Analysis
max time kernel: 146s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-11-2022 20:33
Behavioral task
behavioral1
Sample: 4ed65df9e3744ed07c63836e0c76c4adf9d8858f3f2132270c967cd6785cfebb.exe
Resource: win7-20221111-en
General
Target: 4ed65df9e3744ed07c63836e0c76c4adf9d8858f3f2132270c967cd6785cfebb.exe
Size: 10.9MB
MD5: 301911b0adeaed9fbd662d1e394f7f5f
SHA1: ec5bb587917ea601f804899536a2c0b59531d9be
SHA256: 4ed65df9e3744ed07c63836e0c76c4adf9d8858f3f2132270c967cd6785cfebb
SHA512: 1db09c51cc8664c0ae51e220b1bee7fb157d95bf2b6b64d1e95854d155991426a4206b20632448f606f0e4513319b9207014a560a94ee288d16bb54999a8c7fb
SSDEEP: 196608:hqFOkolbnEdwOyfqRH2bZJhVWzpJofBNGwkgt2p9qm1:uyodwOVE/h0zpiA7yhm1
Malware Config
Signatures
Drops file in Drivers directory (3 IoCs)
Processes: 4ed65df9e3744ed07c63836e0c76c4adf9d8858f3f2132270c967cd6785cfebb.exe
  description | ioc | process
  File created | C:\Windows\system32\drivers\etc\hosts.ics | 4ed65df9e3744ed07c63836e0c76c4adf9d8858f3f2132270c967cd6785cfebb.exe
  File opened for modification | C:\Windows\system32\drivers\etc\hosts | 4ed65df9e3744ed07c63836e0c76c4adf9d8858f3f2132270c967cd6785cfebb.exe
  File opened for modification | C:\Windows\system32\drivers\etc\hosts.ics | 4ed65df9e3744ed07c63836e0c76c4adf9d8858f3f2132270c967cd6785cfebb.exe
Processes:
  resource | yara_rule
  behavioral2/memory/1564-135-0x00000000031E0000-0x0000000003252000-memory.dmp | upx
  behavioral2/memory/1564-136-0x00000000031E0000-0x0000000003252000-memory.dmp | upx
Processes:
  resource | yara_rule
  behavioral2/memory/1564-132-0x0000000000400000-0x0000000000F40000-memory.dmp | vmprotect
  behavioral2/memory/1564-133-0x0000000000400000-0x0000000000F40000-memory.dmp | vmprotect
  behavioral2/memory/1564-134-0x0000000000400000-0x0000000000F40000-memory.dmp | vmprotect
Drops file in System32 directory (2 IoCs)
Processes: svchost.exe
  description | ioc | process
  File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{78C403B1-4FE8-4CEA-9809-08B2AAD1CCF1}.catalogItem | svchost.exe
  File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{035D7BB5-2724-4666-A2F9-0E1589491751}.catalogItem | svchost.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
Processes: 4ed65df9e3744ed07c63836e0c76c4adf9d8858f3f2132270c967cd6785cfebb.exe
  pid | process
  1564 | 4ed65df9e3744ed07c63836e0c76c4adf9d8858f3f2132270c967cd6785cfebb.exe
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: svchost.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | svchost.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | svchost.exe
Enumerates system info in registry (2 TTPs, 2 IoCs)
Processes: svchost.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | svchost.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: 4ed65df9e3744ed07c63836e0c76c4adf9d8858f3f2132270c967cd6785cfebb.exe
  pid | process
  1564 | 4ed65df9e3744ed07c63836e0c76c4adf9d8858f3f2132270c967cd6785cfebb.exe
  1564 | 4ed65df9e3744ed07c63836e0c76c4adf9d8858f3f2132270c967cd6785cfebb.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: 4ed65df9e3744ed07c63836e0c76c4adf9d8858f3f2132270c967cd6785cfebb.exe
  pid | process
  1564 | 4ed65df9e3744ed07c63836e0c76c4adf9d8858f3f2132270c967cd6785cfebb.exe
  1564 | 4ed65df9e3744ed07c63836e0c76c4adf9d8858f3f2132270c967cd6785cfebb.exe
Processes
C:\Users\Admin\AppData\Local\Temp\4ed65df9e3744ed07c63836e0c76c4adf9d8858f3f2132270c967cd6785cfebb.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4ed65df9e3744ed07c63836e0c76c4adf9d8858f3f2132270c967cd6785cfebb.exe"
  - Drops file in Drivers directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID: 1564
C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k netsvcs -p
  - Drops file in System32 directory
  - Checks processor information in registry
  - Enumerates system info in registry
  PID: 1268
Network
MITRE ATT&CK Enterprise v6
Downloads
memory/1564-132-0x0000000000400000-0x0000000000F40000-memory.dmp (Filesize: 11.2MB)
memory/1564-133-0x0000000000400000-0x0000000000F40000-memory.dmp (Filesize: 11.2MB)
memory/1564-134-0x0000000000400000-0x0000000000F40000-memory.dmp (Filesize: 11.2MB)
memory/1564-135-0x00000000031E0000-0x0000000003252000-memory.dmp (Filesize: 456KB)
memory/1564-136-0x00000000031E0000-0x0000000003252000-memory.dmp (Filesize: 456KB)