Analysis
-
max time kernel
173s -
max time network
193s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
11/10/2022, 22:42
General
-
Target
60bdf67aa7e1f6f217d7039fd43a47fc84db18dec467e0ce4feefa675965a69d.exe
-
Size
360KB
-
MD5
7c93c64b616ef9b4799ac4cb226d00c3
-
SHA1
b227aa48be16c21c94da5cc20e88d4e6ff0c1393
-
SHA256
60bdf67aa7e1f6f217d7039fd43a47fc84db18dec467e0ce4feefa675965a69d
-
SHA512
5716b68d37832ad307d49d44491099d5e08cd7bcd7d2eb6a0310b33a78bcd9184020f91bd9b8b916fe3a9b69b5d6ecbd5e0fe9650843e1455b7b27c08e7c72af
-
SSDEEP
6144:3ZkykQRjhViHamAOxUCHyLSq8dkbpxIXPIlIFXn8C4:3ZkyrjhViHHxnSyKwPYIF6
Malware Config
Signatures
-
Modifies firewall policy service 2 TTPs 4 IoCs
-
Executes dropped EXE 3 IoCs
-
UPX packed file 25 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 5 IoCs
-
Program crash 3 IoCs
-
Modifies Internet Explorer settings 1 TTPs 38 IoCs
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
-
Suspicious behavior: MapViewOfSection 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 9 IoCs
-
Suspicious use of UnmapMainImage 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"2⤵
-
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca2⤵
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}2⤵
-
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding2⤵
-
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca2⤵
-
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding2⤵
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}2⤵
-
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding2⤵
-
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding2⤵
-
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca2⤵
-
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS -p1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵
-
C:\Windows\system32\sihost.exesihost.exe2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s FontCache1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\60bdf67aa7e1f6f217d7039fd43a47fc84db18dec467e0ce4feefa675965a69d.exe"C:\Users\Admin\AppData\Local\Temp\60bdf67aa7e1f6f217d7039fd43a47fc84db18dec467e0ce4feefa675965a69d.exe"2⤵
- Modifies firewall policy service
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\60bdf67aa7e1f6f217d7039fd43a47fc84db18dec467e0ce4feefa675965a69dmgr.exeC:\Users\Admin\AppData\Local\Temp\60bdf67aa7e1f6f217d7039fd43a47fc84db18dec467e0ce4feefa675965a69dmgr.exe3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
-
C:\Users\Admin\AppData\Local\Temp\60bdf67aa7e1f6f217d7039fd43a47fc84db18dec467e0ce4feefa675965a69dmgrmgr.exeC:\Users\Admin\AppData\Local\Temp\60bdf67aa7e1f6f217d7039fd43a47fc84db18dec467e0ce4feefa675965a69dmgrmgr.exe4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
-
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4000 -s 2047⤵
- Program crash
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4976 CREDAT:17410 /prefetch:27⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3196 CREDAT:17410 /prefetch:27⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4216 -s 3044⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 392 -s 12643⤵
- Program crash
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -s W32Time1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 4216 -ip 42161⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4000 -ip 40001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 392 -ip 3921⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
92KB
MD5182e2e19ca5e79941fb2add9ef7a0cee
SHA1e6eb18b0358514bad3172307dfc9a6524587cb23
SHA2568416706fa0f322ff2e7464e12c58096117f31675131d023792dd16800d1cc384
SHA5127e9852764e0726a0816f9f66bef88391c21df49c3d2b329d4f70eb95b3bf9d1eb62294c3c92249c5e5da1a6f6534852129a7dedef01dfae19d05c4ee3b20db3d
-
Filesize
92KB
MD5182e2e19ca5e79941fb2add9ef7a0cee
SHA1e6eb18b0358514bad3172307dfc9a6524587cb23
SHA2568416706fa0f322ff2e7464e12c58096117f31675131d023792dd16800d1cc384
SHA5127e9852764e0726a0816f9f66bef88391c21df49c3d2b329d4f70eb95b3bf9d1eb62294c3c92249c5e5da1a6f6534852129a7dedef01dfae19d05c4ee3b20db3d
-
Filesize
3KB
MD5095e8027f15a91be4868d9c24a5c4f84
SHA139c4cf76cea46514d66477c8f332de7131389af1
SHA256a41889bb7c07c831ea503d05abd04c39e8d2c94b272b1af54a4d73e9aeec0b4f
SHA51220967a8d6cfaec56052f32085171463caaf4edeb2ef313955fa99f32433d5a50f349b4d1b5a482fb63de26fb5c9aba670ba4233d721fd703d5cbfb89ca84c6c6
-
Filesize
3KB
MD57624a6938ece6dc5196c1a0139fed88d
SHA1982c6b56f50d1481a2800f9c051959f3e63a1258
SHA2566a64ec23b2624ad23646d6e340d8c24427829ababbd98b5b6b5a467f207861dd
SHA512080c05db3c383b84f3bee4be48f921bbb810925182471e7b29fa9ca03c57a84143316b745b2e4a80527fe9da8962a86b3deefa6a4bdc64f08f90d37442db2b3c
-
Filesize
234KB
MD5c73f8db0051d910256c159e01ff83809
SHA14acdf9d84ae0a783448c55da4d91a25845ca4ada
SHA256b739c0110bc5258318b13cff88d5ca27d3a46727d40d4a3d5422c6e908b0f636
SHA512f6b1d4e2b0a39573459051be8e3cedd896d03d4280bf423ff8302074e6a26f3d23903da59150c315971eb41fd0e1527bcff6242acba3165f7abc8d8ce35dba97
-
Filesize
234KB
MD5c73f8db0051d910256c159e01ff83809
SHA14acdf9d84ae0a783448c55da4d91a25845ca4ada
SHA256b739c0110bc5258318b13cff88d5ca27d3a46727d40d4a3d5422c6e908b0f636
SHA512f6b1d4e2b0a39573459051be8e3cedd896d03d4280bf423ff8302074e6a26f3d23903da59150c315971eb41fd0e1527bcff6242acba3165f7abc8d8ce35dba97
-
Filesize
92KB
MD5182e2e19ca5e79941fb2add9ef7a0cee
SHA1e6eb18b0358514bad3172307dfc9a6524587cb23
SHA2568416706fa0f322ff2e7464e12c58096117f31675131d023792dd16800d1cc384
SHA5127e9852764e0726a0816f9f66bef88391c21df49c3d2b329d4f70eb95b3bf9d1eb62294c3c92249c5e5da1a6f6534852129a7dedef01dfae19d05c4ee3b20db3d
-
Filesize
92KB
MD5182e2e19ca5e79941fb2add9ef7a0cee
SHA1e6eb18b0358514bad3172307dfc9a6524587cb23
SHA2568416706fa0f322ff2e7464e12c58096117f31675131d023792dd16800d1cc384
SHA5127e9852764e0726a0816f9f66bef88391c21df49c3d2b329d4f70eb95b3bf9d1eb62294c3c92249c5e5da1a6f6534852129a7dedef01dfae19d05c4ee3b20db3d
-
Filesize
552KB
-
Filesize
552KB
-
Filesize
552KB
-
Filesize
152KB
-
Filesize
152KB
-
Filesize
152KB
-
Filesize
152KB
-
Filesize
152KB
-
Filesize
152KB
-
Filesize
132KB
-
Filesize
152KB
-
Filesize
152KB
-
Filesize
280KB
-
Filesize
280KB
-
Filesize
280KB
-
Filesize
280KB
-
Filesize
280KB
-
Filesize
48KB
-
Filesize
280KB
-
Filesize
48KB
-
Filesize
132KB
-
Filesize
280KB
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
48KB
-
Filesize
152KB
-
Filesize
132KB
-
Filesize
152KB
-
Filesize
152KB
-
Filesize
152KB