b485f85973db1034453f1da297157f64e6a5e9cbf75f0205cb1459e504ce0e8c

Analysis

max time kernel
190s
max time network
200s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
05/12/2022, 14:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b485f85973db1034453f1da297157f64e6a5e9cbf75f0205cb1459e504ce0e8c.exe
Size

309KB
MD5

c6cf60a5d9fe9068730e33b30595970d
SHA1

e4c0f22e1d5a4df1b1b78afafa42cd6812bd0a47
SHA256

b485f85973db1034453f1da297157f64e6a5e9cbf75f0205cb1459e504ce0e8c
SHA512

8aa3c536fafe6af48c2c57f8d22a298483e31ef18a623f43ad0a29b78ec5cedfab862842027ad7eb961775e17629ae4385dd2ef4c0ac07858b0c453474bdf0a5
SSDEEP

6144:CyH7xOc6H5c6HcT66vlmnB1LQdgCeh/205XGuQnBq5dbqpu/P2WkUefcGHtl/HBC:CaGS+fldbqUH2Wkbf/HEr

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
3888	svchost.exe
364	b485f85973db1034453f1da297157f64e6a5e9cbf75f0205cb1459e504ce0e8c.exe
4248	svchost.exe

Drops file in Program Files directory 54 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\notification_helper.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jinfo.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstack.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmc.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jrunscript.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_pwa_launcher.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jvisualvm.exe	svchost.exe
File opened for modification	C:\Program Files\CheckpointSwitch.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstat.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jjs.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jhat.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jsadebugd.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jcmd.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jps.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jconsole.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmap.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstatd.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe	svchost.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\svchost.exe	b485f85973db1034453f1da297157f64e6a5e9cbf75f0205cb1459e504ce0e8c.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeBackupPrivilege	3608	dw20.exe
Token: SeBackupPrivilege	3608	dw20.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 736 wrote to memory of 3888	736	b485f85973db1034453f1da297157f64e6a5e9cbf75f0205cb1459e504ce0e8c.exe	82
PID 736 wrote to memory of 3888	736	b485f85973db1034453f1da297157f64e6a5e9cbf75f0205cb1459e504ce0e8c.exe	82
PID 736 wrote to memory of 3888	736	b485f85973db1034453f1da297157f64e6a5e9cbf75f0205cb1459e504ce0e8c.exe	82
PID 3888 wrote to memory of 364	3888	svchost.exe	83
PID 3888 wrote to memory of 364	3888	svchost.exe	83
PID 364 wrote to memory of 3608	364	b485f85973db1034453f1da297157f64e6a5e9cbf75f0205cb1459e504ce0e8c.exe	85
PID 364 wrote to memory of 3608	364	b485f85973db1034453f1da297157f64e6a5e9cbf75f0205cb1459e504ce0e8c.exe	85

C:\Users\Admin\AppData\Local\Temp\b485f85973db1034453f1da297157f64e6a5e9cbf75f0205cb1459e504ce0e8c.exe
"C:\Users\Admin\AppData\Local\Temp\b485f85973db1034453f1da297157f64e6a5e9cbf75f0205cb1459e504ce0e8c.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:736
- C:\Windows\svchost.exe
  "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\b485f85973db1034453f1da297157f64e6a5e9cbf75f0205cb1459e504ce0e8c.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3888
- - C:\Users\Admin\AppData\Local\Temp\b485f85973db1034453f1da297157f64e6a5e9cbf75f0205cb1459e504ce0e8c.exe
    "C:\Users\Admin\AppData\Local\Temp\b485f85973db1034453f1da297157f64e6a5e9cbf75f0205cb1459e504ce0e8c.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:364
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
      dw20.exe -x -s 844
      4⤵
      Checks processor information in registry
      Enumerates system info in registry
      Suspicious use of AdjustPrivilegeToken
      PID:3608

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4248

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\b485f85973db1034453f1da297157f64e6a5e9cbf75f0205cb1459e504ce0e8c.exe

Filesize
273KB

MD5
3ce4066cf2691fe67bb88edaa45d1958

SHA1
b4a53b60723f8e5f2d890ff5dfbfb47aae14d039

SHA256
75f8c876baddc44d91b1b4a05705cbbace69fd26cbbc5b64bfb3e35e94222729

SHA512
27dde8420866d78cce16da93c7dfaeef936cf0933d01c4f2a9be2272eac820b3603f2f7f43d04ea6402f2fa2f3d7c03849c0078cc0cd9281ad4ccfffc2d49223

Download Submit
C:\Users\Admin\AppData\Local\Temp\b485f85973db1034453f1da297157f64e6a5e9cbf75f0205cb1459e504ce0e8c.exe

Filesize
273KB

MD5
3ce4066cf2691fe67bb88edaa45d1958

SHA1
b4a53b60723f8e5f2d890ff5dfbfb47aae14d039

SHA256
75f8c876baddc44d91b1b4a05705cbbace69fd26cbbc5b64bfb3e35e94222729

SHA512
27dde8420866d78cce16da93c7dfaeef936cf0933d01c4f2a9be2272eac820b3603f2f7f43d04ea6402f2fa2f3d7c03849c0078cc0cd9281ad4ccfffc2d49223

Download Submit
C:\Windows\svchost.exe

Filesize
35KB

MD5
9e3c13b6556d5636b745d3e466d47467

SHA1
2ac1c19e268c49bc508f83fe3d20f495deb3e538

SHA256
20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

SHA512
5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

Download Submit
C:\Windows\svchost.exe

Filesize
35KB

MD5
9e3c13b6556d5636b745d3e466d47467

SHA1
2ac1c19e268c49bc508f83fe3d20f495deb3e538

SHA256
20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

SHA512
5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

Download Submit
C:\Windows\svchost.exe

Filesize
35KB

MD5
9e3c13b6556d5636b745d3e466d47467

SHA1
2ac1c19e268c49bc508f83fe3d20f495deb3e538

SHA256
20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

SHA512
5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

Download Submit
memory/364-139-0x00007FFF6DC10000-0x00007FFF6E646000-memory.dmp

Filesize
10.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads