Analysis

  • max time kernel
    171s
  • max time network
    174s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/04/2023, 17:27

General

  • Target

    HEUR-Trojan.Win32.exe

  • Size

    138KB

  • MD5

    cfa679562fd9617fac6a48c9675dcea9

  • SHA1

    9cebe23223aef35aa45bf9d6473c0a18f89006db

  • SHA256

    d9c49283e3e13a99782427ebd5e373bfd47293bbc89cb6a5f4ca675c9563ec4c

  • SHA512

    a0002d15fe2c91d77ad6f6539bbd3d7721ae76fb98573ba242821b00b76ef3abaa8e245d9ac58e1c328359fd3244fce158fffbcd7c9e740a99575104b2b2b060

  • SSDEEP

    3072:5M1BjoYNXoKDIJBXJPw45QvyBX94Z8L/YnfotzuK42fukRjXIUwJ9aj8uZ9:5MMYNXqBBwfvyj4qL2s5uCwJ8j8i9

Score
8/10

Malware Config

Signatures

  • Modifies Windows Firewall 1 TTPs 2 IoCs

    Two netsh advfirewall rules named "Windows Update", one inbound and one outbound on every profile, allow C:\Windows\SysWOW64\svchost.exe. That is the 32-bit service-host copy the sample launches from explorer.exe (PID 5036 in the tree below), not the System32 svchost.exe that hosts Windows services, and the rules carry no service= scope, so anything running inside that process gets network access without a prompt.

  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs

    Flagged on the first instance (PID 2744), which also writes into process memory before an identical child (PID 4056) appears in the tree below. That sequence is consistent with the sample re-launching itself and replacing the child's image before resuming it (process hollowing); this is an inference from the flags, not a finding the report states.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 2 IoCs
  • Creates scheduled task(s) 1 TTPs 23 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution. Here it is invoked 23 times with identical arguments: task name "IE4Data", run as SYSTEM (/ru), trigger at every boot (/SC ONSTART), /F to overwrite any existing task of that name, and action C:\Windows\SysWOW64\IE4Data.{E4D91FC0-3FED-FF00-0020-EF74DF1E0008}\IE4Data.cmd. The file at that path has the same MD5/SHA1/SHA256 as the submitted sample (see Downloads), so the task points at a renamed, byte-identical copy of the sample placed under SysWOW64.

