Analysis
max time kernel: 600s
max time network: 602s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-10-2022 23:31
Static task: static1
Behavioral task: behavioral1
  Sample: 34fdf62757b385491ff69eb3cc2d541a6a15ac6fec01d34eb06abc8435bd2516_unpacked.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 34fdf62757b385491ff69eb3cc2d541a6a15ac6fec01d34eb06abc8435bd2516_unpacked.exe
  Resource: win10v2004-20220812-en
General
Target: 34fdf62757b385491ff69eb3cc2d541a6a15ac6fec01d34eb06abc8435bd2516_unpacked.exe
Size: 64KB
MD5: ad92cec45f06a752313a90cda5745c8f
SHA1: a5b23fe8d08154e27e3d86dcec9363429cae6000
SHA256: 86b970f6bfcb0f742c3f24a12060ce18008f826c7651a9f3cc5a61112ef43f9a
SHA512: 093841b20069ab3e0aab8137104db42a2833af1b457df5c70a5e5e9bc222abd8beb0a038c0ebb8c6df01c4a4aa3e845f09f00928472d05c59ebcefde5ae00920
SSDEEP: 1536:/w28qww+saqRhGQruxKHEuj9zsZ6a4sHhN:SwNNGwHRBsZ6UBN
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  pid 4392  KB00885376.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created:     \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run
                   by 34fdf62757b385491ff69eb3cc2d541a6a15ac6fec01d34eb06abc8435bd2516_unpacked.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KB00885376.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\KB00885376.exe\""
                   by 34fdf62757b385491ff69eb3cc2d541a6a15ac6fec01d34eb06abc8435bd2516_unpacked.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 4392  KB00885376.exe  (the same entry is recorded 64 times)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege  pid 4392  KB00885376.exe

Suspicious use of WriteProcessMemory (64 IoCs)
  Writing process 4240 = 34fdf62757b385491ff69eb3cc2d541a6a15ac6fec01d34eb06abc8435bd2516_unpacked.exe
  Writing process 4392 = KB00885376.exe
  Target process names are taken from the process list below.

  writer pid  target pid  target process                   procid_target  events
  4240        4392        KB00885376.exe                   81             3
  4240        2896        cmd.exe                          82             3
  4392        2872        sihost.exe                       22             5
  4392        2920        svchost.exe (CDPUserSvc)         21             5
  4392        2960        taskhostw.exe                    20             5
  4392        2492        Explorer.EXE                     19             5
  4392        3104        svchost.exe (cbdhsvc)            18             5
  4392        3304        DllHost.exe                      17             5
  4392        3404        StartMenuExperienceHost.exe      16             5
  4392        3476        RuntimeBroker.exe                15             5
  4392        3568        SearchApp.exe                    49             5
  4392        3820        RuntimeBroker.exe                48             5
  4392        4692        RuntimeBroker.exe                45             5
  4392        4316        backgroundTaskHost.exe           30             3
Processes
(indentation shows parent/child relationship; each entry gives the image path followed by the recorded command line)

PID 3476  C:\Windows\System32\RuntimeBroker.exe
          C:\Windows\System32\RuntimeBroker.exe -Embedding

PID 3404  C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
          "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

PID 3304  C:\Windows\system32\DllHost.exe
          C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

PID 3104  C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

PID 2492  C:\Windows\Explorer.EXE
          C:\Windows\Explorer.EXE

    PID 4240  C:\Users\Admin\AppData\Local\Temp\34fdf62757b385491ff69eb3cc2d541a6a15ac6fec01d34eb06abc8435bd2516_unpacked.exe
              "C:\Users\Admin\AppData\Local\Temp\34fdf62757b385491ff69eb3cc2d541a6a15ac6fec01d34eb06abc8435bd2516_unpacked.exe"
              - Adds Run key to start application
              - Suspicious use of WriteProcessMemory

        PID 4392  C:\Users\Admin\AppData\Roaming\KB00885376.exe
                  "C:\Users\Admin\AppData\Roaming\KB00885376.exe"
                  - Executes dropped EXE
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory

        PID 2896  C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\POS643D.tmp.BAT"

PID 2960  C:\Windows\system32\taskhostw.exe
          taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

PID 2920  C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

PID 2872  C:\Windows\system32\sihost.exe
          sihost.exe

PID 4316  C:\Windows\system32\backgroundTaskHost.exe
          "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

PID 4692  C:\Windows\System32\RuntimeBroker.exe
          C:\Windows\System32\RuntimeBroker.exe -Embedding

PID 3820  C:\Windows\System32\RuntimeBroker.exe
          C:\Windows\System32\RuntimeBroker.exe -Embedding

PID 3568  C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

PID 1568  C:\Windows\System32\RuntimeBroker.exe
          C:\Windows\System32\RuntimeBroker.exe -Embedding
Network
MITRE ATT&CK Enterprise v6
Downloads

File 1
  Filesize: 340B
  MD5: 1538e7d31d6b5e09035cc347bb5b331b
  SHA1: ff2e091fab23194374ed6af225cf61e5ce658c9c
  SHA256: b073bbe35bcdddbaf1b3b71b69358cacdd89fe4a6c32e7f1843a617e54811209
  SHA512: 651eedf6a47b99c244615a6645e3959d8df902c924aea7586df35c9661f8147c9b597be83aa3ad8128de69ccb08ad375d9d97927ad6e51c984cece2c9bde620d

File 2
  Filesize: 64KB
  MD5: ad92cec45f06a752313a90cda5745c8f
  SHA1: a5b23fe8d08154e27e3d86dcec9363429cae6000
  SHA256: 86b970f6bfcb0f742c3f24a12060ce18008f826c7651a9f3cc5a61112ef43f9a
  SHA512: 093841b20069ab3e0aab8137104db42a2833af1b457df5c70a5e5e9bc222abd8beb0a038c0ebb8c6df01c4a4aa3e845f09f00928472d05c59ebcefde5ae00920

File 3
  Filesize: 64KB
  MD5: ad92cec45f06a752313a90cda5745c8f
  SHA1: a5b23fe8d08154e27e3d86dcec9363429cae6000
  SHA256: 86b970f6bfcb0f742c3f24a12060ce18008f826c7651a9f3cc5a61112ef43f9a
  SHA512: 093841b20069ab3e0aab8137104db42a2833af1b457df5c70a5e5e9bc222abd8beb0a038c0ebb8c6df01c4a4aa3e845f09f00928472d05c59ebcefde5ae00920