Analysis
- max time kernel: 175s
- max time network: 191s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-11-2022 12:08
Static task: static1
Behavioral task: behavioral1
- Sample: 815034ff8c9402429919a3cfb8fcee61fd1c9d845421ec271140e90d8038b650.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: 815034ff8c9402429919a3cfb8fcee61fd1c9d845421ec271140e90d8038b650.exe
- Resource: win10v2004-20220812-en
General
- Target: 815034ff8c9402429919a3cfb8fcee61fd1c9d845421ec271140e90d8038b650.exe
- Size: 184KB
- MD5: 8d65c6f7d838d6982e4bd4aa95b61fcb
- SHA1: 269b82089574b05c8e6e87e6bf913e47976e62d0
- SHA256: 815034ff8c9402429919a3cfb8fcee61fd1c9d845421ec271140e90d8038b650
- SHA512: c25a92a716303e33c405302a52f619065acb1881efeaeaa621c88e4b47122d8b307385766cc0608dc3a3744c4e15d4af6806b16c7f9372358613047db5ef5b40
- SSDEEP: 3072:JxUHhqoy+93APiDIZJhyirBBK/7Xf8umddy4QvZm3pTF9YvfcTnXAM:Jx5u3mFrBc/7Xf8umdUwZTLYCXL
Malware Config
Signatures
-
Processes:
resource | yara_rule
behavioral2/memory/4872-133-0x0000000000400000-0x0000000000429000-memory.dmp | cryptone
behavioral2/memory/4832-139-0x0000000000D70000-0x0000000000D99000-memory.dmp | cryptone
behavioral2/memory/4832-140-0x0000000000D70000-0x0000000000D99000-memory.dmp | cryptone
behavioral2/memory/4832-141-0x0000000000D70000-0x0000000000D99000-memory.dmp | cryptone
behavioral2/memory/4872-145-0x0000000000400000-0x0000000000429000-memory.dmp | cryptone
behavioral2/memory/4244-147-0x0000000000C70000-0x0000000000C99000-memory.dmp | cryptone
- Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: mspaint.exe, svchost.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ykrvrt = "C:\\Users\\Admin\\AppData\\Roaming\\Identities\\Ykrvrt.exe" | mspaint.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe System Incorporated = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Adobe\\Reader_sl.exe" | svchost.exe
- Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: svchost.exe, mspaint.exe
description | ioc | process
File opened (read-only) | \??\F: | svchost.exe
File opened (read-only) | \??\V: | svchost.exe
File opened (read-only) | \??\H: | svchost.exe
File opened (read-only) | \??\I: | svchost.exe
File opened (read-only) | \??\K: | svchost.exe
File opened (read-only) | \??\L: | svchost.exe
File opened (read-only) | \??\O: | svchost.exe
File opened (read-only) | \??\W: | svchost.exe
File opened (read-only) | \??\B: | svchost.exe
File opened (read-only) | \??\E: | svchost.exe
File opened (read-only) | \??\D: | mspaint.exe
File opened (read-only) | \??\P: | svchost.exe
File opened (read-only) | \??\Q: | svchost.exe
File opened (read-only) | \??\U: | svchost.exe
File opened (read-only) | \??\X: | svchost.exe
File opened (read-only) | \??\Y: | svchost.exe
File opened (read-only) | \??\J: | svchost.exe
File opened (read-only) | \??\M: | svchost.exe
File opened (read-only) | \??\R: | svchost.exe
File opened (read-only) | \??\S: | svchost.exe
File opened (read-only) | \??\T: | svchost.exe
File opened (read-only) | \??\Z: | svchost.exe
File opened (read-only) | \??\G: | svchost.exe
File opened (read-only) | \??\N: | svchost.exe
- Suspicious use of SetThreadContext (2 IoCs)
Processes: 815034ff8c9402429919a3cfb8fcee61fd1c9d845421ec271140e90d8038b650.exe, 815034ff8c9402429919a3cfb8fcee61fd1c9d845421ec271140e90d8038b650.exe
description | pid | process | target process
PID 312 set thread context of 4872 | 312 | 815034ff8c9402429919a3cfb8fcee61fd1c9d845421ec271140e90d8038b650.exe | 815034ff8c9402429919a3cfb8fcee61fd1c9d845421ec271140e90d8038b650.exe
