Analysis
max time kernel: 174s
max time network: 207s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-11-2022 09:30
Behavioral task: behavioral1
Sample: 7391cf197a10165c746646b8a767316371d62d86bf4367fe546762276bbe5995.exe
Resource: win7-20221111-en
Behavioral task: behavioral2
Sample: 7391cf197a10165c746646b8a767316371d62d86bf4367fe546762276bbe5995.exe
Resource: win10v2004-20221111-en
General
Target: 7391cf197a10165c746646b8a767316371d62d86bf4367fe546762276bbe5995.exe
Size: 4.1MB
MD5: dbbb4cfc6d9cd1356d53c122cb97fd97
SHA1: 5ce4ef9531612019dbf309436c8c55d290323fe6
SHA256: 7391cf197a10165c746646b8a767316371d62d86bf4367fe546762276bbe5995
SHA512: 8b147e79651f517d66be6e31b09bca95571ee69da5ba1f6639a08a66419ba5d50ab02051fadb7858b39cb68acd4d28029ef7c3ec48ce05da52718f1efbbf7580
SSDEEP: 98304:wdBaZn29qwS9m51SXt1T8GTH8gS4TyF0ES5:kgY9AwKtV8GTcgHGF0
Malware Config
Signatures
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
description | pid | process | target process
PID 3364 created 1420 | 3364 | svchost.exe | 7391cf197a10165c746646b8a767316371d62d86bf4367fe546762276bbe5995.exe
Executes dropped EXE 1 IoCs
Processes:
pid | process
3400 | Pemhkdcxvgmi.exe
VMProtect packed file (YARA rule vmprotect) 7 IoCs
Processes:
resource | yara_rule
behavioral2/memory/1420-132-0x0000000000400000-0x0000000000C57000-memory.dmp | vmprotect
behavioral2/memory/1420-133-0x0000000000400000-0x0000000000C57000-memory.dmp | vmprotect
C:\Users\Admin\AppData\Local\Temp\Pemhkdcxvgmi.exe | vmprotect
C:\Users\Admin\AppData\Local\Temp\Pemhkdcxvgmi.exe | vmprotect
behavioral2/memory/3400-137-0x0000000000400000-0x0000000000DC7000-memory.dmp | vmprotect
behavioral2/memory/1420-138-0x0000000000400000-0x0000000000C57000-memory.dmp | vmprotect
behavioral2/memory/3400-139-0x0000000000400000-0x0000000000DC7000-memory.dmp | vmprotect
Drops file in System32 directory 11 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content | Pemhkdcxvgmi.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E7EC0C85688F4738F3BE49B104BA67 | Pemhkdcxvgmi.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A053CFB63FC8E6507871752236B5CCD5_2F4F3507C6BA2561814680240A0BCD85 | Pemhkdcxvgmi.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache | Pemhkdcxvgmi.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E7EC0C85688F4738F3BE49B104BA67 | Pemhkdcxvgmi.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | Pemhkdcxvgmi.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft | Pemhkdcxvgmi.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData | Pemhkdcxvgmi.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A053CFB63FC8E6507871752236B5CCD5_2F4F3507C6BA2561814680240A0BCD85 | Pemhkdcxvgmi.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | Pemhkdcxvgmi.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | Pemhkdcxvgmi.exe
Drops file in Windows directory 2 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\Sy.ini | 7391cf197a10165c746646b8a767316371d62d86bf4367fe546762276bbe5995.exe
File opened for modification | C:\Windows\Sy.ini | Pemhkdcxvgmi.exe
Modifies Internet Explorer settings 1 IoCs
Processes:
description | ioc | process
Key deleted | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs | 7391cf197a10165c746646b8a767316371d62d86bf4367fe546762276bbe5995.exe
Modifies data under HKEY_USERS 6 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | Pemhkdcxvgmi.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | Pemhkdcxvgmi.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | Pemhkdcxvgmi.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | Pemhkdcxvgmi.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | Pemhkdcxvgmi.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | Pemhkdcxvgmi.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
pid | process
1420 | 7391cf197a10165c746646b8a767316371d62d86bf4367fe546762276bbe5995.exe
1420 | 7391cf197a10165c746646b8a767316371d62d86bf4367fe546762276bbe5995.exe
1420 | 7391cf197a10165c746646b8a767316371d62d86bf4367fe546762276bbe5995.exe
1420 | 7391cf197a10165c746646b8a767316371d62d86bf4367fe546762276bbe5995.exe
3400 | Pemhkdcxvgmi.exe
3400 | Pemhkdcxvgmi.exe
3400 | Pemhkdcxvgmi.exe
3400 | Pemhkdcxvgmi.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1420 | 7391cf197a10165c746646b8a767316371d62d86bf4367fe546762276bbe5995.exe
Token: SeTcbPrivilege | 3364 | svchost.exe
Token: SeTcbPrivilege | 3364 | svchost.exe
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
pid | process
1420 | 7391cf197a10165c746646b8a767316371d62d86bf4367fe546762276bbe5995.exe
1420 | 7391cf197a10165c746646b8a767316371d62d86bf4367fe546762276bbe5995.exe
3400 | Pemhkdcxvgmi.exe
3400 | Pemhkdcxvgmi.exe
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
description | pid | process | target process
PID 3364 wrote to memory of 3400 | 3364 | svchost.exe | Pemhkdcxvgmi.exe
PID 3364 wrote to memory of 3400 | 3364 | svchost.exe | Pemhkdcxvgmi.exe
PID 3364 wrote to memory of 3400 | 3364 | svchost.exe | Pemhkdcxvgmi.exe
Processes (tree depth in brackets)
[1] C:\Users\Admin\AppData\Local\Temp\7391cf197a10165c746646b8a767316371d62d86bf4367fe546762276bbe5995.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\7391cf197a10165c746646b8a767316371d62d86bf4367fe546762276bbe5995.exe"
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    [2] C:\Users\Admin\AppData\Local\Temp\Pemhkdcxvgmi.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\Pemhkdcxvgmi.exe"
        - Executes dropped EXE
        - Drops file in System32 directory
        - Drops file in Windows directory
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
[1] C:\Windows\system32\svchost.exe
    command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
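Two things in the signatures above are worth turning into detections rather than reading as isolated IoCs. First, the dropped Pemhkdcxvgmi.exe is not simply a child of the sample: the Secondary Logon service host (svchost.exe -k netsvcs -p -s seclogon, shown adjusting SeTcbPrivilege) writes into PID 3400's memory and is the process the NtCreateUserProcessOtherParentProcess entry ties to the sample (PID 1420). Second, the dropped executable's file and registry writes land under C:\Windows\SysWOW64\config\systemprofile and HKU\.DEFAULT, the profile directory and hive of the LocalSystem account, which is consistent with it running under a different token than the sample; that is an inference from the listed IoCs, not something the report states. The script below is an added example, not part of the report or of the sandbox vendor's tooling. It encodes the report's IoCs as rules and runs them over constructed Sysmon-style events (Event ID 1 process creation, 11 file create, 13 registry value set) that mirror the process tree; the event field names are assumptions, the parent of the submitted sample is not recorded in the report and is left blank, and the benign events are made up to show the rules staying quiet.

```python
"""Detection rules derived from the sandbox report's IoCs, run over
constructed Sysmon-style events. Added example; the events are not real
telemetry and the field names (id, pid, image, parent_cmd, target,
details, sha256) are assumptions about the log format."""
import re
from typing import Dict, Iterable, List

# SHA256 values copied from the report: submitted sample and dropped EXE.
KNOWN_SHA256 = {
    "7391cf197a10165c746646b8a767316371d62d86bf4367fe546762276bbe5995": "submitted sample",
    "75d5cb1a618b997d3fc5e2030df44b596847d2cee1cb4fe055400197feff64d3": "Pemhkdcxvgmi.exe (dropped)",
}
# Paths and keys from the report, lower-cased for case-insensitive matching.
SY_INI = "c:\\windows\\sy.ini"
SYSTEM_PROFILE = "c:\\windows\\syswow64\\config\\systemprofile\\"
DEFAULT_ZONEMAP = ("\\registry\\user\\.default\\software\\microsoft\\windows\\"
                   "currentversion\\internet settings\\zonemap\\")
WINDOWS_DIR = "c:\\windows\\"
# Per-user temp directory, where both executables in the report live.
USER_TEMP = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
# The Secondary Logon service host that appears as creator of the dropped EXE.
SECLOGON_HOST = re.compile(r"svchost\.exe.*\s-s\s+seclogon\b", re.I)


def evaluate(events: Iterable[Dict]) -> List[Dict]:
    """Return one finding per rule hit, naming the rule, the PID and a detail."""
    findings: List[Dict] = []

    def hit(rule: str, ev: Dict, detail: str) -> None:
        findings.append({"rule": rule, "pid": ev["pid"], "detail": detail})

    for ev in events:
        image = ev.get("image", "").lower()
        if ev["id"] == 1:  # process creation
            # Executable in a user temp dir launched via seclogon's svchost:
            # the creator relationship the report flags.
            if SECLOGON_HOST.search(ev.get("parent_cmd", "")) and USER_TEMP.match(image):
                hit("seclogon_spawns_temp_exe", ev, ev["image"])
            label = KNOWN_SHA256.get(ev.get("sha256", "").lower())
            if label:
                hit("known_hash", ev, label)
        elif ev["id"] == 11:  # file create / open for modification
            target = ev["target"].lower()
            if target == SY_INI:
                hit("writes_sy_ini", ev, ev["target"])
            # Binary outside C:\Windows touching the LocalSystem profile
            # (CryptnetUrlCache, INetCache, INetCookies in the report).
            elif target.startswith(SYSTEM_PROFILE) and not image.startswith(WINDOWS_DIR):
                hit("systemprofile_write_from_user_path", ev, ev["target"])
        elif ev["id"] == 13:  # registry value set
            # ZoneMap values under HKU\.DEFAULT (ProxyBypass, IntranetName, ...).
            if ev["target"].lower().startswith(DEFAULT_ZONEMAP):
                name = ev["target"].rsplit("\\", 1)[-1]
                hit("default_user_zonemap_change", ev, f"{name}={ev.get('details')}")
    return findings


SAMPLE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
          "7391cf197a10165c746646b8a767316371d62d86bf4367fe546762276bbe5995.exe")
DROPPED = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Pemhkdcxvgmi.exe"
SECLOGON_CMD = "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s seclogon"

# Constructed events mirroring the report's process tree, file and registry
# activity. The sample's own parent is not recorded in the report.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 1420, "image": SAMPLE, "parent_cmd": "",
     "sha256": "7391cf197a10165c746646b8a767316371d62d86bf4367fe546762276bbe5995"},
    {"id": 1, "pid": 3400, "image": DROPPED, "parent_pid": 3364, "parent_cmd": SECLOGON_CMD,
     "sha256": "75d5cb1a618b997d3fc5e2030df44b596847d2cee1cb4fe055400197feff64d3"},
    {"id": 11, "pid": 1420, "image": SAMPLE, "target": "C:\\Windows\\Sy.ini"},
    {"id": 11, "pid": 3400, "image": DROPPED,
     "target": "C:\\Windows\\SysWOW64\\config\\systemprofile\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content"},
    {"id": 13, "pid": 3400, "image": DROPPED, "details": "1",
     "target": "\\REGISTRY\\USER\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass"},
]
# Constructed benign events that must not fire: a system binary started by
# explorer, and a real service host writing to its own profile.
BENIGN_EVENTS = [
    {"id": 1, "pid": 5000, "image": "C:\\Windows\\System32\\notepad.exe",
     "parent_cmd": "C:\\Windows\\explorer.exe", "sha256": "00" * 32},
    {"id": 11, "pid": 900, "image": "C:\\Windows\\System32\\svchost.exe",
     "target": "C:\\Windows\\SysWOW64\\config\\systemprofile\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData"},
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS + BENIGN_EVENTS):
        print(f"{f['rule']:36} pid={f['pid']:<5} {f['detail']}")
```

The hash rule is the weakest of the set: the dropped file is VMProtect-packed and a rebuild changes every digest, whereas the seclogon creation path, the Sy.ini write and the HKU\.DEFAULT ZoneMap changes describe behaviour. Deploying the systemprofile rule against real telemetry needs an allow-list for legitimate services that run under LocalSystem from outside C:\Windows; the constructed benign svchost event only covers the in-tree case.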
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\Pemhkdcxvgmi.exe
Filesize: 2.8MB
MD5: 83bfee62a205080de8355e4601dc463f
SHA1: 70e60ba0644266ef8937181120d8a16428081bb2
SHA256: 75d5cb1a618b997d3fc5e2030df44b596847d2cee1cb4fe055400197feff64d3
SHA512: 555ca560983ef29b27fa5c240f0da1ae9d04969297ea1833c753ec1c0e65875e6ff67c4dfca193d962e3c80148a5c2d837d0b78d611b0e3f59950ac0a9f9f3e8
C:\Windows\Sy.ini
Filesize: 169B
MD5: 9b96634bcea19a9a554e8fd35510f92d
SHA1: d6f3d6cda170f439ba7b6b2f798d50ac9373d07f
SHA256: 710c32e33dfcb77e8e39701ddefa1619a4c892b92b7a0ff1c2b88bb115ea98b9
SHA512: ba655b4673b34b7b79ed112a2f21263a351195f2b55e7c857df88f1f550b90ea73ff1b000e133bf2b65447e54a3d051efa92b53177f10e1f72746e7b85b1c076

memory/1420-132-0x0000000000400000-0x0000000000C57000-memory.dmp
Filesize: 8.3MB

memory/1420-133-0x0000000000400000-0x0000000000C57000-memory.dmp
Filesize: 8.3MB

memory/1420-138-0x0000000000400000-0x0000000000C57000-memory.dmp
Filesize: 8.3MB

memory/3400-134-0x0000000000000000-mapping.dmp

memory/3400-137-0x0000000000400000-0x0000000000DC7000-memory.dmp
Filesize: 9.8MB

memory/3400-139-0x0000000000400000-0x0000000000DC7000-memory.dmp
Filesize: 9.8MB