Analysis

  • max time kernel
    600s
  • max time network
    602s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26-10-2022 23:31

General

  • Target

    34fdf62757b385491ff69eb3cc2d541a6a15ac6fec01d34eb06abc8435bd2516_unpacked.exe

  • Size

    64KB

  • MD5

    ad92cec45f06a752313a90cda5745c8f

  • SHA1

    a5b23fe8d08154e27e3d86dcec9363429cae6000

  • SHA256

    86b970f6bfcb0f742c3f24a12060ce18008f826c7651a9f3cc5a61112ef43f9a

  • SHA512

    093841b20069ab3e0aab8137104db42a2833af1b457df5c70a5e5e9bc222abd8beb0a038c0ebb8c6df01c4a4aa3e845f09f00928472d05c59ebcefde5ae00920

  • SSDEEP

    1536:/w28qww+saqRhGQruxKHEuj9zsZ6a4sHhN:SwNNGwHRBsZ6UBN

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE (1 IoCs)
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    PID:3476
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:3404
  • C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    1⤵
    PID:3304
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
    1⤵
    PID:3104
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    PID:2492
    • C:\Users\Admin\AppData\Local\Temp\34fdf62757b385491ff69eb3cc2d541a6a15ac6fec01d34eb06abc8435bd2516_unpacked.exe
      "C:\Users\Admin\AppData\Local\Temp\34fdf62757b385491ff69eb3cc2d541a6a15ac6fec01d34eb06abc8435bd2516_unpacked.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4240
      • C:\Users\Admin\AppData\Roaming\KB00885376.exe
        "C:\Users\Admin\AppData\Roaming\KB00885376.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4392
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\POS643D.tmp.BAT"
        3⤵
        PID:2896
  • C:\Windows\system32\taskhostw.exe
    taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
    1⤵
    PID:2960
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
    1⤵
    PID:2920
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    PID:2872
  • C:\Windows\system32\backgroundTaskHost.exe
    "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
    1⤵
    PID:4316
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    PID:4692
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    PID:3820
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:3568
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    PID:1568

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\POS643D.tmp.BAT

    Filesize

    340B

    MD5

    1538e7d31d6b5e09035cc347bb5b331b

    SHA1

    ff2e091fab23194374ed6af225cf61e5ce658c9c

    SHA256

    b073bbe35bcdddbaf1b3b71b69358cacdd89fe4a6c32e7f1843a617e54811209

    SHA512

    651eedf6a47b99c244615a6645e3959d8df902c924aea7586df35c9661f8147c9b597be83aa3ad8128de69ccb08ad375d9d97927ad6e51c984cece2c9bde620d

  • C:\Users\Admin\AppData\Roaming\KB00885376.exe

    Filesize

    64KB

    MD5

    ad92cec45f06a752313a90cda5745c8f

    SHA1

    a5b23fe8d08154e27e3d86dcec9363429cae6000

    SHA256

    86b970f6bfcb0f742c3f24a12060ce18008f826c7651a9f3cc5a61112ef43f9a

    SHA512

    093841b20069ab3e0aab8137104db42a2833af1b457df5c70a5e5e9bc222abd8beb0a038c0ebb8c6df01c4a4aa3e845f09f00928472d05c59ebcefde5ae00920

  • memory/1568-188-0x000000000C6B0000-0x000000000C6D1000-memory.dmp

    Filesize

    132KB

  • memory/2492-152-0x0000000002EA0000-0x0000000002EC1000-memory.dmp

    Filesize

    132KB

  • memory/2872-139-0x000000000F150000-0x000000000F171000-memory.dmp

    Filesize

    132KB

  • memory/2896-135-0x0000000000000000-mapping.dmp

  • memory/2920-143-0x000000003A8E0000-0x000000003A901000-memory.dmp

    Filesize

    132KB

  • memory/2960-148-0x000000001A430000-0x000000001A451000-memory.dmp

    Filesize

    132KB

  • memory/3104-156-0x00000000205A0000-0x00000000205C1000-memory.dmp

    Filesize

    132KB

  • memory/3304-160-0x000000003F4A0000-0x000000003F4C1000-memory.dmp

    Filesize

    132KB

  • memory/3404-164-0x00000000346F0000-0x0000000034711000-memory.dmp

    Filesize

    132KB

  • memory/3476-168-0x0000000017BD0000-0x0000000017BF1000-memory.dmp

    Filesize

    132KB

  • memory/3568-172-0x000000003C2D0000-0x000000003C2F1000-memory.dmp

    Filesize

    132KB

  • memory/3820-176-0x0000000008D70000-0x0000000008D91000-memory.dmp

    Filesize

    132KB

  • memory/4316-184-0x0000000024C10000-0x0000000024C31000-memory.dmp

    Filesize

    132KB

  • memory/4392-132-0x0000000000000000-mapping.dmp

  • memory/4392-192-0x0000000003560000-0x0000000003581000-memory.dmp

    Filesize

    132KB

  • memory/4692-180-0x0000000024BC0000-0x0000000024BE1000-memory.dmp

    Filesize

    132KB