PID 4872 set thread context of 3272 | 4872 | 815034ff8c9402429919a3cfb8fcee61fd1c9d845421ec271140e90d8038b650.exe | 815034ff8c9402429919a3cfb8fcee61fd1c9d845421ec271140e90d8038b650.exe
- Suspicious behavior: EnumeratesProcesses (9 IoCs)
Processes: 815034ff8c9402429919a3cfb8fcee61fd1c9d845421ec271140e90d8038b650.exe, svchost.exe, 815034ff8c9402429919a3cfb8fcee61fd1c9d845421ec271140e90d8038b650.exe
pid | process
312 | 815034ff8c9402429919a3cfb8fcee61fd1c9d845421ec271140e90d8038b650.exe
312 | 815034ff8c9402429919a3cfb8fcee61fd1c9d845421ec271140e90d8038b650.exe
312 | 815034ff8c9402429919a3cfb8fcee61fd1c9d845421ec271140e90d8038b650.exe
312 | 815034ff8c9402429919a3cfb8fcee61fd1c9d845421ec271140e90d8038b650.exe
4244 | svchost.exe
4244 | svchost.exe
3272 | 815034ff8c9402429919a3cfb8fcee61fd1c9d845421ec271140e90d8038b650.exe
3272 | 815034ff8c9402429919a3cfb8fcee61fd1c9d845421ec271140e90d8038b650.exe
3272 | 815034ff8c9402429919a3cfb8fcee61fd1c9d845421ec271140e90d8038b650.exe
- Suspicious behavior: RenamesItself (1 IoCs)
Processes: 815034ff8c9402429919a3cfb8fcee61fd1c9d845421ec271140e90d8038b650.exe
pid | process
4872 | 815034ff8c9402429919a3cfb8fcee61fd1c9d845421ec271140e90d8038b650.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes: 815034ff8c9402429919a3cfb8fcee61fd1c9d845421ec271140e90d8038b650.exe, svchost.exe, calc.exe, mspaint.exe
description | pid | process
Token: SeDebugPrivilege | 3272 | 815034ff8c9402429919a3cfb8fcee61fd1c9d845421ec271140e90d8038b650.exe
Token: SeDebugPrivilege | 4244 | svchost.exe
Token: SeDebugPrivilege | 4852 | calc.exe
Token: SeDebugPrivilege | 4832 | mspaint.exe
- Suspicious use of WriteProcessMemory (38 IoCs)
Processes: 815034ff8c9402429919a3cfb8fcee61fd1c9d845421ec271140e90d8038b650.exe, 815034ff8c9402429919a3cfb8fcee61fd1c9d845421ec271140e90d8038b650.exe, svchost.exe, 815034ff8c9402429919a3cfb8fcee61fd1c9d845421ec271140e90d8038b650.exe
description | pid | process | target process
PID 312 wrote to memory of 4872 | 312 | 815034ff8c9402429919a3cfb8fcee61fd1c9d845421ec271140e90d8038b650.exe | 815034ff8c9402429919a3cfb8fcee61fd1c9d845421ec271140e90d8038b650.exe
PID 312 wrote to memory of 4872 | 312 | 815034ff8c9402429919a3cfb8fcee61fd1c9d845421ec271140e90d8038b650.exe | 815034ff8c9402429919a3cfb8fcee61fd1c9d845421ec271140e90d8038b650.exe
PID 312 wrote to memory of 4872 | 312 | 815034ff8c9402429919a3cfb8fcee61fd1c9d845421ec271140e90d8038b650.exe | 815034ff8c9402429919a3cfb8fcee61fd1c9d845421ec271140e90d8038b650.exe
PID 312 wrote to memory of 4872 | 312 | 815034ff8c9402429919a3cfb8fcee61fd1c9d845421ec271140e90d8038b650.exe | 815034ff8c9402429919a3cfb8fcee61fd1c9d845421ec271140e90d8038b650.exe
PID 312 wrote to memory of 4872 | 312 | 815034ff8c9402429919a3cfb8fcee61fd1c9d845421ec271140e90d8038b650.exe | 815034ff8c9402429919a3cfb8fcee61fd1c9d845421ec271140e90d8038b650.exe
PID 312 wrote to memory of 4872 | 312 | 815034ff8c9402429919a3cfb8fcee61fd1c9d845421ec271140e90d8038b650.exe | 815034ff8c9402429919a3cfb8fcee61fd1c9d845421ec271140e90d8038b650.exe
PID 312 wrote to memory of 4872 | 312 | 815034ff8c9402429919a3cfb8fcee61fd1c9d845421ec271140e90d8038b650.exe | 815034ff8c9402429919a3cfb8fcee61fd1c9d845421ec271140e90d8038b650.exe
PID 312 wrote to memory of 4872 | 312 | 815034ff8c9402429919a3cfb8fcee61fd1c9d845421ec271140e90d8038b650.exe | 815034ff8c9402429919a3cfb8fcee61fd1c9d845421ec271140e90d8038b650.exe
