Overview

overview

10

Static

static

b222ec4f02...b7.exe

windows7-x64

4

b222ec4f02...b7.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    113s
  • max time network
    174s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-10-2022 17:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b222ec4f02ef7f149f81f4d4a786d5bb59328fa5a8a974ef2186afa487fa2ab7.exe

  • Size

    212KB

  • MD5

    2fc4ca90f84baa191b677cddd62e2a20

  • SHA1

    b50b9b14a197c754e1e30fa9a305e0bda0ea7fb1

  • SHA256

    b222ec4f02ef7f149f81f4d4a786d5bb59328fa5a8a974ef2186afa487fa2ab7

  • SHA512

    d81d62db36fcec520967b32458d7928384f8f9522cfa891fdab66ad27677acb9beb95528aeedc934eaf5591c31249f4924744405600b7a469bfdbd3793358ae8

  • SSDEEP

    3072:pbHHJP19Lhx49Z6J//sLm5Awtk8E7AljslqRwN3mR9R/g:ZJP19Lh/WpWkxAljeo

Score
10/10
evasion

Malware Config

Signatures

  • Modifies firewall policy service 2 TTPs 4 IoCs
    evasion
  • Drops file in Windows directory 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsass.exe
    1⤵
      PID:664
    • C:\Windows\system32\winlogon.exe
      winlogon.exe
      1⤵
        PID:604
        • C:\Windows\system32\fontdrvhost.exe
          "fontdrvhost.exe"
          2⤵
            PID:792
          • C:\Windows\system32\dwm.exe
            "dwm.exe"
            2⤵
              PID:312
          • C:\Windows\system32\fontdrvhost.exe
            "fontdrvhost.exe"
            1⤵
              PID:800
            • C:\Windows\system32\svchost.exe
              C:\Windows\system32\svchost.exe -k RPCSS -p
              1⤵
                PID:896
              • C:\Windows\system32\svchost.exe
                C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
                1⤵
                  PID:948
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k DcomLaunch -p
                  1⤵
                    PID:776
                    • C:\Windows\system32\DllHost.exe
                      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                      2⤵
                        PID:3312
                      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                        2⤵
                          PID:3400
                        • C:\Windows\System32\RuntimeBroker.exe
                          C:\Windows\System32\RuntimeBroker.exe -Embedding
                          2⤵
                            PID:3468
                          • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                            "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                            2⤵
                              PID:3560
                            • C:\Windows\System32\RuntimeBroker.exe
                              C:\Windows\System32\RuntimeBroker.exe -Embedding
                              2⤵
                                PID:3700
                              • C:\Windows\system32\DllHost.exe
                                C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                                2⤵
                                  PID:4396
                                • C:\Windows\System32\RuntimeBroker.exe
                                  C:\Windows\System32\RuntimeBroker.exe -Embedding
                                  2⤵
                                    PID:4560
                                  • C:\Windows\system32\wbem\wmiprvse.exe
                                    C:\Windows\system32\wbem\wmiprvse.exe
                                    2⤵
                                      PID:2332
                                    • C:\Windows\system32\SppExtComObj.exe
                                      C:\Windows\system32\SppExtComObj.exe -Embedding
                                      2⤵
                                        PID:3876
                                      • C:\Windows\System32\RuntimeBroker.exe
                                        C:\Windows\System32\RuntimeBroker.exe -Embedding
                                        2⤵
                                          PID:4800
                                        • C:\Windows\system32\backgroundTaskHost.exe
                                          "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
                                          2⤵
                                            PID:3084
                                        • C:\Windows\system32\svchost.exe
                                          C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
                                          1⤵
                                            PID:532
                                          • C:\Windows\System32\svchost.exe
                                            C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
                                            1⤵
                                              PID:676
                                            • C:\Windows\system32\svchost.exe
                                              C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
                                              1⤵
                                                PID:1300
                                                • C:\Windows\system32\sihost.exe
                                                  sihost.exe
                                                  2⤵
                                                    PID:2420
                                                • C:\Windows\system32\svchost.exe
                                                  C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
                                                  1⤵
                                                    PID:2704
                                                  • C:\Windows\System32\svchost.exe
                                                    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
                                                    1⤵
                                                      PID:2692
                                                    • C:\Windows\system32\svchost.exe
                                                      C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
                                                      1⤵
                                                        PID:2716
                                                      • C:\Windows\system32\taskhostw.exe
                                                        taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
                                                        1⤵
                                                          PID:2660
                                                        • C:\Windows\system32\svchost.exe
                                                          C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
                                                          1⤵
                                                            PID:2652
                                                          • C:\Windows\system32\svchost.exe
                                                            C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
                                                            1⤵
                                                              PID:2592
                                                            • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
                                                              "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
                                                              1⤵
                                                                PID:2584
                                                              • C:\Windows\system32\svchost.exe
                                                                C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
                                                                1⤵
                                                                  PID:2452
                                                                • C:\Windows\system32\svchost.exe
                                                                  C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
                                                                  1⤵
                                                                    PID:2388
                                                                  • C:\Windows\system32\svchost.exe
                                                                    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
                                                                    1⤵
                                                                      PID:2380
                                                                    • C:\Windows\System32\svchost.exe
                                                                      C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
                                                                      1⤵
                                                                        PID:2212
                                                                      • C:\Windows\system32\svchost.exe
                                                                        C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
                                                                        1⤵
                                                                          PID:2136
                                                                        • C:\Windows\System32\svchost.exe
                                                                          C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
                                                                          1⤵
                                                                            PID:2100
                                                                          • C:\Windows\System32\spoolsv.exe
                                                                            C:\Windows\System32\spoolsv.exe
                                                                            1⤵
                                                                              PID:2084
                                                                            • C:\Windows\System32\svchost.exe
                                                                              C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
                                                                              1⤵
                                                                                PID:1356
                                                                              • C:\Windows\System32\svchost.exe
                                                                                C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                                                1⤵
                                                                                  PID:1976
                                                                                • C:\Windows\system32\svchost.exe
                                                                                  C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
                                                                                  1⤵
                                                                                    PID:1968
                                                                                  • C:\Windows\system32\svchost.exe
                                                                                    C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
                                                                                    1⤵
                                                                                      PID:1916
                                                                                    • C:\Windows\System32\svchost.exe
                                                                                      C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
                                                                                      1⤵
                                                                                        PID:1816
                                                                                      • C:\Windows\System32\svchost.exe
                                                                                        C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                                                        1⤵
                                                                                          PID:1772
                                                                                        • C:\Windows\System32\svchost.exe
                                                                                          C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
                                                                                          1⤵
                                                                                            PID:1696
                                                                                          • C:\Windows\system32\svchost.exe
                                                                                            C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
                                                                                            1⤵
                                                                                              PID:1648
                                                                                            • C:\Windows\System32\svchost.exe
                                                                                              C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
                                                                                              1⤵
                                                                                                PID:1636
                                                                                              • C:\Windows\system32\svchost.exe
                                                                                                C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
                                                                                                1⤵
