Analysis
max time kernel: 132s
max time network: 140s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-11-2022 12:05
Static task: static1
Behavioral task: behavioral1
  Sample: 85fad34fac17c058fc85634a8ed07f3942b6ad9d73676d581d8f8584173f775a.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 85fad34fac17c058fc85634a8ed07f3942b6ad9d73676d581d8f8584173f775a.exe
  Resource: win10v2004-20220812-en
General
Target: 85fad34fac17c058fc85634a8ed07f3942b6ad9d73676d581d8f8584173f775a.exe
Size: 522KB
MD5: d7f6bcbf3b6fd77a379fd6bacd4db6b1
SHA1: 524cd317bf9cadc4172da5de381d3dac34c83e62
SHA256: 85fad34fac17c058fc85634a8ed07f3942b6ad9d73676d581d8f8584173f775a
SHA512: adf6899a77696a53845504c88ce8c85eebf576d0be3e889fdc5e519dc922acee560764a424c132610f31aece01c354a63f274f01b9ac1e93951ff07f1cfa3b71
SSDEEP: 6144:TkIAsljmJ/TfSCrHkgFnHCKgfXqDbQCsmQy1CrxQqD9RSaSz+8O5H+34e:WNraBgVHCh6XQCoy18xQqpx8O5H+
Malware Config
Signatures

- Drops file in System32 directory (2 IoCs)
  Processes: svchost.exe
  description | ioc | process
  File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{74C8C504-1024-42EA-BF54-CA4D45161BDD}.catalogItem | svchost.exe
  File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{403B106B-5227-4345-A3B6-417E5E182956}.catalogItem | svchost.exe

- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: svchost.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | svchost.exe

- Enumerates system info in registry (2 TTPs, 2 IoCs)
  Processes: svchost.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | svchost.exe

- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: 85fad34fac17c058fc85634a8ed07f3942b6ad9d73676d581d8f8584173f775a.exe
  description | pid | process | target process
  PID 2228 wrote to memory of 3264 | 2228 | 85fad34fac17c058fc85634a8ed07f3942b6ad9d73676d581d8f8584173f775a.exe | 85fad34fac17c058fc85634a8ed07f3942b6ad9d73676d581d8f8584173f775a.exe
  PID 2228 wrote to memory of 3264 | 2228 | 85fad34fac17c058fc85634a8ed07f3942b6ad9d73676d581d8f8584173f775a.exe | 85fad34fac17c058fc85634a8ed07f3942b6ad9d73676d581d8f8584173f775a.exe
  PID 2228 wrote to memory of 3264 | 2228 | 85fad34fac17c058fc85634a8ed07f3942b6ad9d73676d581d8f8584173f775a.exe | 85fad34fac17c058fc85634a8ed07f3942b6ad9d73676d581d8f8584173f775a.exe
  PID 2228 wrote to memory of 2476 | 2228 | 85fad34fac17c058fc85634a8ed07f3942b6ad9d73676d581d8f8584173f775a.exe | 85fad34fac17c058fc85634a8ed07f3942b6ad9d73676d581d8f8584173f775a.exe
  PID 2228 wrote to memory of 2476 | 2228 | 85fad34fac17c058fc85634a8ed07f3942b6ad9d73676d581d8f8584173f775a.exe | 85fad34fac17c058fc85634a8ed07f3942b6ad9d73676d581d8f8584173f775a.exe
  PID 2228 wrote to memory of 2476 | 2228 | 85fad34fac17c058fc85634a8ed07f3942b6ad9d73676d581d8f8584173f775a.exe | 85fad34fac17c058fc85634a8ed07f3942b6ad9d73676d581d8f8584173f775a.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\85fad34fac17c058fc85634a8ed07f3942b6ad9d73676d581d8f8584173f775a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\85fad34fac17c058fc85634a8ed07f3942b6ad9d73676d581d8f8584173f775a.exe"
  PID: 2228
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\85fad34fac17c058fc85634a8ed07f3942b6ad9d73676d581d8f8584173f775a.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\85fad34fac17c058fc85634a8ed07f3942b6ad9d73676d581d8f8584173f775a.exe start
    PID: 3264
  - C:\Users\Admin\AppData\Local\Temp\85fad34fac17c058fc85634a8ed07f3942b6ad9d73676d581d8f8584173f775a.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\85fad34fac17c058fc85634a8ed07f3942b6ad9d73676d581d8f8584173f775a.exe watch
    PID: 2476
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k netsvcs -p
  PID: 3200
  Signatures: Drops file in System32 directory; Checks processor information in registry; Enumerates system info in registry
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/2228-132-0x0000000000400000-0x000000000048C000-memory.dmp (Filesize 560KB)
- memory/2228-135-0x0000000000400000-0x000000000048C000-memory.dmp (Filesize 560KB)
- memory/2476-133-0x0000000000000000-mapping.dmp
- memory/2476-136-0x0000000000400000-0x000000000048C000-memory.dmp (Filesize 560KB)
- memory/2476-138-0x0000000000400000-0x000000000048C000-memory.dmp (Filesize 560KB)
- memory/2476-141-0x0000000000400000-0x000000000048C000-memory.dmp (Filesize 560KB)
- memory/3264-134-0x0000000000000000-mapping.dmp
- memory/3264-137-0x0000000000400000-0x000000000048C000-memory.dmp (Filesize 560KB)
- memory/3264-139-0x0000000000400000-0x000000000048C000-memory.dmp (Filesize 560KB)
- memory/3264-140-0x0000000000400000-0x000000000048C000-memory.dmp (Filesize 560KB)