Analysis

max time kernel:  134s
max time network: 154s
platform:         windows10-2004_x64
resource:         win10v2004-20220901-en
resource tags:    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted:        03-12-2022 11:36

Static task: static1

Behavioral task: behavioral1
  Sample:   ebc511ed3c477639ee9c6d56506346044f963d6cb713b3c81341add9aa52191c.exe
  Resource: win7-20221111-en

Behavioral task: behavioral2
  Sample:   ebc511ed3c477639ee9c6d56506346044f963d6cb713b3c81341add9aa52191c.exe
  Resource: win10v2004-20220901-en
General

Target: ebc511ed3c477639ee9c6d56506346044f963d6cb713b3c81341add9aa52191c.exe
Size:   136KB
MD5:    8c4f39320d7c4eea6b3e072106b282bf
SHA1:   6ae3da39b56a665c3586099cbac685067d7442b0
SHA256: ebc511ed3c477639ee9c6d56506346044f963d6cb713b3c81341add9aa52191c
SHA512: 035b61fca54b05f12de676a66eedce5a9474690a6a6cff29614af94368b8505ff34446967179bd960d2b92bc5a96256f2a1d2fb41e3bdeae80a439287166b8d4
SSDEEP: 1536:6MVDsEe+yoBaVzlhNCg6k3j5kgOXUq+rtQ/QQkAT9TmY+R6rk3qZOPf:rplyoBaVphV6AtkgOXUqaaF9Tmb6yf
Malware Config

Signatures

Executes dropped EXE (2 IoCs)
  PID   Process
  4796  taskhost.exe
  792   taskhost.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  - Key created: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Process: ebc511ed3c477639ee9c6d56506346044f963d6cb713b3c81341add9aa52191c.exe
  - Set value (str): \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Taskhost = "C:\\Users\\Admin\\AppData\\Roaming\\taskhost.exe"
    Process: ebc511ed3c477639ee9c6d56506346044f963d6cb713b3c81341add9aa52191c.exe

Suspicious use of SetThreadContext (2 IoCs)
  - PID 3108 set thread context of 1604  (pid 3108, process ebc511ed3c477639ee9c6d56506346044f963d6cb713b3c81341add9aa52191c.exe, procid_target 80)
  - PID 4796 set thread context of 792   (pid 4796, process taskhost.exe, procid_target 84)

Program crash (2 IoCs)
  - pid 2432 (WerFault.exe), pid_target 3108, procid_target 79
  - pid 1812 (WerFault.exe), pid_target 4796, procid_target 83

Suspicious use of WriteProcessMemory (13 IoCs)
  - PID 3108 wrote to memory of 1604  (pid 3108, process ebc511ed3c477639ee9c6d56506346044f963d6cb713b3c81341add9aa52191c.exe, procid_target 80)  x5
  - PID 1604 wrote to memory of 4796  (pid 1604, process ebc511ed3c477639ee9c6d56506346044f963d6cb713b3c81341add9aa52191c.exe, procid_target 83)  x3
  - PID 4796 wrote to memory of 792   (pid 4796, process taskhost.exe, procid_target 84)  x5
Processes

- C:\Users\Admin\AppData\Local\Temp\ebc511ed3c477639ee9c6d56506346044f963d6cb713b3c81341add9aa52191c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ebc511ed3c477639ee9c6d56506346044f963d6cb713b3c81341add9aa52191c.exe"
  PID: 3108
  Signatures: Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\ebc511ed3c477639ee9c6d56506346044f963d6cb713b3c81341add9aa52191c.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\ebc511ed3c477639ee9c6d56506346044f963d6cb713b3c81341add9aa52191c.exe
    PID: 1604
    Signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\taskhost.exe
      Command line: C:\Users\Admin\AppData\Roaming\taskhost.exe
      PID: 4796
      Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\taskhost.exe
        Command line: C:\Users\Admin\AppData\Roaming\taskhost.exe
        PID: 792
        Signatures: Executes dropped EXE
      - C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 292
        PID: 1812
        Signatures: Program crash
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 304
    PID: 2432
    Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3108 -ip 3108
  PID: 4844
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4796 -ip 4796
  PID: 1524
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 136KB
  MD5:    685c988850fc65706157bded578b507e
  SHA1:   8f1a6e53de157915cc30732c96c213589713d0ed
  SHA256: c77feefdfc67f4a0488ef58b774e2d8814d5bdfa8c215e82b8991807d712c90c
  SHA512: ed8bb993a5788eb545bf6cb99981bed3739885f16e95495784d066cb59273012a1aaef072516084290aedbd4c4dc77d86803fd7d68c8dbacc98f308fc0a7292e
  (this entry is listed three times in the report, each time with the identical size and hashes)