PID 312 wrote to memory of 4872 | 312 | 815034ff8c9402429919a3cfb8fcee61fd1c9d845421ec271140e90d8038b650.exe | 815034ff8c9402429919a3cfb8fcee61fd1c9d845421ec271140e90d8038b650.exe
PID 312 wrote to memory of 4872 | 312 | 815034ff8c9402429919a3cfb8fcee61fd1c9d845421ec271140e90d8038b650.exe | 815034ff8c9402429919a3cfb8fcee61fd1c9d845421ec271140e90d8038b650.exe
PID 4872 wrote to memory of 4244 | 4872 | 815034ff8c9402429919a3cfb8fcee61fd1c9d845421ec271140e90d8038b650.exe | svchost.exe
PID 4872 wrote to memory of 4244 | 4872 | 815034ff8c9402429919a3cfb8fcee61fd1c9d845421ec271140e90d8038b650.exe | svchost.exe
PID 4872 wrote to memory of 4244 | 4872 | 815034ff8c9402429919a3cfb8fcee61fd1c9d845421ec271140e90d8038b650.exe | svchost.exe
PID 4872 wrote to memory of 4244 | 4872 | 815034ff8c9402429919a3cfb8fcee61fd1c9d845421ec271140e90d8038b650.exe | svchost.exe
PID 4872 wrote to memory of 4852 | 4872 | 815034ff8c9402429919a3cfb8fcee61fd1c9d845421ec271140e90d8038b650.exe | calc.exe
PID 4872 wrote to memory of 4852 | 4872 | 815034ff8c9402429919a3cfb8fcee61fd1c9d845421ec271140e90d8038b650.exe | calc.exe
PID 4872 wrote to memory of 4852 | 4872 | 815034ff8c9402429919a3cfb8fcee61fd1c9d845421ec271140e90d8038b650.exe | calc.exe
PID 4872 wrote to memory of 4852 | 4872 | 815034ff8c9402429919a3cfb8fcee61fd1c9d845421ec271140e90d8038b650.exe | calc.exe
PID 4872 wrote to memory of 4852 | 4872 | 815034ff8c9402429919a3cfb8fcee61fd1c9d845421ec271140e90d8038b650.exe | calc.exe
PID 4244 wrote to memory of 4832 | 4244 | svchost.exe | mspaint.exe
PID 4244 wrote to memory of 4832 | 4244 | svchost.exe | mspaint.exe
PID 4244 wrote to memory of 4832 | 4244 | svchost.exe | mspaint.exe
PID 4244 wrote to memory of 4832 | 4244 | svchost.exe | mspaint.exe
PID 4872 wrote to memory of 3272 | 4872 | 815034ff8c9402429919a3cfb8fcee61fd1c9d845421ec271140e90d8038b650.exe | 815034ff8c9402429919a3cfb8fcee61fd1c9d845421ec271140e90d8038b650.exe
PID 4872 wrote to memory of 3272 | 4872 | 815034ff8c9402429919a3cfb8fcee61fd1c9d845421ec271140e90d8038b650.exe | 815034ff8c9402429919a3cfb8fcee61fd1c9d845421ec271140e90d8038b650.exe
PID 4872 wrote to memory of 3272 | 4872 | 815034ff8c9402429919a3cfb8fcee61fd1c9d845421ec271140e90d8038b650.exe | 815034ff8c9402429919a3cfb8fcee61fd1c9d845421ec271140e90d8038b650.exe
PID 4872 wrote to memory of 3272 | 4872 | 815034ff8c9402429919a3cfb8fcee61fd1c9d845421ec271140e90d8038b650.exe | 815034ff8c9402429919a3cfb8fcee61fd1c9d845421ec271140e90d8038b650.exe
PID 4872 wrote to memory of 3272 | 4872 | 815034ff8c9402429919a3cfb8fcee61fd1c9d845421ec271140e90d8038b650.exe | 815034ff8c9402429919a3cfb8fcee61fd1c9d845421ec271140e90d8038b650.exe
PID 4872 wrote to memory of 3272 | 4872 | 815034ff8c9402429919a3cfb8fcee61fd1c9d845421ec271140e90d8038b650.exe | 815034ff8c9402429919a3cfb8fcee61fd1c9d845421ec271140e90d8038b650.exe
PID 4872 wrote to memory of 3272 | 4872 | 815034ff8c9402429919a3cfb8fcee61fd1c9d845421ec271140e90d8038b650.exe | 815034ff8c9402429919a3cfb8fcee61fd1c9d845421ec271140e90d8038b650.exe
PID 4872 wrote to memory of 3272 | 4872 | 815034ff8c9402429919a3cfb8fcee61fd1c9d845421ec271140e90d8038b650.exe | 815034ff8c9402429919a3cfb8fcee61fd1c9d845421ec271140e90d8038b650.exe
PID 4872 wrote to memory of 3272 | 4872 | 815034ff8c9402429919a3cfb8fcee61fd1c9d845421ec271140e90d8038b650.exe | 815034ff8c9402429919a3cfb8fcee61fd1c9d845421ec271140e90d8038b650.exe
PID 3272 wrote to memory of 4244 | 3272 | 815034ff8c9402429919a3cfb8fcee61fd1c9d845421ec271140e90d8038b650.exe | svchost.exe
PID 3272 wrote to memory of 4244 | 3272 | 815034ff8c9402429919a3cfb8fcee61fd1c9d845421ec271140e90d8038b650.exe | svchost.exe
