Analysis
max time kernel: 150s
max time network: 140s
platform: windows10-1703_x64
resource: win10-20220812-en
resource tags: arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
submitted: 08-10-2022 23:33
Static task: static1
Behavioral task: behavioral1
Sample: 51fbd9b892ec6a9d9c66dc4c43a336f1f68822ed7f947addfaa4c4064f26e2d7.exe
Resource: win10-20220812-en
General
Target: 51fbd9b892ec6a9d9c66dc4c43a336f1f68822ed7f947addfaa4c4064f26e2d7.exe
Size: 733KB
MD5: 0aacf01f34faf19c9bbc0e7a1d6cadfc
SHA1: c69cc95e0bd0cfc732684c49a3fe9d250bad04c0
SHA256: 51fbd9b892ec6a9d9c66dc4c43a336f1f68822ed7f947addfaa4c4064f26e2d7
SHA512: b140b29eedaed53ffb6703d45e9b58f144ff505f5bd61015db167126ad7ef2aaaaa33a672d95588ae0cac51e4f3a04bc07eea23e53a487621ae2fd28355f8bcd
SSDEEP: 768:rZmchlXKGREW6VA6joSRhFH+C9Pe2auEqainmngYWxuv8Gwmwoe9R4ZstojtfcWv:schl6M+lpDCUoHid0bIrlyR
Malware Config
Signatures
Downloads MZ/PE file
Executes dropped EXE (1 IoC)
- PID 1884 dllhost.exe
Adds Run key to start application (2 TTPs, 9 IoCs)
Each value below was written as Set value (str) by the process dllhost.exe:
- \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows\CurrentVersion\Run\NvStray = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"
- \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows\CurrentVersion\Run\Cortana = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe\\Cortana.exe"
- \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"
- \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows\CurrentVersion\Run\AntiMalwareServiceExecutable = "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2111.5-0\\MsMpEng.exe"
- \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpd = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"
- \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "C:\\ProgramData\\Dllhost\\dllhost.exe"
- \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray = "C:\\Windows\\System32\\SecurityHealthSystray.exe"
- \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Program Files\\Windows Defender\\MpCmdRun.exe"
- \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDriveService = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"
Legitimate hosting services abused for malware hosting/C2 (1 TTP)
Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- PID 4304 schtasks.exe
- PID 4692 schtasks.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of AdjustPrivilegeToken (4 IoCs)
- Token: SeDebugPrivilege, PID 5040 powershell.exe
- Token: SeDebugPrivilege, PID 2196 51fbd9b892ec6a9d9c66dc4c43a336f1f68822ed7f947addfaa4c4064f26e2d7.exe
- Token: SeDebugPrivilege, PID 400 powershell.exe
- Token: SeDebugPrivilege, PID 1884 dllhost.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\51fbd9b892ec6a9d9c66dc4c43a336f1f68822ed7f947addfaa4c4064f26e2d7.exe (PID 2196)
  Command line: "C:\Users\Admin\AppData\Local\Temp\51fbd9b892ec6a9d9c66dc4c43a336f1f68822ed7f947addfaa4c4064f26e2d7.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 4148)
    Command line: "cmd.exe" /C chcp 1251 & powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\HostData"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\chcp.com (PID 1432)
      Command line: chcp 1251
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 5040)
      Command line: powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 400)
      Command line: powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  - C:\ProgramData\Dllhost\dllhost.exe (PID 1884)
    Command line: "C:\ProgramData\Dllhost\dllhost.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 1288)
      Command line: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\schtasks.exe (PID 4692)
        Command line: SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        - Creates scheduled task(s)
    - C:\Windows\SysWOW64\cmd.exe (PID 3472)
      Command line: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
    - C:\Windows\SysWOW64\cmd.exe (PID 3292)
      Command line: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
    - C:\Windows\SysWOW64\cmd.exe (PID 4832)
      Command line: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
    - C:\Windows\SysWOW64\cmd.exe (PID 3596)
      Command line: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
    - C:\Windows\SysWOW64\cmd.exe (PID 4764)
      Command line: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\schtasks.exe (PID 4304)
        Command line: SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        - Creates scheduled task(s)
    - C:\Windows\SysWOW64\cmd.exe (PID 776)
      Command line: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
    - C:\Windows\SysWOW64\cmd.exe (PID 4264)
      Command line: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk2414" /TR "C:\ProgramData\Dllhost\dllhost.exe"
    - C:\Windows\SysWOW64\cmd.exe (PID 3720)
      Command line: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
    - C:\Windows\SysWOW64\cmd.exe (PID 3856)
      Command line: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk3285" /TR "C:\ProgramData\Dllhost\dllhost.exe"
    - C:\Windows\SysWOW64\cmd.exe (PID 4988)
      Command line: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk3191" /TR "C:\ProgramData\Dllhost\dllhost.exe"
    - C:\Windows\SysWOW64\cmd.exe (PID 2220)
      Command line: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk9060" /TR "C:\ProgramData\Dllhost\dllhost.exe"
    - C:\Windows\SysWOW64\cmd.exe (PID 3484)
      Command line: "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\chcp.com (PID 4344)
        Command line: chcp 1251
    - C:\Windows\SysWOW64\cmd.exe (PID 4788)
      Command line: "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off
      - C:\Windows\SysWOW64\chcp.com (PID 1796)
        Command line: chcp 1251
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 960KB
  MD5: a0ab39a2d5ddf34264be20cc24e8f59f
  SHA1: 9ed17334867722f7708d90813eb96e547155370f
  SHA256: 463ecea6325f60cc96a94e71e48fa850642cdd8b60106f111360a13a25821ed5
  SHA512: e5f445d463f90c5874fc9c9fadf95ced4686195292380e51142764450237b68d233906c0b5b91203cfae094ef29bc3296c9f2430e5e3790b571127791d2f3c6c
- Filesize: 497B
  MD5: 13fda2ab01b83a5130842a5bab3892d3
  SHA1: 6e18e4b467cde054a63a95d4dfc030f156ecd215
  SHA256: 76973d42c8fceceab7ec85b3d01b218db92564993e93a9bea31c52aa73aeee9e
  SHA512: c51f9fd6e452fbeeedd4dfaba3c7c887e337f01e68abdd27d4032f8be85def7ef3cf0c77bf60e425b085b76c0539464c6b6e5e805a69397c5519e8ccf9fffccc
- Filesize: 2KB
  MD5: db01a2c1c7e70b2b038edf8ad5ad9826
  SHA1: 540217c647a73bad8d8a79e3a0f3998b5abd199b
  SHA256: 413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d
  SHA512: c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6
- Filesize: 18KB
  MD5: 69e159bfa117fff8966d58be440bfd82
  SHA1: 0a6fa31ba95cb6bf97a6b8043ec72501e3012a70
  SHA256: 31c1511c091cd39065cd48969acae031de282ed190496e3b0c8dfd4a0ca3ac85
  SHA512: 891882cd20d349d0f2e18fe0b67d0c250dfef1cbd5cdf996f53c32269ed2b69c858200eead3a66df4fcca7e0c55bfbb42b856cfb3d065c6e15f2ce581f1fc696