Analysis
- max time kernel: 153s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-11-2022 10:01
Static task: static1
Behavioral task: behavioral1
- Sample: d547974a82beeb6e0020d968fbe484a83a8aa5fc3ca6d452c8cd1315a78c37ce.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: d547974a82beeb6e0020d968fbe484a83a8aa5fc3ca6d452c8cd1315a78c37ce.exe
- Resource: win10v2004-20220812-en
General
- Target: d547974a82beeb6e0020d968fbe484a83a8aa5fc3ca6d452c8cd1315a78c37ce.exe
- Size: 52KB
- MD5: 8b71cd888da67ae3eeae97480a29d2e9
- SHA1: 93a5c1e83b8a02ebc1f2f146e1e7716a78be310e
- SHA256: d547974a82beeb6e0020d968fbe484a83a8aa5fc3ca6d452c8cd1315a78c37ce
- SHA512: ea4cdb9ece8e1f3244b24ae63dac3fdcf93583e86d4e6c15d0634f0ac772e4f018f2587cd8782d11b9d6fa91fb03f2cafeb6ae5e012b8c52bd93734dd098162e
- SSDEEP: 768:aHyEBK+o6yMPqgRDMa6RwTdQXQ/6m/4Jk8gqCfFC:aHL1Rt20BCJkkUF
Malware Config
Signatures
Executes dropped EXE (1 IoC)
Processes:
- pid 4764, process svchobst.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Windows\\svchobst.exe" (process: svchobst.exe)
Drops file in Windows directory (2 IoCs)
Processes:
- File created C:\Windows\svchobst.exe (process: d547974a82beeb6e0020d968fbe484a83a8aa5fc3ca6d452c8cd1315a78c37ce.exe)
- File opened for modification C:\Windows\svchobst.exe (process: d547974a82beeb6e0020d968fbe484a83a8aa5fc3ca6d452c8cd1315a78c37ce.exe)
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (process: svchobst.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process: svchobst.exe)
Modifies Internet Explorer settings
Processes:
- Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{70FCF6E1-6B20-11ED-89AC-5A10AEE59B4B} = "0" (process: iexplore.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" (process: iexplore.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" (process: iexplore.exe)
- Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive (process: iexplore.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1171534604" (process: iexplore.exe)
- Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ (process: iexplore.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" (process: iexplore.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30998317" (process: iexplore.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "375967253" (process: iexplore.exe)
- Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main (process: iexplore.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" (process: iexplore.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30998317" (process: iexplore.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1180284114" (process: IEXPLORE.EXE)
- Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion (process: iexplore.exe)
- Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames (process: iexplore.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" (process: iexplore.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" (process: iexplore.exe)
- Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery (process: iexplore.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" (process: iexplore.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1171534604" (process: iexplore.exe)
- Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main (process: IEXPLORE.EXE)
- Set value (data) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 (process: iexplore.exe)
- Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ (process: iexplore.exe)
- Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch (process: iexplore.exe)
- Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\VersionManager (process: iexplore.exe)
- Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\VersionManager (process: IEXPLORE.EXE)
- Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30998317" (process: IEXPLORE.EXE)
- Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DomainSuggestion (process: iexplore.exe)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
- pid 3988, process iexplore.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