PID 3272 wrote to memory of 4852 | 3272 | 815034ff8c9402429919a3cfb8fcee61fd1c9d845421ec271140e90d8038b650.exe | calc.exe
PID 3272 wrote to memory of 4852 | 3272 | 815034ff8c9402429919a3cfb8fcee61fd1c9d845421ec271140e90d8038b650.exe | calc.exe
PID 3272 wrote to memory of 4832 | 3272 | 815034ff8c9402429919a3cfb8fcee61fd1c9d845421ec271140e90d8038b650.exe | mspaint.exe
PID 3272 wrote to memory of 4832 | 3272 | 815034ff8c9402429919a3cfb8fcee61fd1c9d845421ec271140e90d8038b650.exe | mspaint.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\815034ff8c9402429919a3cfb8fcee61fd1c9d845421ec271140e90d8038b650.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\815034ff8c9402429919a3cfb8fcee61fd1c9d845421ec271140e90d8038b650.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\815034ff8c9402429919a3cfb8fcee61fd1c9d845421ec271140e90d8038b650.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\815034ff8c9402429919a3cfb8fcee61fd1c9d845421ec271140e90d8038b650.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\svchost.exe
      Command line: "C:\Windows\SysWOW64\svchost.exe"
      - Adds Run key to start application
      - Enumerates connected drives
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\mspaint.exe
        Command line: "C:\Windows\SysWOW64\mspaint.exe"
        - Adds Run key to start application
        - Enumerates connected drives
        - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\calc.exe
      Command line: "C:\Windows\SysWOW64\calc.exe"
      - Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\815034ff8c9402429919a3cfb8fcee61fd1c9d845421ec271140e90d8038b650.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\815034ff8c9402429919a3cfb8fcee61fd1c9d845421ec271140e90d8038b650.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/312-135-0x0000000004D10000-0x0000000004D2A000-memory.dmp (Filesize 104KB)
- memory/3272-144-0x0000000000400000-0x000000000044E000-memory.dmp (Filesize 312KB)
- memory/3272-151-0x0000000000400000-0x000000000044E000-memory.dmp (Filesize 312KB)
- memory/3272-150-0x0000000000400000-0x000000000044E000-memory.dmp (Filesize 312KB)
- memory/3272-149-0x0000000000400000-0x000000000044E000-memory.dmp (Filesize 312KB)
- memory/3272-143-0x0000000000000000-mapping.dmp
- memory/4244-152-0x0000000000CB0000-0x0000000000CFE000-memory.dmp (Filesize 312KB)
- memory/4244-136-0x0000000000000000-mapping.dmp
- memory/4244-147-0x0000000000C70000-0x0000000000C99000-memory.dmp (Filesize 164KB)
- memory/4832-138-0x0000000000000000-mapping.dmp
- memory/4832-142-0x0000000000D70000-0x0000000000D99000-memory.dmp (Filesize 164KB)
- memory/4832-141-0x0000000000D70000-0x0000000000D99000-memory.dmp (Filesize 164KB)
- memory/4832-140-0x0000000000D70000-0x0000000000D99000-memory.dmp (Filesize 164KB)
- memory/4832-139-0x0000000000D70000-0x0000000000D99000-memory.dmp (Filesize 164KB)
- memory/4832-148-0x0000000000D70000-0x0000000000D99000-memory.dmp (Filesize 164KB)
- memory/4832-154-0x0000000002C00000-0x0000000002C4E000-memory.dmp (Filesize 312KB)
- memory/4832-155-0x0000000002C00000-0x0000000002C4E000-memory.dmp (Filesize 312KB)
- memory/4852-137-0x0000000000000000-mapping.dmp
- memory/4852-153-0x0000000000870000-0x00000000008BE000-memory.dmp (Filesize 312KB)
- memory/4872-145-0x0000000000400000-0x0000000000429000-memory.dmp (Filesize 164KB)
- memory/4872-132-0x0000000000000000-mapping.dmp
- memory/4872-133-0x0000000000400000-0x0000000000429000-memory.dmp (Filesize 164KB)