88b6cbf83675992b439590a0f3425c6f3a8ee548c5228d0d9e6f
- SHA512: 87afabbd3816148385dd5e31d45bc976414027f7850a0836426ae5ad6bf9417376cfd4fb5142972565fa462ba264e0de9791e9f870dff1e1bb922137e875d30f
- SSDEEP: 3072:OHuz0Qb6GVlzsmn0+ZIOviaV0k4XoVlJ8n:OE0Q28omnlZsWJO
Malware Config
Signatures
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  Processes (description | pid | process | target process):
    PID 2460 created 1016 | 2460 | svchost.exe | dwm.exe
- Downloads MZ/PE file
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
    2396 | 1234.exe
- Loads dropped DLL (1 IoC)
  Processes (pid | process):
    2396 | 1234.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aaa = "C:\\Users\\Public\\1234.exe" | 1234.exe
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | svchost.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | svchost.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid | process):
    4856 | 46ee250665a9309d49ff4efa9b6de0c5.exe (4 entries)
    2396 | 1234.exe (4 entries)
    2708 | svchost.exe (all remaining entries)
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 4856 | 46ee250665a9309d49ff4efa9b6de0c5.exe
    Token: SeImpersonatePrivilege | 4856 | 46ee250665a9309d49ff4efa9b6de0c5.exe
    Token: SeTcbPrivilege | 2460 | svchost.exe
    Token: SeTcbPrivilege | 2460 | svchost.exe
    Token: SeDebugPrivilege | 4856 | 46ee250665a9309d49ff4efa9b6de0c5.exe
    Token: SeImpersonatePrivilege | 4856 | 46ee250665a9309d49ff4efa9b6de0c5.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes (description | pid | process | target process):
    PID 2460 wrote to memory of 2396 | 2460 | svchost.exe | 1234.exe (3 entries)
    PID 2396 wrote to memory of 2708 | 2396 | 1234.exe | svchost.exe (4 entries)
Processes
- C:\Windows\system32\dwm.exe
  command line: "dwm.exe"
  - child process: C:\1234.exe
    command line: C:\1234.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - child process: \??\c:\windows\SysWOW64\svchost.exe
      command line: c:\windows\SysWOW64\svchost.exe
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
- C:\Users\Admin\AppData\Local\Temp\46ee250665a9309d49ff4efa9b6de0c5.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\46ee250665a9309d49ff4efa9b6de0c5.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\1234.exe
  Filesize: 1.6MB
  MD5: 5d8ab1d3b48afab34fab8930c3e56793
  SHA1: 64c4e251af2970abc2e24bc3c3de0448103afd6d
  SHA256: 86ba5195ceef7562b3baf057bdbcd40123fa5fea2cb4c95dc50ffdedfbe088c4
  SHA512: f8b0372fd577424ef9d489de2ecdd32c1154ede0660f4ea0d1f589acc0df9689606a524387d16e51f4cb87759775678c0d7f32260b4bd4661e92486681b7f085
- C:\libcef.dll
  Filesize: 90KB
  MD5: 12b71771467bb1d2d2f5f1a793836f7a
  SHA1: 8c86374aa8a4604be47dbe2b9cd84885f04a1cb4
  SHA256: ca3d79dbd07fe563bdab59e559fafede0199aff5e25c138c560277e8a4521a87
  SHA512: 59e80e81afd24abf102dde95bca8f07492c35c854b1744d51b4438be445449385d8865f4567010c20aeb042b2d39cf71e5e6e4d870073e4c500315721c62dac4
- memory/2396-132-0x0000000000000000-mapping.dmp
- memory/2708-137-0x0000000000000000-mapping.dmp
- memory/2708-138-0x0000000010000000-0x0000000010026000-memory.dmp
  Filesize: 152KB
- memory/2708-141-0x0000000001880000-0x00000000018CE000-memory.dmp
  Filesize: 312KB