- Token: SeIncBasePriorityPrivilege, pid 5000, process d547974a82beeb6e0020d968fbe484a83a8aa5fc3ca6d452c8cd1315a78c37ce.exe
Suspicious use of FindShellTrayWindow (1 IoC)
Processes:
- pid 3988, process iexplore.exe
Suspicious use of SetWindowsHookEx (6 IoCs)
Processes:
- pid 3988, process iexplore.exe
- pid 3988, process iexplore.exe
- pid 980, process IEXPLORE.EXE
- pid 980, process IEXPLORE.EXE
- pid 980, process IEXPLORE.EXE
- pid 980, process IEXPLORE.EXE
Suspicious use of WriteProcessMemory (11 IoCs)
Processes:
- PID 5000 wrote to memory of 4764 (d547974a82beeb6e0020d968fbe484a83a8aa5fc3ca6d452c8cd1315a78c37ce.exe -> svchobst.exe)
- PID 5000 wrote to memory of 4764 (d547974a82beeb6e0020d968fbe484a83a8aa5fc3ca6d452c8cd1315a78c37ce.exe -> svchobst.exe)
- PID 5000 wrote to memory of 4764 (d547974a82beeb6e0020d968fbe484a83a8aa5fc3ca6d452c8cd1315a78c37ce.exe -> svchobst.exe)
- PID 5000 wrote to memory of 440 (d547974a82beeb6e0020d968fbe484a83a8aa5fc3ca6d452c8cd1315a78c37ce.exe -> cmd.exe)
- PID 5000 wrote to memory of 440 (d547974a82beeb6e0020d968fbe484a83a8aa5fc3ca6d452c8cd1315a78c37ce.exe -> cmd.exe)
- PID 5000 wrote to memory of 440 (d547974a82beeb6e0020d968fbe484a83a8aa5fc3ca6d452c8cd1315a78c37ce.exe -> cmd.exe)
- PID 4764 wrote to memory of 3988 (svchobst.exe -> iexplore.exe)
- PID 4764 wrote to memory of 3988 (svchobst.exe -> iexplore.exe)
- PID 3988 wrote to memory of 980 (iexplore.exe -> IEXPLORE.EXE)
- PID 3988 wrote to memory of 980 (iexplore.exe -> IEXPLORE.EXE)
- PID 3988 wrote to memory of 980 (iexplore.exe -> IEXPLORE.EXE)
Processes
C:\Users\Admin\AppData\Local\Temp\d547974a82beeb6e0020d968fbe484a83a8aa5fc3ca6d452c8cd1315a78c37ce.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d547974a82beeb6e0020d968fbe484a83a8aa5fc3ca6d452c8cd1315a78c37ce.exe"
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\svchobst.exe (depth 2)
    Command line: "C:\Windows\svchobst.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks processor information in registry
    - Suspicious use of WriteProcessMemory
    C:\Program Files\Internet Explorer\iexplore.exe (depth 3)
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe" £¾½¸ýéê ±ï¡Þ×Ô’ÏÌ–Ò˜ÝÀÞÞ±°¯®¬«ª©¨§¦¥¤£¢¡ Ÿžœ›š™˜—–•”“’‘ŽŒ‹Š‰ˆ‡†…„ƒ‚€~}|{zyxwvutsrqponmlkjihgfedcba`_^
      - Modifies Internet Explorer settings
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (depth 4)
        Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3988 CREDAT:17410 /prefetch:2
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx
  C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\D54797~1.EXE > nul
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
  Filesize: 471B
  MD5: e32d02ce684c01ef3af05fae9066160e
  SHA1: 29c7a6e8ed553ac2765634265d1db041d6d422ec
  SHA256: b00322d178a6cfc206458c26b26d6c80596073bb3283dcc3fc4e33a4b5f29d71
  SHA512: e4e3175fb131095e4681ecb76d14dc74d059c0beafb6340965516c6d3d0538deb314b36a3f09df03b491edac84d5c0580e764fed1d8bca9abd4e65cb56167148
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
  Filesize: 434B
  MD5: f03c405b4000f830a6b31c529b02b29d
  SHA1: 887dd52e4b07d0ea6958324a17b1f41148a0443e
  SHA256: d5ae1678609f155dbda4918d513f82439a84a658a3ed1a49832b660d008b27af
  SHA512: 86a2412249e1c138ff6e6046a4d942fccced0cb84b83cb71e97d839c78328ab6058a5958fc499e86782b306e4a49d7a5031cebfc96bb859eeefdab94f687474a
- C:\Windows\svchobst.exe
  Filesize: 52KB
  MD5: 8b71cd888da67ae3eeae97480a29d2e9
  SHA1: 93a5c1e83b8a02ebc1f2f146e1e7716a78be310e
  SHA256: d547974a82beeb6e0020d968fbe484a83a8aa5fc3ca6d452c8cd1315a78c37ce
  SHA512: ea4cdb9ece8e1f3244b24ae63dac3fdcf93583e86d4e6c15d0634f0ac772e4f018f2587cd8782d11b9d6fa91fb03f2cafeb6ae5e012b8c52bd93734dd098162e
- C:\Windows\svchobst.exe
  Filesize: 52KB
  MD5: 8b71cd888da67ae3eeae97480a29d2e9
  SHA1: 93a5c1e83b8a02ebc1f2f146e1e7716a78be310e
  SHA256: d547974a82beeb6e0020d968fbe484a83a8aa5fc3ca6d452c8cd1315a78c37ce
  SHA512: ea4cdb9ece8e1f3244b24ae63dac3fdcf93583e86d4e6c15d0634f0ac772e4f018f2587cd8782d11b9d6fa91fb03f2cafeb6ae5e012b8c52bd93734dd098162e
- memory/440-134-0x0000000000000000-mapping.dmp
- memory/4764-132-0x0000000000000000-mapping.dmp