5fe4e659c4bd91aec2a126c8f74b01b37d6ffc6701657c93d193decfe19834d0

Analysis

max time kernel
193s
max time network
199s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2022 09:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

report-order-tracking-genereted-auto-gls.exe
Size

248KB
MD5

d8704f06cb0813c2cbb543b95fda51ce
SHA1

987886e485ecf443002159065411e42cb0dfc264
SHA256

39202dbfb206cb19ae76895199276a0e51ed7b66adf3d3c50da86926bb2f7b40
SHA512

473b859bb0a9c2a5837891aba52ab546f07b5db97f15f2ed44944413f151a2fac9116fd1fb17e02b198e63b835948c75a31abbb9982bb201f0999707550d9cc8
SSDEEP

3072:nhFldQnaongiDIhFxbQO48QmcjVDLAAbwwNL768P2NU+dNWz+78/H6OUdDGBLgvC:NbQFZ1ZnzFFPyc+A/etYXg0kZO0Cm

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1348	vhwmdff.exe
2840	vhwmdff.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2700 set thread context of 2552	2700	report-order-tracking-genereted-auto-gls.exe	82
PID 1348 set thread context of 2840	1348	vhwmdff.exe	85

Modifies registry class 8 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133139819072110479"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133139818191798832"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133139819070861786"	svchost.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2552	report-order-tracking-genereted-auto-gls.exe
2552	report-order-tracking-genereted-auto-gls.exe
2840	vhwmdff.exe
2840	vhwmdff.exe
2840	vhwmdff.exe
2840	vhwmdff.exe
2840	vhwmdff.exe
2840	vhwmdff.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeDebugPrivilege	2840	vhwmdff.exe
Token: SeTcbPrivilege	772	svchost.exe
Token: SeTcbPrivilege	772	svchost.exe
Token: SeTcbPrivilege	772	svchost.exe
Token: SeTcbPrivilege	772	svchost.exe
Token: SeTcbPrivilege	772	svchost.exe
Token: SeTcbPrivilege	772	svchost.exe
Token: SeTcbPrivilege	772	svchost.exe
Token: SeTcbPrivilege	772	svchost.exe
Token: SeTcbPrivilege	772	svchost.exe
Token: SeTcbPrivilege	772	svchost.exe
Token: SeTcbPrivilege	772	svchost.exe
Token: SeTcbPrivilege	772	svchost.exe
Token: SeTcbPrivilege	772	svchost.exe
Token: SeTcbPrivilege	772	svchost.exe
Token: SeTcbPrivilege	772	svchost.exe
Token: SeTcbPrivilege	772	svchost.exe
Token: SeTcbPrivilege	772	svchost.exe
Token: SeTcbPrivilege	772	svchost.exe
Token: SeTcbPrivilege	772	svchost.exe
Token: SeTcbPrivilege	772	svchost.exe
Token: SeTcbPrivilege	772	svchost.exe
Token: SeTcbPrivilege	772	svchost.exe
Token: SeTcbPrivilege	772	svchost.exe
Token: SeTcbPrivilege	772	svchost.exe
Token: SeTcbPrivilege	772	svchost.exe
Token: SeTcbPrivilege	772	svchost.exe
Token: SeTcbPrivilege	772	svchost.exe
Token: SeTcbPrivilege	772	svchost.exe
Token: SeTcbPrivilege	772	svchost.exe
Token: SeTcbPrivilege	772	svchost.exe
Token: SeTcbPrivilege	772	svchost.exe
Token: SeTcbPrivilege	772	svchost.exe
Token: SeTcbPrivilege	772	svchost.exe
Token: SeTcbPrivilege	772	svchost.exe
Token: SeTcbPrivilege	772	svchost.exe
Token: SeTcbPrivilege	772	svchost.exe
Token: SeTcbPrivilege	772	svchost.exe
Token: SeTcbPrivilege	772	svchost.exe
Token: SeTcbPrivilege	772	svchost.exe
Token: SeTcbPrivilege	772	svchost.exe
Token: SeTcbPrivilege	772	svchost.exe
Token: SeTcbPrivilege	772	svchost.exe
Token: SeTcbPrivilege	772	svchost.exe
Token: SeTcbPrivilege	772	svchost.exe
Token: SeTcbPrivilege	772	svchost.exe
Token: SeTcbPrivilege	772	svchost.exe
Token: SeTcbPrivilege	772	svchost.exe
Token: SeTcbPrivilege	772	svchost.exe
Token: SeTcbPrivilege	772	svchost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2700	report-order-tracking-genereted-auto-gls.exe
1348	vhwmdff.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 2552	2700	report-order-tracking-genereted-auto-gls.exe	82
PID 2700 wrote to memory of 2552	2700	report-order-tracking-genereted-auto-gls.exe	82
PID 2700 wrote to memory of 2552	2700	report-order-tracking-genereted-auto-gls.exe	82
PID 2700 wrote to memory of 2552	2700	report-order-tracking-genereted-auto-gls.exe	82
PID 2700 wrote to memory of 2552	2700	report-order-tracking-genereted-auto-gls.exe	82
PID 2700 wrote to memory of 2552	2700	report-order-tracking-genereted-auto-gls.exe	82
PID 1348 wrote to memory of 2840	1348	vhwmdff.exe	85
PID 1348 wrote to memory of 2840	1348	vhwmdff.exe	85
PID 1348 wrote to memory of 2840	1348	vhwmdff.exe	85
PID 1348 wrote to memory of 2840	1348	vhwmdff.exe	85
PID 1348 wrote to memory of 2840	1348	vhwmdff.exe	85
PID 1348 wrote to memory of 2840	1348	vhwmdff.exe	85
PID 2840 wrote to memory of 772	2840	vhwmdff.exe	8
PID 772 wrote to memory of 1572	772	svchost.exe	86
PID 772 wrote to memory of 1572	772	svchost.exe	86
PID 772 wrote to memory of 1572	772	svchost.exe	86
PID 772 wrote to memory of 2540	772	svchost.exe	87
PID 772 wrote to memory of 2540	772	svchost.exe	87
PID 772 wrote to memory of 3464	772	svchost.exe	88
PID 772 wrote to memory of 3464	772	svchost.exe	88

