Analysis

  Max time kernel:  90s
  Max time network: 149s
  Platform:         windows10-2004_x64
  Resource:         win10v2004-20220812-en
  Resource tags:    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  Submitted:        25-09-2022 07:05

Behavioral task: behavioral1
  Sample:   caa701aea3a9754d8821d1639935df8574f63f9a80ec76691d064399c1543dc6.exe
  Resource: win10v2004-20220812-en
General

  Target: caa701aea3a9754d8821d1639935df8574f63f9a80ec76691d064399c1543dc6.exe
  Size:   72KB
  MD5:    e0770f68d015a398c13d8918a6751aa3
  SHA1:   7d7874784b9a2fe223531bac40d400e1d5bf8f8f
  SHA256: caa701aea3a9754d8821d1639935df8574f63f9a80ec76691d064399c1543dc6
  SHA512: 6555e264fd66f551f285a67e8383c4552e0be54442f619870fc79447a42cd4da4b9313811683a74c46d969bb2b668936045d68f16f4ed58cd7eba2106cb49b39
  SSDEEP: 1536:qFiusdglLI8cH+9g0FDDZtFMfav7V5F5erqjzssdQLXKvhCj18n:qsusdBBH+9g4mC7V5F5/zssdhsJ8n
Malware Config

Signatures

  Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
    Processes:
      description             pid   process      target process
      PID 1296 created 1020   1296  svchost.exe  dwm.exe

  Downloads MZ/PE file

  Executes dropped EXE (1 IoC)
    Processes:
      pid   process
      1572  123.exe

  YARA rule matches
    Processes:
      resource                                                                         yara_rule
      behavioral1/memory/4800-132-0x00007FF75A030000-0x00007FF75A055000-memory.dmp     upx
      behavioral1/memory/4800-135-0x00007FF75A030000-0x00007FF75A055000-memory.dmp     upx

  Loads dropped DLL (1 IoC)
    Processes:
      pid   process
      1572  123.exe

  Adds Run key to start application (2 TTPs, 1 IoC)
    Processes:
      description      ioc                                                                                                                          process
      Set value (str)  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aaa = "C:\\Users\\Public\\123.exe"  123.exe

  Checks processor information in registry (2 TTPs, 2 IoCs)
    Processor information is often read in order to detect sandboxing environments.
    Processes:
      description        ioc                                                                  process
      Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  svchost.exe
      Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0       svchost.exe

  Suspicious behavior: EnumeratesProcesses (64 IoCs)
    Processes (64 entries in the source table, collapsed by pid):
      pid   process                                                                 entries
      4800  caa701aea3a9754d8821d1639935df8574f63f9a80ec76691d064399c1543dc6.exe   x4
      1572  123.exe                                                                 x4
      3460  svchost.exe                                                             x56

  Suspicious use of AdjustPrivilegeToken (6 IoCs)
    Processes:
      description                    pid   process
      Token: SeDebugPrivilege        4800  caa701aea3a9754d8821d1639935df8574f63f9a80ec76691d064399c1543dc6.exe
      Token: SeImpersonatePrivilege  4800  caa701aea3a9754d8821d1639935df8574f63f9a80ec76691d064399c1543dc6.exe
      Token: SeTcbPrivilege          1296  svchost.exe
      Token: SeTcbPrivilege          1296  svchost.exe
      Token: SeDebugPrivilege        4800  caa701aea3a9754d8821d1639935df8574f63f9a80ec76691d064399c1543dc6.exe
      Token: SeImpersonatePrivilege  4800  caa701aea3a9754d8821d1639935df8574f63f9a80ec76691d064399c1543dc6.exe

  Suspicious use of WriteProcessMemory (7 IoCs)
    Processes (7 entries in the source table, collapsed by row):
      description                        pid   process      target process   entries
      PID 1296 wrote to memory of 1572   1296  svchost.exe  123.exe          x3
      PID 1572 wrote to memory of 3460   1572  123.exe      svchost.exe      x4
Processes

  [1] C:\Windows\system32\dwm.exe
      command line: "dwm.exe"
    [2] C:\123.exe
        command line: C:\123.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
      [3] \??\c:\windows\SysWOW64\svchost.exe
          command line: c:\windows\SysWOW64\svchost.exe
          - Checks processor information in registry
          - Suspicious behavior: EnumeratesProcesses

  [1] C:\Users\Admin\AppData\Local\Temp\caa701aea3a9754d8821d1639935df8574f63f9a80ec76691d064399c1543dc6.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\caa701aea3a9754d8821d1639935df8574f63f9a80ec76691d064399c1543dc6.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  [1] C:\Windows\system32\svchost.exe
      command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
      - Suspicious use of NtCreateUserProcessOtherParentProcess
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

  C:\123.exe
    Filesize: 1.6MB
    MD5:      5d8ab1d3b48afab34fab8930c3e56793
    SHA1:     64c4e251af2970abc2e24bc3c3de0448103afd6d
    SHA256:   86ba5195ceef7562b3baf057bdbcd40123fa5fea2cb4c95dc50ffdedfbe088c4
    SHA512:   f8b0372fd577424ef9d489de2ecdd32c1154ede0660f4ea0d1f589acc0df9689606a524387d16e51f4cb87759775678c0d7f32260b4bd4661e92486681b7f085

  C:\libcef.dll
    Filesize: 90KB
    MD5:      12b71771467bb1d2d2f5f1a793836f7a
    SHA1:     8c86374aa8a4604be47dbe2b9cd84885f04a1cb4
    SHA256:   ca3d79dbd07fe563bdab59e559fafede0199aff5e25c138c560277e8a4521a87
    SHA512:   59e80e81afd24abf102dde95bca8f07492c35c854b1744d51b4438be445449385d8865f4567010c20aeb042b2d39cf71e5e6e4d870073e4c500315721c62dac4

  Memory dumps:
    memory/1572-133-0x0000000000000000-mapping.dmp
    memory/3460-139-0x0000000000000000-mapping.dmp
    memory/3460-140-0x0000000010000000-0x0000000010026000-memory.dmp   (Filesize: 152KB)
    memory/3460-143-0x0000000001190000-0x00000000011DE000-memory.dmp   (Filesize: 312KB)
    memory/4800-132-0x00007FF75A030000-0x00007FF75A055000-memory.dmp   (Filesize: 148KB)
    memory/4800-135-0x00007FF75A030000-0x00007FF75A055000-memory.dmp   (Filesize: 148KB)