Analysis
- max time kernel: 189s
- max time network: 214s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-11-2022 19:30
Static task: static1
Behavioral task: behavioral1
- Sample: bd7180051e4b2f523be9e231fe90e6360629e882c8b473456ab41439cf666a88.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: bd7180051e4b2f523be9e231fe90e6360629e882c8b473456ab41439cf666a88.exe
- Resource: win10v2004-20220812-en
General
- Target: bd7180051e4b2f523be9e231fe90e6360629e882c8b473456ab41439cf666a88.exe
- Size: 98KB
- MD5: 878f216f41c7c5d7ed5d6785a1fa6be9
- SHA1: 5f2b9a1e1c309e628ed3404ccfe0189a4b131762
- SHA256: bd7180051e4b2f523be9e231fe90e6360629e882c8b473456ab41439cf666a88
- SHA512: fcc24a63fb4dfc16995036898c3d9798b3d82702bc8a1334b1391fe958a2536adf5a67cd65617c176ba19e1f578feaca7b53fad90ce65f703ce8aa3d4597c648
- SSDEEP: 3072:wbby87RL8RTb/0vdCfvPeTXf3qDqGgn3VH5tQ9:8287RLj1pTXJxb
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
  pid 5052 | process service.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes (description | ioc | process):
  Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run | reg.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AutoUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\perflog\\service.exe" | reg.exe
  Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run | reg.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AutoUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\perflog\\service.exe" | reg.exe
- Program crash (2 IoCs)
  Processes (pid | pid_target | process | target process):
  4604 | 5052 | WerFault.exe | service.exe
  324 | 5052 | WerFault.exe | service.exe
- Modifies registry key (1 TTP, 2 IoCs)
- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes (description | pid | process | target process):
  PID 4280 wrote to memory of 5052 | 4280 | bd7180051e4b2f523be9e231fe90e6360629e882c8b473456ab41439cf666a88.exe | service.exe
  PID 4280 wrote to memory of 5052 | 4280 | bd7180051e4b2f523be9e231fe90e6360629e882c8b473456ab41439cf666a88.exe | service.exe
  PID 4280 wrote to memory of 5052 | 4280 | bd7180051e4b2f523be9e231fe90e6360629e882c8b473456ab41439cf666a88.exe | service.exe
  PID 5052 wrote to memory of 5012 | 5052 | service.exe | cmd.exe
  PID 5052 wrote to memory of 5012 | 5052 | service.exe | cmd.exe
  PID 5052 wrote to memory of 5012 | 5052 | service.exe | cmd.exe
  PID 5012 wrote to memory of 4448 | 5012 | cmd.exe | reg.exe
  PID 5012 wrote to memory of 4448 | 5012 | cmd.exe | reg.exe
  PID 5012 wrote to memory of 4448 | 5012 | cmd.exe | reg.exe
  PID 5052 wrote to memory of 636 | 5052 | service.exe | cmd.exe
  PID 5052 wrote to memory of 636 | 5052 | service.exe | cmd.exe
  PID 5052 wrote to memory of 636 | 5052 | service.exe | cmd.exe
  PID 636 wrote to memory of 3600 | 636 | cmd.exe | reg.exe
  PID 636 wrote to memory of 3600 | 636 | cmd.exe | reg.exe
  PID 636 wrote to memory of 3600 | 636 | cmd.exe | reg.exe
  PID 5052 wrote to memory of 324 | 5052 | service.exe | WerFault.exe
  PID 5052 wrote to memory of 324 | 5052 | service.exe | WerFault.exe
  PID 5052 wrote to memory of 324 | 5052 | service.exe | WerFault.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\bd7180051e4b2f523be9e231fe90e6360629e882c8b473456ab41439cf666a88.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\bd7180051e4b2f523be9e231fe90e6360629e882c8b473456ab41439cf666a88.exe"
  PID: 4280
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\perflog\service.exe
    command line: C:\Users\Admin\AppData\Local\Temp\perflog\service.exe
    PID: 5052
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c "REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AutoUpdate /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\perflog\service.exe /f"
      PID: 5012
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\reg.exe
        command line: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AutoUpdate /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\perflog\service.exe /f
        PID: 4448
        - Adds Run key to start application
        - Modifies registry key
    - C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c "REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AutoUpdate /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\perflog\service.exe /f"
      PID: 636
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\reg.exe
        command line: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AutoUpdate /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\perflog\service.exe /f
        PID: 3600
        - Adds Run key to start application
        - Modifies registry key
    - C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 1244
      PID: 4604
      - Program crash
    - C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 1244
      PID: 324
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 5052 -ip 5052
  PID: 4364
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\perflog\service.exe
  Filesize: 98KB
  MD5: 878f216f41c7c5d7ed5d6785a1fa6be9
  SHA1: 5f2b9a1e1c309e628ed3404ccfe0189a4b131762
  SHA256: bd7180051e4b2f523be9e231fe90e6360629e882c8b473456ab41439cf666a88
  SHA512: fcc24a63fb4dfc16995036898c3d9798b3d82702bc8a1334b1391fe958a2536adf5a67cd65617c176ba19e1f578feaca7b53fad90ce65f703ce8aa3d4597c648
- memory/324-139-0x0000000000000000-mapping.dmp
- memory/636-137-0x0000000000000000-mapping.dmp
- memory/3600-138-0x0000000000000000-mapping.dmp
- memory/4448-136-0x0000000000000000-mapping.dmp
- memory/5012-135-0x0000000000000000-mapping.dmp
- memory/5052-132-0x0000000000000000-mapping.dmp