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:772
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:1572
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:2540
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  2⤵
  PID:3464

C:\Users\Admin\AppData\Local\Temp\report-order-tracking-genereted-auto-gls.exe
"C:\Users\Admin\AppData\Local\Temp\report-order-tracking-genereted-auto-gls.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Users\Admin\AppData\Local\Temp\report-order-tracking-genereted-auto-gls.exe
  "C:\Users\Admin\AppData\Local\Temp\report-order-tracking-genereted-auto-gls.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2552

C:\Users\Admin\AppData\Local\Temp\vhwmdff.exe
C:\Users\Admin\AppData\Local\Temp\vhwmdff.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1348
- C:\Users\Admin\AppData\Local\Temp\vhwmdff.exe
  "C:\Users\Admin\AppData\Local\Temp\vhwmdff.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2840

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SoftwareDistribution\nxzrgth

Filesize
654B

MD5
90a42a44d660e37f65e9eb939e46642c

SHA1
fc76a4c16f406276ca94a6018b7d9f2e2b0ba3ea

SHA256
6a90d760f3acd0ad6d936b659ac37b767a72b60267ad293df38e3e2f22ced94f

SHA512
ef370e442ef38f5a79127e34ac45ab08ddcf32f2fa909cc94ecdd92a93119ae594f5668f576b25c18a9fe658d1fec5532e80fadec7abc5e33bc38fbd8235a0d7

Download Submit
C:\ProgramData\SoftwareDistribution\nxzrgth

Filesize
654B

MD5
90a42a44d660e37f65e9eb939e46642c

SHA1
fc76a4c16f406276ca94a6018b7d9f2e2b0ba3ea

SHA256
6a90d760f3acd0ad6d936b659ac37b767a72b60267ad293df38e3e2f22ced94f

SHA512
ef370e442ef38f5a79127e34ac45ab08ddcf32f2fa909cc94ecdd92a93119ae594f5668f576b25c18a9fe658d1fec5532e80fadec7abc5e33bc38fbd8235a0d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\vhwmdff.exe

Filesize
248KB

MD5
d8704f06cb0813c2cbb543b95fda51ce

SHA1
987886e485ecf443002159065411e42cb0dfc264

SHA256
39202dbfb206cb19ae76895199276a0e51ed7b66adf3d3c50da86926bb2f7b40

SHA512
473b859bb0a9c2a5837891aba52ab546f07b5db97f15f2ed44944413f151a2fac9116fd1fb17e02b198e63b835948c75a31abbb9982bb201f0999707550d9cc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vhwmdff.exe

Filesize
248KB

MD5
d8704f06cb0813c2cbb543b95fda51ce

SHA1
987886e485ecf443002159065411e42cb0dfc264

SHA256
39202dbfb206cb19ae76895199276a0e51ed7b66adf3d3c50da86926bb2f7b40

SHA512
473b859bb0a9c2a5837891aba52ab546f07b5db97f15f2ed44944413f151a2fac9116fd1fb17e02b198e63b835948c75a31abbb9982bb201f0999707550d9cc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vhwmdff.exe

Filesize
248KB

MD5
d8704f06cb0813c2cbb543b95fda51ce

SHA1
987886e485ecf443002159065411e42cb0dfc264

SHA256
39202dbfb206cb19ae76895199276a0e51ed7b66adf3d3c50da86926bb2f7b40

SHA512
473b859bb0a9c2a5837891aba52ab546f07b5db97f15f2ed44944413f151a2fac9116fd1fb17e02b198e63b835948c75a31abbb9982bb201f0999707550d9cc8

Download Submit
memory/772-150-0x0000000031AE0000-0x0000000031B57000-memory.dmp

Filesize
476KB

Download
memory/2552-139-0x0000000000400000-0x0000000000426E00-memory.dmp

Filesize
155KB

Download
memory/2552-138-0x00000000007C0000-0x00000000008F3000-memory.dmp

Filesize
1.2MB

Download
memory/2552-137-0x00000000006B0000-0x00000000007B2000-memory.dmp

Filesize
1.0MB

Download
memory/2552-135-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2840-149-0x0000000000740000-0x0000000000873000-memory.dmp

Filesize
1.2MB

Download