Analysis
max time kernel: 163s
max time network: 190s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-12-2022 12:36
Static task: static1
Behavioral task: behavioral1
- Sample: 8e930603c80b86df1862a04a9369927073f307e486d8ee3e866626e611189c48.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 8e930603c80b86df1862a04a9369927073f307e486d8ee3e866626e611189c48.exe
- Resource: win10v2004-20221111-en
General
Target: 8e930603c80b86df1862a04a9369927073f307e486d8ee3e866626e611189c48.exe
Size: 167KB
MD5: dfc2b699a1a034febcfcbb7a0896f378
SHA1: e7ac60c3078dbf09927898be9c9b9168fdc6a9cf
SHA256: 8e930603c80b86df1862a04a9369927073f307e486d8ee3e866626e611189c48
SHA512: 90204c42ea3fe8f1a6cf894c92bf3697e30aa790a9241c6bf64b75c23f61cda2611e1cb036d40df7d30ecb0fe10200f85289e467c5e8fc8b53c7a322fba9bf2d
SSDEEP: 3072:98YFaqe9ZjBozEV+Rvq/nFBi14WOZJRHQCiTD8ukbVS1:9BEL9ZFooVcvS7iSpZ3H6D8ukb
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 4788: svchest8435.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run (process: 8e930603c80b86df1862a04a9369927073f307e486d8ee3e866626e611189c48.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\:\Program Files\Common Files\svchest8435.exe = "C:\\Program Files\\Common Files\\svchest8435.exe" (process: 8e930603c80b86df1862a04a9369927073f307e486d8ee3e866626e611189c48.exe)
- Drops file in Program Files directory (3 IoCs)
  File created: C:\Program Files\Common Files\svchest8435.exe (process: 8e930603c80b86df1862a04a9369927073f307e486d8ee3e866626e611189c48.exe)
  File opened for modification: C:\Program Files\Common Files\svchest8435.exe (process: 8e930603c80b86df1862a04a9369927073f307e486d8ee3e866626e611189c48.exe)
  File created: C:\Program Files\svchest.exe (process: svchest8435.exe)
- Kills process with taskkill (2 IoCs)
  pid 684: taskkill.exe
  pid 176: taskkill.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 4788: svchest8435.exe (64 occurrences)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, pid 684: taskkill.exe
  Token: SeDebugPrivilege, pid 176: taskkill.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  PID 1380 (8e930603c80b86df1862a04a9369927073f307e486d8ee3e866626e611189c48.exe) wrote to memory of 684, procid_target 82 (3 occurrences)
  PID 1380 (8e930603c80b86df1862a04a9369927073f307e486d8ee3e866626e611189c48.exe) wrote to memory of 4788, procid_target 85 (3 occurrences)
  PID 4788 (svchest8435.exe) wrote to memory of 176, procid_target 86 (3 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\8e930603c80b86df1862a04a9369927073f307e486d8ee3e866626e611189c48.exe (PID 1380, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8e930603c80b86df1862a04a9369927073f307e486d8ee3e866626e611189c48.exe"
  Signatures: Adds Run key to start application; Drops file in Program Files directory; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\taskkill.exe (PID 684, depth 2)
    Command line: taskkill /f /im Ksafetray.exe
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Program Files\Common Files\svchest8435.exe (PID 4788, depth 2)
    Command line: "C:\Program Files\Common Files\svchest8435.exe"
    Signatures: Executes dropped EXE; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe (PID 176, depth 3)
      Command line: taskkill /f /im Ksafetray.exe
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
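The behaviours above (a Run value under the WOW6432Node Run key, a dropped svchost look-alike under Program Files\Common Files that is then executed, and taskkill /f /im Ksafetray.exe launched from both the dropper and the dropped EXE) are the IoCs a hunt would key on. The following is an added example, not part of this report and not the sandbox's own code: Python hunting rules run over constructed Sysmon-style events that mirror the process tree, plus two benign control events that must not fire. The Event fields, the rule names and the treatment of Ksafetray.exe as a security-tool process are assumptions made for illustration.

```python
"""Hunting rules for the behaviours in this report (Run-key persistence,
a dropped svchost look-alike under Program Files, and taskkill /f against a
security-tool process), run over constructed Sysmon-style events."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Value paths under any Run key, including the WOW6432Node view seen in the report.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
# svchost.exe and look-alikes such as svchest8435.exe: the real one lives in
# System32 and is never a Run entry, so a Run value pointing at such a name is suspect.
SVCHOST_LIKE_RE = re.compile(r"^svch[eo]st\d*\.exe$", re.IGNORECASE)
PROGRAM_FILES = ("c:\\program files\\", "c:\\program files (x86)\\")
# Assumption: Ksafetray.exe (the report's taskkill target) is a security-tool process.
PROTECTED = {"ksafetray.exe"}


@dataclass
class Event:
    kind: str            # "process" (create), "registry" (value set) or "file" (create)
    pid: int
    image: str           # image path of the acting process
    parent_pid: int = 0
    cmdline: str = ""
    target: str = ""     # registry value path or created file path
    data: str = ""       # registry value data


def name_of(path):
    return PureWindowsPath(path.strip('"')).name


def in_program_files(path):
    return path.lower().startswith(PROGRAM_FILES)


def taskkill_target(image, cmdline):
    """Return the image name passed to `taskkill /f /im <name>`, else None."""
    if name_of(image).lower() != "taskkill.exe":
        return None
    args = cmdline.lower().split()
    if "/f" not in args or "/im" not in args:
        return None
    i = args.index("/im")
    return args[i + 1] if i + 1 < len(args) else None


def chain(pid, procs):
    """Render the ancestry of pid from process-create events: a.exe(1) > b.exe(2)."""
    hops, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        ev = procs[pid]
        hops.append(f"{name_of(ev.image)}({ev.pid})")
        pid = ev.parent_pid
    return " > ".join(reversed(hops))


def detect(events):
    procs = {e.pid: e for e in events if e.kind == "process"}
    created = {}                      # lower-cased dropped path -> creating pid
    findings = []
    for e in events:
        rule = None
        if e.kind == "file":
            created[e.target.lower()] = e.pid
        elif e.kind == "registry" and RUN_KEY_RE.search(e.target):
            exe = e.data.strip('"')
            if (in_program_files(exe) and "\\common files\\" in exe.lower()) \
                    or SVCHOST_LIKE_RE.match(name_of(exe)):
                rule = "run_key_persistence"
        elif e.kind == "process":
            if taskkill_target(e.image, e.cmdline) in PROTECTED:
                rule = "taskkill_security_tool"
            creator = created.get(e.image.lower())
            if creator not in (None, e.pid) and in_program_files(e.image):
                rule = "dropped_exe_executed"   # an EXE dropped earlier by another process now runs
        if rule:
            findings.append({"rule": rule, "pid": e.pid, "chain": chain(e.pid, procs)})
    return findings


DROPPER = r"C:\Users\Admin\AppData\Local\Temp\8e930603c80b86df1862a04a9369927073f307e486d8ee3e866626e611189c48.exe"
DROPPED = r"C:\Program Files\Common Files\svchest8435.exe"
TASKKILL = r"C:\Windows\SysWOW64\taskkill.exe"
RUN_KEY = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run"

# Constructed events mirroring the report's process tree, plus two benign controls (900, 901).
SAMPLE_EVENTS = [
    Event("process", 1380, DROPPER, 0, f'"{DROPPER}"'),
    Event("process", 684, TASKKILL, 1380, "taskkill /f /im Ksafetray.exe"),
    Event("registry", 1380, DROPPER, target=RUN_KEY + r"\:\Program Files\Common Files\svchest8435.exe", data=DROPPED),
    Event("file", 1380, DROPPER, target=DROPPED),
    Event("process", 4788, DROPPED, 1380, f'"{DROPPED}"'),
    Event("file", 4788, DROPPED, target=r"C:\Program Files\svchest.exe"),
    Event("process", 176, TASKKILL, 4788, "taskkill /f /im Ksafetray.exe"),
    Event("process", 900, r"C:\Windows\System32\taskkill.exe", 1, "taskkill /f /im notepad.exe"),
    Event("registry", 901, r"C:\Program Files\Vendor\setup.exe",
          target=r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
          data=r"C:\Program Files\Vendor\updater.exe"),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['rule']:<24} pid={f['pid']:<5} {f['chain']}")
```

Run on the constructed events this yields four findings (the two taskkill launches, the Run value written by PID 1380, and PID 4788 running from a path PID 1380 created) and nothing for the benign taskkill of notepad.exe or the vendor updater's Run value; the rendered chain for PID 176 reads dropper > svchest8435.exe > taskkill.exe, which is the parent-child relationship the process tree above shows.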
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 31.2MB
  MD5: 94199de3f19c264c318039587ec27a43
  SHA1: 66375710cd7366e59625d287ced9ea6a1c82209d
  SHA256: 76ef0bf3a8d4b947d985b18217f4158b8eb313351af436373ffe1f5e0154daa0
  SHA512: 40a4ed759f76279323efda665d9231e25b1a05779e5d901518970dccb1d5fda2d9fd4289f7cd5d9f1634d7a04923b048165e8e535769d06ef6685bff40a5df86
  Note: this 31.2MB artifact is not the 167KB submitted sample; its hashes differ from those listed under General.