Analysis

  • max time kernel
    163s
  • max time network
    190s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/12/2022, 12:36 UTC

General

  • Target

    8e930603c80b86df1862a04a9369927073f307e486d8ee3e866626e611189c48.exe

  • Size

    167KB

  • MD5

    dfc2b699a1a034febcfcbb7a0896f378

  • SHA1

    e7ac60c3078dbf09927898be9c9b9168fdc6a9cf

  • SHA256

    8e930603c80b86df1862a04a9369927073f307e486d8ee3e866626e611189c48

  • SHA512

    90204c42ea3fe8f1a6cf894c92bf3697e30aa790a9241c6bf64b75c23f61cda2611e1cb036d40df7d30ecb0fe10200f85289e467c5e8fc8b53c7a322fba9bf2d

  • SSDEEP

    3072:98YFaqe9ZjBozEV+Rvq/nFBi14WOZJRHQCiTD8ukbVS1:9BEL9ZFooVcvS7iSpZ3H6D8ukb

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Kills process with taskkill 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8e930603c80b86df1862a04a9369927073f307e486d8ee3e866626e611189c48.exe
    "C:\Users\Admin\AppData\Local\Temp\8e930603c80b86df1862a04a9369927073f307e486d8ee3e866626e611189c48.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:1380
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im Ksafetray.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:684
    • C:\Program Files\Common Files\svchest8435.exe
      "C:\Program Files\Common Files\svchest8435.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4788
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im Ksafetray.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:176

Network

  • DNS
    15.89.54.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    15.89.54.20.in-addr.arpa
    IN PTR
    Response
  • DNS
    cq52wg.gicp.net
    svchest8435.exe
    Remote address:
    8.8.8.8:53
    Request
    cq52wg.gicp.net
    IN A
    Response
  • DNS
    cq52wg.gicp.net
    svchest8435.exe
    Remote address:
    8.8.8.8:53
    Request
    cq52wg.gicp.net
    IN A
    Response
  • DNS
    9.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.3.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa
    Remote address:
    8.8.8.8:53
    Request
    9.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.3.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa
    IN PTR
    Response
  • DNS
    cq52wg.gicp.net
    svchest8435.exe
    Remote address:
    8.8.8.8:53
    Request
    cq52wg.gicp.net
    IN A
    Response
  • DNS
    cq52wg.gicp.net
    svchest8435.exe
    Remote address:
    8.8.8.8:53
    Request
    cq52wg.gicp.net
    IN A
    Response
  • 40.125.122.151:443
    52 B
    1
  • 8.247.210.254:80
    46 B
    40 B
    1
    1
  • 178.79.208.1:80
    260 B
    5
  • 20.189.173.15:443
    322 B
    7
  • 178.79.208.1:80
    322 B
    7
  • 178.79.208.1:80
    322 B
    7
  • 178.79.208.1:80
    322 B
    7
  • 93.184.221.240:80
    322 B
    7
  • 93.184.220.29:80
    322 B
    7
  • 8.8.8.8:53
    15.89.54.20.in-addr.arpa
    dns
    70 B
    156 B
    1
    1

    DNS Request

    15.89.54.20.in-addr.arpa

  • 8.8.8.8:53
    cq52wg.gicp.net
    dns
    svchest8435.exe
    122 B
    122 B
    2
    2

    DNS Request

    cq52wg.gicp.net

    DNS Request

    cq52wg.gicp.net

  • 8.8.8.8:53
    9.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.3.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa
    dns
    118 B
    204 B
    1
    1

    DNS Request

    9.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.3.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa

  • 8.8.8.8:53
    cq52wg.gicp.net
    dns
    svchest8435.exe
    61 B
    61 B
    1
    1

    DNS Request

    cq52wg.gicp.net

  • 8.8.8.8:53
    cq52wg.gicp.net
    dns
    svchest8435.exe
    61 B
    61 B
    1
    1

    DNS Request

    cq52wg.gicp.net

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Program Files\Common Files\svchest8435.exe

    Filesize

    31.2MB

    MD5

    94199de3f19c264c318039587ec27a43

    SHA1

    66375710cd7366e59625d287ced9ea6a1c82209d

    SHA256

    76ef0bf3a8d4b947d985b18217f4158b8eb313351af436373ffe1f5e0154daa0

    SHA512

    40a4ed759f76279323efda665d9231e25b1a05779e5d901518970dccb1d5fda2d9fd4289f7cd5d9f1634d7a04923b048165e8e535769d06ef6685bff40a5df86
