Analysis
max time kernel: 182s
max time network: 194s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-11-2022 15:04

Static task: static1
Behavioral task: behavioral1
  Sample: 22170077277aa8d7f3fe0e30bcb187cfa7dcda0d018d6cabf1bde17d24fadda8.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 22170077277aa8d7f3fe0e30bcb187cfa7dcda0d018d6cabf1bde17d24fadda8.exe
  Resource: win10v2004-20220812-en

General
Target: 22170077277aa8d7f3fe0e30bcb187cfa7dcda0d018d6cabf1bde17d24fadda8.exe
Size: 261KB
MD5: 3bb35ccb6bd85fee083abc2c3f67a306
SHA1: cf441832bf08474040a687e86807d2c966cf56c6
SHA256: 22170077277aa8d7f3fe0e30bcb187cfa7dcda0d018d6cabf1bde17d24fadda8
SHA512: d864daac805a2ea631c77bac45bbaf7bd08d1a9565e99c426f6f15f444489cd01331d0f127807f7977f6f4dba0cf0a71b57b596109ca9836b216b7d4bca9a2db
SSDEEP: 6144:d9wAfXp+1RrZmnq4eiiRtYhjgBlIbqDzt:/wj8DjyYhjgvIWnt
Malware Config
Signatures
Sets file execution options in registry (2 TTPs, 2 IoCs)
Process: notepad.exe (PID 4880)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wattvwvqn.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wattvwvqn.exe\DisableExceptionChainValidation
Note that the value written is DisableExceptionChainValidation, the per-image SEHOP opt-out, for the dropped wattvwvqn.exe (the scheduled-task payload below); it is not the Debugger value used for classic IFEO hijacking of another program.

Checks for any installed AV software in registry (1 TTP, 2 IoCs)
Process: notepad.exe (PID 4880)
- Key opened: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\avast! Antivirus

Drops desktop.ini file(s) (1 IoC)
Process: notepad.exe (PID 4880)
- File created: C:\ProgramData\yauhsgjabvdbja\desktop.ini

Suspicious use of SetThreadContext (1 IoC)
- 22170077277aa8d7f3fe0e30bcb187cfa7dcda0d018d6cabf1bde17d24fadda8.exe (PID 868) set thread context of notepad.exe (PID 4880)

Program crash (1 IoC)
- WerFault.exe (PID 212) handled a crash of svchost.exe (PID 920), the svchost.exe instance spawned by notepad.exe

Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
Process: notepad.exe (PID 4880)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Process: schtasks.exe (PID 2720), launched by notepad.exe; the full command line is in the process tree below.

Modifies registry class (6 IoCs)
Process: notepad.exe (PID 4880)
- Key created: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID
- Key created: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{2738D71C-F97B-9049-B499-90DC1810C331}
- Key created: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{2738D71C-F97B-9049-B499-90DC1810C331}\665407E0
- Key created: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{2738D71C-F97B-9049-B499-90DC1810C331}\665407E0\CG1
- Set value (data): \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{2738D71C-F97B-9049-B499-90DC1810C331}\665407E0\CG1\HAL = 05ee0000
- Set value (data): \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{2738D71C-F97B-9049-B499-90DC1810C331}\665407E0\CG1\BID = 200008001d000b00e6070000140000001d0016002b002900000000001d8b8663
The subkey name 665407E0 is the same hex token that appears in the scheduled task name below.

Suspicious behavior: MapViewOfSection (2 IoCs)
- notepad.exe (PID 4880): 2 events

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Process: notepad.exe (PID 4880)
- Token: SeRestorePrivilege
- Token: SeBackupPrivilege
- Token: SeDebugPrivilege

Suspicious use of WriteProcessMemory (15 IoCs)
- 22170077277aa8d7f3fe0e30bcb187cfa7dcda0d018d6cabf1bde17d24fadda8.exe (PID 868) wrote to memory of notepad.exe (PID 4880): 9 events
- notepad.exe (PID 4880) wrote to memory of schtasks.exe (PID 2720): 3 events
- notepad.exe (PID 4880) wrote to memory of svchost.exe (PID 920): 3 events
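The SetThreadContext and WriteProcessMemory signatures together describe one chain: nine cross-process writes from the sample (PID 868) into notepad.exe (PID 4880), a SetThreadContext on the same target, and then the (now overwritten) notepad.exe writing into the schtasks.exe and svchost.exe it spawns. The following Python is an added example, not part of this report or of any sandbox tooling; it rebuilds that chain from a constructed event list whose PIDs, image names and API names are taken from the report, while the event order and the tuple layout are assumptions. It generalises beyond this sample: any list of (source, target, API) events is grouped the same way.

```python
"""Rebuild cross-process injection chains from sandbox API events.

Added example for this report; it is not sandbox output or sample code. EVENTS
is constructed from the PIDs, images and API names the report lists; the order
of the events and the tuple layout are assumptions.
"""
from dataclasses import dataclass

SAMPLE = "22170077277aa8d7f3fe0e30bcb187cfa7dcda0d018d6cabf1bde17d24fadda8.exe"

# (source_pid, source_image, api, target_pid, target_image), constructed from the report.
EVENTS = (
    [(868, SAMPLE, "WriteProcessMemory", 4880, "notepad.exe")] * 9
    + [(868, SAMPLE, "SetThreadContext", 4880, "notepad.exe")]
    + [(4880, "notepad.exe", "MapViewOfSection", 4880, "notepad.exe")] * 2
    + [(4880, "notepad.exe", "WriteProcessMemory", 2720, "schtasks.exe")] * 3
    + [(4880, "notepad.exe", "WriteProcessMemory", 920, "svchost.exe")] * 3
)


@dataclass
class Chain:
    """Every cross-process memory operation from one source PID to one target PID."""
    src_pid: int
    src_image: str
    dst_pid: int
    dst_image: str
    writes: int = 0
    thread_context_sets: int = 0

    def verdict(self) -> str:
        # Writes followed by SetThreadContext on the same target is the hollowing /
        # thread-hijack shape: memory replaced, then a thread pointed into it.
        # Writes alone also happen when a parent sets up a child it just created
        # (4880 -> 2720 and 4880 -> 920 here), so they only get the weaker label.
        if self.writes and self.thread_context_sets:
            return "injection"
        if self.writes:
            return "remote_write"
        return "none"


def correlate(events):
    """Group events by (source, target) pair; same-process calls are skipped."""
    chains = {}
    for src, src_img, api, dst, dst_img in events:
        if src == dst:
            continue
        chain = chains.setdefault((src, dst), Chain(src, src_img, dst, dst_img))
        if api == "WriteProcessMemory":
            chain.writes += 1
        elif api == "SetThreadContext":
            chain.thread_context_sets += 1
    return chains


def injection_chains(events):
    """Chains that reach the 'injection' verdict, most writes first."""
    hits = [c for c in correlate(events).values() if c.verdict() == "injection"]
    return sorted(hits, key=lambda c: c.writes, reverse=True)


def tainted_pids(events):
    """Targets of an injection, plus everything those targets then write into.

    A hollowed notepad.exe is not notepad any more, so the schtasks.exe and
    svchost.exe it creates and writes to inherit its suspicion.
    """
    chains = correlate(events)
    tainted = {c.dst_pid for c in chains.values() if c.verdict() == "injection"}
    changed = True
    while changed:
        changed = False
        for c in chains.values():
            if c.writes and c.src_pid in tainted and c.dst_pid not in tainted:
                tainted.add(c.dst_pid)
                changed = True
    return tainted


def describe(chain):
    return (f"{chain.src_image} (PID {chain.src_pid}) -> {chain.dst_image} "
            f"(PID {chain.dst_pid}): {chain.writes} writes, "
            f"{chain.thread_context_sets} SetThreadContext -> {chain.verdict()}")


if __name__ == "__main__":
    for chain in correlate(EVENTS).values():
        print(describe(chain))
    print("tainted PIDs:", sorted(tainted_pids(EVENTS)))
```

Run stand-alone, the 868 -> 4880 chain comes out as injection with 9 writes, the two 4880 -> child chains as remote_write, and PIDs 4880, 2720 and 920 as tainted. The same grouping applies to any telemetry that records source and target PIDs per access (Sysmon ProcessAccess events, for instance). When carving the written image, the 152KB dumps of 0x0000000000400000-0x0000000000426000 in PID 4880 listed under Downloads are the natural starting point, since 0x400000 is the usual image base of a 32-bit executable.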
Processes
C:\Users\Admin\AppData\Local\Temp\22170077277aa8d7f3fe0e30bcb187cfa7dcda0d018d6cabf1bde17d24fadda8.exe (PID 868)
  Command line: "C:\Users\Admin\AppData\Local\Temp\22170077277aa8d7f3fe0e30bcb187cfa7dcda0d018d6cabf1bde17d24fadda8.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\notepad.exe (PID 4880)
      Command line: "C:\Windows\system32\notepad.exe"
      (The sample is 32-bit, so its request for system32\notepad.exe is redirected by WoW64 to the SysWOW64 copy; this 32-bit notepad.exe is the target of the parent's WriteProcessMemory and SetThreadContext calls, and every signature below is attributed to it.)
      - Sets file execution options in registry
      - Checks for any installed AV software in registry
      - Drops desktop.ini file(s)
      - Checks processor information in registry
      - Modifies registry class
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\schtasks.exe (PID 2720)
          Command line: "C:\Windows\System32\schtasks.exe" /CREATE /SC ONLOGON /TN "Windows Update Check - 0x665407E0" /TR "C:\ProgramData\yauhsgjabvdbja\wattvwvqn.exe" /RL HIGHEST
          - Creates scheduled task(s)
        C:\Windows\SysWOW64\svchost.exe (PID 920)
          Command line: -k NetworkService
          (A 32-bit svchost.exe started by notepad.exe rather than by services.exe; notepad.exe wrote to its memory three times, see Signatures, and it then crashed.)
            C:\Windows\SysWOW64\WerFault.exe (PID 212)
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 920 -s 88
              - Program crash
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 920 -ip 920
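The persistence in this tree is the schtasks line: an ONLOGON trigger, /RL HIGHEST, a task name that imitates Windows Update, and an action binary under C:\ProgramData. The registry signatures add the IFEO write for that same binary and the AV and CPU probes. The following Python is an added example, not part of this report or of any sandbox product; it parses any `schtasks /CREATE` command line and scores it, and classifies registry paths into persistence, AV discovery and sandbox-check categories. The inputs are constructed from the report's own lines; the user-writable roots, the AV vendor list, the IFEO value meanings and the scoring are the author's assumptions.

```python
"""Triage the persistence and discovery artefacts this report lists.

Added example for this report, not sandbox output or sample code. It parses the
schtasks command line from the process tree and scores it, and classifies the
registry paths from the signatures. The user-writable roots, AV vendor list,
IFEO value meanings and scoring weights are the author's assumptions.
"""
import re
import shlex

# Inputs constructed from the report's process tree and registry IoCs.
SCHTASKS_CMDLINE = (r'"C:\Windows\System32\schtasks.exe" /CREATE /SC ONLOGON '
                    r'/TN "Windows Update Check - 0x665407E0" '
                    r'/TR "C:\ProgramData\yauhsgjabvdbja\wattvwvqn.exe" /RL HIGHEST')
IFEO_PATH = (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
             r"\Image File Execution Options\wattvwvqn.exe\DisableExceptionChainValidation")
AV_PATH = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\avast! Antivirus"
CPU_PATH = r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"

# Assumed reference lists (not from the report).
USER_WRITABLE = ("c:\\programdata\\", "c:\\users\\", "\\appdata\\", "c:\\windows\\temp\\")
AV_VENDORS = ("avira", "avast", "kaspersky", "eset", "bitdefender", "mcafee", "sophos", "defender")
IFEO_PREFIX = (r"\registry\machine\software\microsoft\windows nt\currentversion"
               r"\image file execution options")
IFEO_VALUES = {
    "debugger": "Debugger: launches of the image are replaced by the listed program",
    "disableexceptionchainvalidation": "DisableExceptionChainValidation: SEHOP switched off for the image",
    "globalflag": "GlobalFlag: NT global flags (heap/loader debugging) set for the image",
}


def parse_schtasks(cmdline):
    """Return the switches of a `schtasks /CREATE ...` line as a dict, quotes stripped.

    posix=False keeps backslashes literal and honours double quotes only.
    """
    tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    args = {"exe": tokens[0]}
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            # Switches like /CREATE or /F take no value; the rest take the next token.
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                args[tok.upper()] = tokens[i + 1]
                i += 2
                continue
            args[tok.upper()] = True
        i += 1
    return args


def assess_task(args):
    """Score a parsed task creation; returns (score, reasons). Higher is worse."""
    reasons = []
    sched = str(args.get("/SC", "")).upper()
    if sched in ("ONLOGON", "ONSTART", "ONIDLE"):
        reasons.append(f"/SC {sched}: runs without any user action")
    if str(args.get("/RL", "")).upper() == "HIGHEST":
        reasons.append("/RL HIGHEST: runs with the account's highest available privileges")
    action = str(args.get("/TR", "")).lower()
    if any(root in action for root in USER_WRITABLE):
        reasons.append(f"action lives in a user-writable path: {args.get('/TR')}")
    name = str(args.get("/TN", ""))
    if re.search(r"windows|microsoft|update", name, re.I) and "\\windows\\" not in action:
        reasons.append(f"task name imitates Windows ({name!r}) but the action is outside \\Windows")
    if re.search(r"0x[0-9a-f]{6,}", name, re.I):
        reasons.append("hex identifier embedded in the task name")
    return len(reasons), reasons


def classify_registry_path(path):
    """Map a registry path to (category, detail); None when it matches nothing here."""
    p = path.lower()
    if p.startswith(IFEO_PREFIX):
        parts = p[len(IFEO_PREFIX):].strip("\\").split("\\")
        value = parts[1] if len(parts) > 1 else ""
        return ("ifeo", f"{parts[0]}: {IFEO_VALUES.get(value, value or 'key only')}")
    if "\\hardware\\description\\system\\centralprocessor\\" in p:
        return ("cpu_discovery", "CPU enumeration, a common VM/sandbox check")
    vendor = next((v for v in AV_VENDORS if v in p), None)  # plain substring match
    if vendor:
        return ("av_discovery", f"probes for {vendor}")
    return None


if __name__ == "__main__":
    task = parse_schtasks(SCHTASKS_CMDLINE)
    score, reasons = assess_task(task)
    print(f"task {task.get('/TN')!r}: score {score}")
    for reason in reasons:
        print("  -", reason)
    for path in (IFEO_PATH, AV_PATH, CPU_PATH):
        print(classify_registry_path(path), path)
```

On this report's command line all five checks fire, and the IFEO path resolves to the SEHOP opt-out for wattvwvqn.exe rather than a Debugger hijack. On a live host the same triage maps onto `schtasks /Query /V /FO CSV` output and an export of the Image File Execution Options key; the AV vendor match is a plain substring test, so widen or tighten the list to taste.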
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/868-132-0x0000000075510000-0x0000000075AC1000-memory.dmp (5.7MB)
- memory/868-133-0x0000000075510000-0x0000000075AC1000-memory.dmp (5.7MB)
- memory/868-139-0x0000000075510000-0x0000000075AC1000-memory.dmp (5.7MB)
- memory/920-147-0x0000000077DC0000-0x0000000077F63000-memory.dmp (1.6MB)
- memory/920-146-0x0000000000000000-mapping.dmp
- memory/2720-145-0x0000000000000000-mapping.dmp
- memory/4880-140-0x0000000000B10000-0x0000000000B5B000-memory.dmp (300KB)
- memory/4880-141-0x0000000000B10000-0x0000000000B5B000-memory.dmp (300KB)
- memory/4880-142-0x0000000002910000-0x000000000291B000-memory.dmp (44KB)
- memory/4880-143-0x0000000000400000-0x0000000000426000-memory.dmp (152KB)
- memory/4880-144-0x0000000000B10000-0x0000000000B5B000-memory.dmp (300KB)
- memory/4880-137-0x0000000000400000-0x0000000000426000-memory.dmp (152KB)
- memory/4880-135-0x0000000000400000-0x0000000000426000-memory.dmp (152KB)
- memory/4880-134-0x0000000000000000-mapping.dmp