Analysis
  max time kernel:   151s
  max time network:  147s
  platform:          windows10-2004_x64
  resource:          win10v2004-20220812-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         23-11-2022 14:26

  Static task: static1

  Behavioral task: behavioral1
    Sample:   46d55c0f9b4a86890ce08b736be10a8e79bccd552b7e8c3ba8ea7da17dccfb29.exe
    Resource: win7-20220812-en

  Behavioral task: behavioral2
    Sample:   46d55c0f9b4a86890ce08b736be10a8e79bccd552b7e8c3ba8ea7da17dccfb29.exe
    Resource: win10v2004-20220812-en
General
  Target: 46d55c0f9b4a86890ce08b736be10a8e79bccd552b7e8c3ba8ea7da17dccfb29.exe
  Size:   158KB
  MD5:    34926506fefc6f5ebace4672d93af6ba
  SHA1:   4afaa8fe82b71906acf06cb2d7e52de160df2e85
  SHA256: 46d55c0f9b4a86890ce08b736be10a8e79bccd552b7e8c3ba8ea7da17dccfb29
  SHA512: cd600ea51963756703a7c438c0d8c2d4adc06d5dd5d4521baea6335f8e8c5ca9c1b6f66d6c7ae0d24d7d9c841588944fadf23375555368422f50adf6527baac5
  SSDEEP: 3072:FZefcXfiFuibp8/6im+9eJAtp2Ll7JvAGk2ck:FZeEXfiLpAmAtpWMzk
Malware Config
Signatures
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
  description       | ioc                                                              | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 46d55c0f9b4a86890ce08b736be10a8e79bccd552b7e8c3ba8ea7da17dccfb29.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes:
  description     | ioc                                                                                                        | process
  Key created     | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run                                | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Update = "C:\\Users\\Admin\\AppData\\Roaming\\46d55c0f9b4a86890ce08b736be10a8e79bccd552b7e8c3ba8ea7da17dccfb29.exe" | svchost.exe
  Key created     | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run | svchost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "C:\\Users\\Admin\\AppData\\Roaming\\46d55c0f9b4a86890ce08b736be10a8e79bccd552b7e8c3ba8ea7da17dccfb29.exe" | svchost.exe
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes:
  description     | ioc                                                                                                                                          | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\9Y2FDk3HfnK8.bmp" | svchost.exe
Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                          | pid  | process                                                              | target process
  PID 1400 set thread context of 4916  | 1400 | 46d55c0f9b4a86890ce08b736be10a8e79bccd552b7e8c3ba8ea7da17dccfb29.exe | svchost.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
  pid  | process
  1400 | 46d55c0f9b4a86890ce08b736be10a8e79bccd552b7e8c3ba8ea7da17dccfb29.exe
  1400 | 46d55c0f9b4a86890ce08b736be10a8e79bccd552b7e8c3ba8ea7da17dccfb29.exe
  4916 | svchost.exe   (this entry is repeated for the remaining 62 IoCs)
Suspicious behavior: MapViewOfSection (1 IoC)
Processes:
  pid  | process
  1400 | 46d55c0f9b4a86890ce08b736be10a8e79bccd552b7e8c3ba8ea7da17dccfb29.exe
Suspicious use of FindShellTrayWindow (1 IoC)
Processes:
  pid  | process
  4916 | svchost.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
  pid  | process
  4916 | svchost.exe
  4916 | svchost.exe
Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
  description                        | pid  | process                                                              | target process
  PID 1400 wrote to memory of 4916   | 1400 | 46d55c0f9b4a86890ce08b736be10a8e79bccd552b7e8c3ba8ea7da17dccfb29.exe | svchost.exe
  PID 1400 wrote to memory of 4916   | 1400 | 46d55c0f9b4a86890ce08b736be10a8e79bccd552b7e8c3ba8ea7da17dccfb29.exe | svchost.exe
  PID 1400 wrote to memory of 4916   | 1400 | 46d55c0f9b4a86890ce08b736be10a8e79bccd552b7e8c3ba8ea7da17dccfb29.exe | svchost.exe
  PID 1400 wrote to memory of 4916   | 1400 | 46d55c0f9b4a86890ce08b736be10a8e79bccd552b7e8c3ba8ea7da17dccfb29.exe | svchost.exe
  PID 1400 wrote to memory of 4916   | 1400 | 46d55c0f9b4a86890ce08b736be10a8e79bccd552b7e8c3ba8ea7da17dccfb29.exe | svchost.exe
  PID 4916 wrote to memory of 2160   | 4916 | svchost.exe                                                          | cmd.exe
  PID 4916 wrote to memory of 2160   | 4916 | svchost.exe                                                          | cmd.exe
  PID 4916 wrote to memory of 2160   | 4916 | svchost.exe                                                          | cmd.exe
Processes (process tree, depth shown by indentation)

1. C:\Users\Admin\AppData\Local\Temp\46d55c0f9b4a86890ce08b736be10a8e79bccd552b7e8c3ba8ea7da17dccfb29.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\46d55c0f9b4a86890ce08b736be10a8e79bccd552b7e8c3ba8ea7da17dccfb29.exe"
   - Checks BIOS information in registry
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\svchost.exe
      Command line: "C:\Windows\system32\svchost.exe"
      - Checks BIOS information in registry
      - Adds Run key to start application
      - Sets desktop wallpaper using registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\cmd.exe
         Command line: "C:\Windows\system32\cmd.exe" /q /c for /l %i in (1, 1, 4000000000) do if not exist "C:\Users\Admin\AppData\Local\Temp\46d55c0f9b4a86890ce08b736be10a8e79bccd552b7e8c3ba8ea7da17dccfb29.exe" (exit) else (del /f "C:\Users\Admin\AppData\Local\Temp\46d55c0f9b4a86890ce08b736be10a8e79bccd552b7e8c3ba8ea7da17dccfb29.exe")
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
  file                                                                  | size
  memory/1400-133-0x00000000005F0000-0x0000000000608000-memory.dmp      | 96KB
  memory/1400-134-0x0000000000400000-0x0000000000429000-memory.dmp      | 164KB
  memory/1400-135-0x0000000000400000-0x0000000000418000-memory.dmp      | 96KB
  memory/2160-137-0x0000000000000000-mapping.dmp                        | (mapping only, no size listed)
  memory/4916-132-0x0000000000000000-mapping.dmp                        | (mapping only, no size listed)
  memory/4916-136-0x0000000000400000-0x000000000043C000-memory.dmp      | 240KB
  memory/4916-138-0x0000000000400000-0x000000000043C000-memory.dmp      | 240KB
  memory/4916-139-0x00000000737A0000-0x00000000737D9000-memory.dmp      | 228KB
  memory/4916-140-0x00000000737A0000-0x00000000737D9000-memory.dmp      | 228KB