                                                                                                  PID:1576
                                                                                                • C:\Windows\system32\svchost.exe
                                                                                                  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
                                                                                                  1⤵
                                                                                                    PID:1524
                                                                                                  • C:\Windows\system32\svchost.exe
                                                                                                    C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
                                                                                                    1⤵
                                                                                                      PID:1432
                                                                                                    • C:\Windows\System32\svchost.exe
                                                                                                      C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
                                                                                                      1⤵
                                                                                                        PID:1424
                                                                                                      • C:\Windows\system32\svchost.exe
                                                                                                        C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
                                                                                                        1⤵
                                                                                                          PID:1388
                                                                                                        • C:\Windows\system32\svchost.exe
                                                                                                          C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
                                                                                                          1⤵
                                                                                                            PID:1308
                                                                                                          • C:\Windows\System32\svchost.exe
                                                                                                            C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
                                                                                                            1⤵
                                                                                                              PID:1212
                                                                                                            • C:\Windows\system32\svchost.exe
                                                                                                              C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
                                                                                                              1⤵
                                                                                                                PID:1180
                                                                                                              • C:\Windows\system32\svchost.exe
                                                                                                                C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
                                                                                                                1⤵
                                                                                                                  PID:1088
                                                                                                                • C:\Windows\system32\svchost.exe
                                                                                                                  C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
                                                                                                                  1⤵
                                                                                                                    PID:1044
                                                                                                                  • C:\Windows\system32\svchost.exe
                                                                                                                    C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
                                                                                                                    1⤵
                                                                                                                      PID:428
                                                                                                                    • C:\Windows\System32\svchost.exe
                                                                                                                      C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                                                                                                                      1⤵
                                                                                                                        PID:944
                                                                                                                      • C:\Windows\Explorer.EXE
                                                                                                                        C:\Windows\Explorer.EXE
                                                                                                                        1⤵
                                                                                                                          PID:2576
                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\b222ec4f02ef7f149f81f4d4a786d5bb59328fa5a8a974ef2186afa487fa2ab7.exe
                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\b222ec4f02ef7f149f81f4d4a786d5bb59328fa5a8a974ef2186afa487fa2ab7.exe"
                                                                                                                            2⤵
                                                                                                                            • Modifies firewall policy service
                                                                                                                            • Drops file in Windows directory
                                                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                                                            • Suspicious behavior: MapViewOfSection
                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                                                            • Suspicious use of WriteProcessMemory
                                                                                                                            PID:4316
                                                                                                                        • C:\Windows\system32\svchost.exe
                                                                                                                          C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
                                                                                                                          1⤵
                                                                                                                            PID:3100
                                                                                                                          • C:\Windows\System32\svchost.exe
                                                                                                                            C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                                                            1⤵
                                                                                                                              PID:5080
                                                                                                                            • C:\Windows\system32\svchost.exe
                                                                                                                              C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
                                                                                                                              1⤵
                                                                                                                                PID:4196
                                                                                                                              • C:\Windows\System32\svchost.exe
                                                                                                                                C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
                                                                                                                                1⤵
                                                                                                                                  PID:4680
                                                                                                                                • C:\Windows\System32\svchost.exe
                                                                                                                                  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
                                                                                                                                  1⤵
                                                                                                                                    PID:2204
                                                                                                                                  • C:\Windows\system32\svchost.exe
                                                                                                                                    C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
                                                                                                                                    1⤵
                                                                                                                                      PID:3324
                                                                                                                                    • C:\Windows\system32\svchost.exe
                                                                                                                                      C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
                                                                                                                                      1⤵
                                                                                                                                        PID:3124
                                                                                                                                      • C:\Windows\system32\svchost.exe
                                                                                                                                        C:\Windows\system32\svchost.exe -k LocalService -s W32Time
                                                                                                                                        1⤵
                                                                                                                                          PID:4508

                                                                                                                                        Network

                                                                                                                                        MITRE ATT&CK Enterprise v6

                                                                                                                                        Replay Monitor

                                                                                                                                        Loading Replay Monitor...

                                                                                                                                        Downloads

                                                                                                                                        • memory/4316-132-0x0000000001000000-0x000000000103C000-memory.dmp

                                                                                                                                          Filesize

                                                                                                                                          240KB

                                                                                                                                          Download

                                                                                                                                        • memory/4316-133-0x0000000001000000-0x000000000103C000-memory.dmp

                                                                                                                                          Filesize

                                                                                                                                          240KB

                                                                                                                                          Download