Analysis
-
max time kernel
157s -
max time network
179s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
28-11-2022 04:27
Static task
static1
Behavioral task
behavioral1
Sample
8aae7f0575d68d4070b66bb528c3e4f4270a09156c00989fe25609c7b519a76d.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
8aae7f0575d68d4070b66bb528c3e4f4270a09156c00989fe25609c7b519a76d.exe
Resource
win10v2004-20220812-en
General
-
Target
8aae7f0575d68d4070b66bb528c3e4f4270a09156c00989fe25609c7b519a76d.exe
-
Size
352KB
-
MD5
b4de54b35be567dccdb82bdd68ee2e65
-
SHA1
2bd1c9fa438584b9305cd08f7b81c3b02eb9bfdc
-
SHA256
8aae7f0575d68d4070b66bb528c3e4f4270a09156c00989fe25609c7b519a76d
-
SHA512
8d5a2128d10061572550ca3af95e04af04b3149af64306aa2044c23772651054e010ad9a3b6ffc6103bcde5c934abb00f81f74dc819292be888652f41da1124c
-
SSDEEP
6144:Ii7FhAd2I4+zdGDSkKstgehkB2bNlHRQp1SKjrU8C:nFmdH4adGDSkl9/87
Malware Config
Signatures
-
Drops startup file 1 IoCs
Processes:
explorer.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1cb07beb.exe explorer.exe -
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
explorer.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1cb07beb = "C:\\Users\\Admin\\AppData\\Roaming\\1cb07beb.exe" explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*cb07beb = "C:\\Users\\Admin\\AppData\\Roaming\\1cb07beb.exe" explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1cb07be = "C:\\1cb07beb\\1cb07beb.exe" explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*cb07be = "C:\\1cb07beb\\1cb07beb.exe" explorer.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 23 ip-addr.es 25 ip-addr.es -
Program crash 2 IoCs
Processes:
WerFault.exeWerFault.exepid pid_target process target process 392 4752 WerFault.exe 8aae7f0575d68d4070b66bb528c3e4f4270a09156c00989fe25609c7b519a76d.exe 4840 4752 WerFault.exe 8aae7f0575d68d4070b66bb528c3e4f4270a09156c00989fe25609c7b519a76d.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
8aae7f0575d68d4070b66bb528c3e4f4270a09156c00989fe25609c7b519a76d.exepid process 4752 8aae7f0575d68d4070b66bb528c3e4f4270a09156c00989fe25609c7b519a76d.exe 4752 8aae7f0575d68d4070b66bb528c3e4f4270a09156c00989fe25609c7b519a76d.exe -
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
8aae7f0575d68d4070b66bb528c3e4f4270a09156c00989fe25609c7b519a76d.exeexplorer.exepid process 4752 8aae7f0575d68d4070b66bb528c3e4f4270a09156c00989fe25609c7b519a76d.exe 4776 explorer.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
8aae7f0575d68d4070b66bb528c3e4f4270a09156c00989fe25609c7b519a76d.exeexplorer.exedescription pid process target process PID 4752 wrote to memory of 4776 4752 8aae7f0575d68d4070b66bb528c3e4f4270a09156c00989fe25609c7b519a76d.exe explorer.exe PID 4752 wrote to memory of 4776 4752 8aae7f0575d68d4070b66bb528c3e4f4270a09156c00989fe25609c7b519a76d.exe explorer.exe PID 4752 wrote to memory of 4776 4752 8aae7f0575d68d4070b66bb528c3e4f4270a09156c00989fe25609c7b519a76d.exe explorer.exe PID 4776 wrote to memory of 4540 4776 explorer.exe svchost.exe PID 4776 wrote to memory of 4540 4776 explorer.exe svchost.exe PID 4776 wrote to memory of 4540 4776 explorer.exe svchost.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\8aae7f0575d68d4070b66bb528c3e4f4270a09156c00989fe25609c7b519a76d.exe"C:\Users\Admin\AppData\Local\Temp\8aae7f0575d68d4070b66bb528c3e4f4270a09156c00989fe25609c7b519a76d.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 6122⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 6202⤵
- Program crash
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\syswow64\explorer.exe"2⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exe-k netsvcs3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4752 -ip 47521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4752 -ip 47521⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/4540-136-0x0000000000000000-mapping.dmp
-
memory/4540-137-0x0000000000880000-0x00000000008A5000-memory.dmpFilesize
148KB
-
memory/4540-138-0x0000000000880000-0x00000000008A5000-memory.dmpFilesize
148KB
-
memory/4752-132-0x0000000002940000-0x0000000002F8A000-memory.dmpFilesize
6.3MB
-
memory/4752-133-0x0000000000400000-0x000000000045E000-memory.dmpFilesize
376KB
-
memory/4776-134-0x0000000000000000-mapping.dmp
-
memory/4776-135-0x0000000000B50000-0x0000000000B75000-memory.dmpFilesize
148KB