Overview

overview

10

Static

static

b222ec4f02...b7.exe

windows7-x64

4

b222ec4f02...b7.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    113s
  • max time network
    174s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/10/2022, 17:24 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b222ec4f02ef7f149f81f4d4a786d5bb59328fa5a8a974ef2186afa487fa2ab7.exe

  • Size

    212KB

  • MD5

    2fc4ca90f84baa191b677cddd62e2a20

  • SHA1

    b50b9b14a197c754e1e30fa9a305e0bda0ea7fb1

  • SHA256

    b222ec4f02ef7f149f81f4d4a786d5bb59328fa5a8a974ef2186afa487fa2ab7

  • SHA512

    d81d62db36fcec520967b32458d7928384f8f9522cfa891fdab66ad27677acb9beb95528aeedc934eaf5591c31249f4924744405600b7a469bfdbd3793358ae8

  • SSDEEP

    3072:pbHHJP19Lhx49Z6J//sLm5Awtk8E7AljslqRwN3mR9R/g:ZJP19Lh/WpWkxAljeo

Score
10/10
evasion

Malware Config

Signatures

  • Modifies firewall policy service 2 TTPs 4 IoCs
    evasion
  • Drops file in Windows directory 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsass.exe
    1⤵
      PID:664
    • C:\Windows\system32\winlogon.exe
      winlogon.exe
      1⤵
        PID:604
        • C:\Windows\system32\fontdrvhost.exe
          "fontdrvhost.exe"
          2⤵
            PID:792
          • C:\Windows\system32\dwm.exe
            "dwm.exe"
            2⤵
              PID:312
          • C:\Windows\system32\fontdrvhost.exe
            "fontdrvhost.exe"
            1⤵
              PID:800
            • C:\Windows\system32\svchost.exe
              C:\Windows\system32\svchost.exe -k RPCSS -p
              1⤵
                PID:896
              • C:\Windows\system32\svchost.exe
                C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
                1⤵
                  PID:948
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k DcomLaunch -p
                  1⤵
                    PID:776
                    • C:\Windows\system32\DllHost.exe
                      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                      2⤵
                        PID:3312
                      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                        2⤵
                          PID:3400
                        • C:\Windows\System32\RuntimeBroker.exe
                          C:\Windows\System32\RuntimeBroker.exe -Embedding
                          2⤵
                            PID:3468
                          • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                            "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                            2⤵
                              PID:3560
                            • C:\Windows\System32\RuntimeBroker.exe
                              C:\Windows\System32\RuntimeBroker.exe -Embedding
                              2⤵
                                PID:3700
                              • C:\Windows\system32\DllHost.exe
                                C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                                2⤵
                                  PID:4396
                                • C:\Windows\System32\RuntimeBroker.exe
                                  C:\Windows\System32\RuntimeBroker.exe -Embedding
                                  2⤵
                                    PID:4560
                                  • C:\Windows\system32\wbem\wmiprvse.exe
                                    C:\Windows\system32\wbem\wmiprvse.exe
                                    2⤵
                                      PID:2332
                                    • C:\Windows\system32\SppExtComObj.exe
                                      C:\Windows\system32\SppExtComObj.exe -Embedding
                                      2⤵
                                        PID:3876
                                      • C:\Windows\System32\RuntimeBroker.exe
                                        C:\Windows\System32\RuntimeBroker.exe -Embedding
                                        2⤵
                                          PID:4800
                                        • C:\Windows\system32\backgroundTaskHost.exe
                                          "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
                                          2⤵
                                            PID:3084
                                        • C:\Windows\system32\svchost.exe
                                          C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
                                          1⤵
                                            PID:532
                                          • C:\Windows\System32\svchost.exe
                                            C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
                                            1⤵
                                              PID:676
                                            • C:\Windows\system32\svchost.exe
                                              C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
                                              1⤵
                                                PID:1300
                                                • C:\Windows\system32\sihost.exe
                                                  sihost.exe
                                                  2⤵
                                                    PID:2420
                                                • C:\Windows\system32\svchost.exe
                                                  C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
                                                  1⤵
                                                    PID:2704
                                                  • C:\Windows\System32\svchost.exe
                                                    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
                                                    1⤵
                                                      PID:2692
                                                    • C:\Windows\system32\svchost.exe
                                                      C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
                                                      1⤵
                                                        PID:2716
                                                      • C:\Windows\system32\taskhostw.exe
                                                        taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
                                                        1⤵
                                                          PID:2660
                                                        • C:\Windows\system32\svchost.exe
                                                          C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
                                                          1⤵
                                                            PID:2652
                                                          • C:\Windows\system32\svchost.exe
                                                            C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
                                                            1⤵
                                                              PID:2592
                                                            • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
                                                              "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
                                                              1⤵
                                                                PID:2584
                                                              • C:\Windows\system32\svchost.exe
                                                                C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
                                                                1⤵
                                                                  PID:2452
                                                                • C:\Windows\system32\svchost.exe
                                                                  C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
                                                                  1⤵
                                                                    PID:2388
                                                                  • C:\Windows\system32\svchost.exe
                                                                    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
                                                                    1⤵
                                                                      PID:2380
                                                                    • C:\Windows\System32\svchost.exe
                                                                      C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
                                                                      1⤵
                                                                        PID:2212
                                                                      • C:\Windows\system32\svchost.exe
                                                                        C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
                                                                        1⤵
                                                                          PID:2136
                                                                        • C:\Windows\System32\svchost.exe
                                                                          C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
                                                                          1⤵
                                                                            PID:2100
                                                                          • C:\Windows\System32\spoolsv.exe
                                                                            C:\Windows\System32\spoolsv.exe
                                                                            1⤵
                                                                              PID:2084
                                                                            • C:\Windows\System32\svchost.exe
                                                                              C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
                                                                              1⤵
                                                                                PID:1356
                                                                              • C:\Windows\System32\svchost.exe
                                                                                C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                                                1⤵
                                                                                  PID:1976
                                                                                • C:\Windows\system32\svchost.exe
                                                                                  C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
                                                                                  1⤵
                                                                                    PID:1968
                                                                                  • C:\Windows\system32\svchost.exe
                                                                                    C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
                                                                                    1⤵
                                                                                      PID:1916
                                                                                    • C:\Windows\System32\svchost.exe
                                                                                      C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
                                                                                      1⤵
                                                                                        PID:1816
                                                                                      • C:\Windows\System32\svchost.exe
                                                                                        C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                                                        1⤵
                                                                                          PID:1772
                                                                                        • C:\Windows\System32\svchost.exe
                                                                                          C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
                                                                                          1⤵
                                                                                            PID:1696
                                                                                          • C:\Windows\system32\svchost.exe
                                                                                            C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
                                                                                            1⤵
                                                                                              PID:1648
                                                                                            • C:\Windows\System32\svchost.exe
                                                                                              C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
                                                                                              1⤵
                                                                                                PID:1636
                                                                                              • C:\Windows\system32\svchost.exe
                                                                                                C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
                                                                                                1⤵
                                                                                                  PID:1576
                                                                                                • C:\Windows\system32\svchost.exe
                                                                                                  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
                                                                                                  1⤵
                                                                                                    PID:1524
                                                                                                  • C:\Windows\system32\svchost.exe
                                                                                                    C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
                                                                                                    1⤵
                                                                                                      PID:1432
                                                                                                    • C:\Windows\System32\svchost.exe
                                                                                                      C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
                                                                                                      1⤵
                                                                                                        PID:1424
                                                                                                      • C:\Windows\system32\svchost.exe
                                                                                                        C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
                                                                                                        1⤵
                                                                                                          PID:1388
                                                                                                        • C:\Windows\system32\svchost.exe
                                                                                                          C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
                                                                                                          1⤵
                                                                                                            PID:1308
                                                                                                          • C:\Windows\System32\svchost.exe
                                                                                                            C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
                                                                                                            1⤵
                                                                                                              PID:1212
                                                                                                            • C:\Windows\system32\svchost.exe
                                                                                                              C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
                                                                                                              1⤵
                                                                                                                PID:1180
                                                                                                              • C:\Windows\system32\svchost.exe
                                                                                                                C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
                                                                                                                1⤵
                                                                                                                  PID:1088
                                                                                                                • C:\Windows\system32\svchost.exe
                                                                                                                  C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
                                                                                                                  1⤵
                                                                                                                    PID:1044
                                                                                                                  • C:\Windows\system32\svchost.exe
                                                                                                                    C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
                                                                                                                    1⤵
                                                                                                                      PID:428
                                                                                                                    • C:\Windows\System32\svchost.exe
                                                                                                                      C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                                                                                                                      1⤵
                                                                                                                        PID:944
                                                                                                                      • C:\Windows\Explorer.EXE
                                                                                                                        C:\Windows\Explorer.EXE
                                                                                                                        1⤵
                                                                                                                          PID:2576
                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\b222ec4f02ef7f149f81f4d4a786d5bb59328fa5a8a974ef2186afa487fa2ab7.exe
                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\b222ec4f02ef7f149f81f4d4a786d5bb59328fa5a8a974ef2186afa487fa2ab7.exe"
                                                                                                                            2⤵
                                                                                                                            • Modifies firewall policy service
                                                                                                                            • Drops file in Windows directory
                                                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                                                            • Suspicious behavior: MapViewOfSection
                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                                                            • Suspicious use of WriteProcessMemory
                                                                                                                            PID:4316
                                                                                                                        • C:\Windows\system32\svchost.exe
                                                                                                                          C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
                                                                                                                          1⤵
                                                                                                                            PID:3100
                                                                                                                          • C:\Windows\System32\svchost.exe
                                                                                                                            C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                                                            1⤵
                                                                                                                              PID:5080
                                                                                                                            • C:\Windows\system32\svchost.exe
                                                                                                                              C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
                                                                                                                              1⤵
                                                                                                                                PID:4196
                                                                                                                              • C:\Windows\System32\svchost.exe
                                                                                                                                C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
                                                                                                                                1⤵
                                                                                                                                  PID:4680
                                                                                                                                • C:\Windows\System32\svchost.exe
                                                                                                                                  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
                                                                                                                                  1⤵
                                                                                                                                    PID:2204
                                                                                                                                  • C:\Windows\system32\svchost.exe
                                                                                                                                    C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
                                                                                                                                    1⤵
                                                                                                                                      PID:3324
                                                                                                                                    • C:\Windows\system32\svchost.exe
                                                                                                                                      C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
                                                                                                                                      1⤵
                                                                                                                                        PID:3124
                                                                                                                                      • C:\Windows\system32\svchost.exe
                                                                                                                                        C:\Windows\system32\svchost.exe -k LocalService -s W32Time
                                                                                                                                        1⤵
                                                                                                                                          PID:4508

                                                                                                                                        Network

                                                                                                                                          No results found
                                                                                                                                        • 93.184.220.29:80
                                                                                                                                          46 B
                                                                                                                                           40 B
                                                                                                                                           1
                                                                                                                                          1
                                                                                                                                        • 93.184.221.240:80
                                                                                                                                          46 B
                                                                                                                                           1
                                                                                                                                        • 52.182.143.210:443
                                                                                                                                          OfficeClickToRun.exe
                                                                                                                                          322 B
                                                                                                                                           7
                                                                                                                                        • 93.184.220.29:80
                                                                                                                                          wlidsvc
                                                                                                                                          322 B
                                                                                                                                           7
                                                                                                                                        • 93.184.220.29:80
                                                                                                                                          wlidsvc
                                                                                                                                          322 B
                                                                                                                                           7
                                                                                                                                        No results found

                                                                                                                                        MITRE ATT&CK Enterprise v6

                                                                                                                                        Replay Monitor

                                                                                                                                        Loading Replay Monitor...

                                                                                                                                        Downloads

                                                                                                                                        • memory/4316-132-0x0000000001000000-0x000000000103C000-memory.dmp

                                                                                                                                          Filesize

                                                                                                                                          240KB

                                                                                                                                          Download

                                                                                                                                        • memory/4316-133-0x0000000001000000-0x000000000103C000-memory.dmp

                                                                                                                                          Filesize

                                                                                                                                          240KB

                                                                                                                                          Download

                                                                                                                                        We care about your privacy.

                                                                                                                                        This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.