  • Enumerates processes with tasklist 1 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.exe
    "C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2744
    • C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.exe
      "C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.exe"
      2⤵
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:4056
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        3⤵
        • Adds Run key to start application
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:832
        • C:\Windows\SysWOW64\schtasks.exe
          C:\Windows\SysWOW64\schtasks.exe /Create /ru "SYSTEM" /SC ONSTART /F /TN "IE4Data" /TR "C:\Windows\SysWOW64\IE4Data.{E4D91FC0-3FED-FF00-0020-EF74DF1E0008}\IE4Data.cmd"
          4⤵
          • Creates scheduled task(s)
          PID:1624
        • C:\Windows\SysWOW64\schtasks.exe
          C:\Windows\SysWOW64\schtasks.exe /Create /ru "SYSTEM" /SC ONSTART /F /TN "IE4Data" /TR "C:\Windows\SysWOW64\IE4Data.{E4D91FC0-3FED-FF00-0020-EF74DF1E0008}\IE4Data.cmd"
          4⤵
          • Creates scheduled task(s)
          PID:4500
        • C:\Windows\SysWOW64\svchost.exe
          C:\Windows\SysWOW64\svchost.exe
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:5036
          • C:\Windows\SysWOW64\explorer.exe
            C:\Windows\SysWOW64\explorer.exe
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3124
            • C:\Windows\SysWOW64\tasklist.exe
              C:\Windows\SysWOW64\tasklist.exe
              6⤵
              • Enumerates processes with tasklist
              • Suspicious behavior: EnumeratesProcesses
              PID:3740
          • C:\Windows\SysWOW64\schtasks.exe
            C:\Windows\SysWOW64\schtasks.exe /Create /ru "SYSTEM" /SC ONSTART /F /TN "IE4Data" /TR "C:\Windows\SysWOW64\IE4Data.{E4D91FC0-3FED-FF00-0020-EF74DF1E0008}\IE4Data.cmd"
            5⤵
            • Creates scheduled task(s)
            PID:4584
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule program="C:\Windows\SysWOW64\svchost.exe" action=allow name="Windows Update" dir=in profile=any
            5⤵
            • Modifies Windows Firewall
            PID:5048
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule program="C:\Windows\SysWOW64\svchost.exe" action=allow name="Windows Update" dir=out profile=any
            5⤵
            • Modifies Windows Firewall
            PID:740
          • C:\Windows\SysWOW64\explorer.exe
            C:\Windows\SysWOW64\explorer.exe
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3568
            • C:\Windows\SysWOW64\tasklist.exe
              C:\Windows\SysWOW64\tasklist.exe
              6⤵
              • Enumerates processes with tasklist
              PID:3708
          • C:\Windows\SysWOW64\explorer.exe
            C:\Windows\SysWOW64\explorer.exe
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:5080
            • C:\Windows\SysWOW64\tasklist.exe
              C:\Windows\SysWOW64\tasklist.exe
              6⤵
              • Enumerates processes with tasklist
              PID:4940
          • C:\Windows\SysWOW64\schtasks.exe
            C:\Windows\SysWOW64\schtasks.exe /Create /ru "SYSTEM" /SC ONSTART /F /TN "IE4Data" /TR "C:\Windows\SysWOW64\IE4Data.{E4D91FC0-3FED-FF00-0020-EF74DF1E0008}\IE4Data.cmd"
            5⤵
            • Creates scheduled task(s)
            PID:4840
          • C:\Windows\SysWOW64\schtasks.exe
            C:\Windows\SysWOW64\schtasks.exe /Create /ru "SYSTEM" /SC ONSTART /F /TN "IE4Data" /TR "C:\Windows\SysWOW64\IE4Data.{E4D91FC0-3FED-FF00-0020-EF74DF1E0008}\IE4Data.cmd"
            5⤵
            • Creates scheduled task(s)
            PID:3580
          • C:\Windows\SysWOW64\schtasks.exe
            C:\Windows\SysWOW64\schtasks.exe /Create /ru "SYSTEM" /SC ONSTART /F /TN "IE4Data" /TR "C:\Windows\SysWOW64\IE4Data.{E4D91FC0-3FED-FF00-0020-EF74DF1E0008}\IE4Data.cmd"
            5⤵
            • Creates scheduled task(s)
            PID:1760
          • C:\Windows\SysWOW64\schtasks.exe
            C:\Windows\SysWOW64\schtasks.exe /Create /ru "SYSTEM" /SC ONSTART /F /TN "IE4Data" /TR "C:\Windows\SysWOW64\IE4Data.{E4D91FC0-3FED-FF00-0020-EF74DF1E0008}\IE4Data.cmd"
            5⤵
            • Creates scheduled task(s)
            PID:1892
          • C:\Windows\SysWOW64\schtasks.exe
            C:\Windows\SysWOW64\schtasks.exe /Create /ru "SYSTEM" /SC ONSTART /F /TN "IE4Data" /TR "C:\Windows\SysWOW64\IE4Data.{E4D91FC0-3FED-FF00-0020-EF74DF1E0008}\IE4Data.cmd"
            5⤵
            • Creates scheduled task(s)
            PID:2740
          • C:\Windows\SysWOW64\schtasks.exe
            C:\Windows\SysWOW64\schtasks.exe /Create /ru "SYSTEM" /SC ONSTART /F /TN "IE4Data" /TR "C:\Windows\SysWOW64\IE4Data.{E4D91FC0-3FED-FF00-0020-EF74DF1E0008}\IE4Data.cmd"
            5⤵
            • Creates scheduled task(s)
            PID:4764
          • C:\Windows\SysWOW64\schtasks.exe
            C:\Windows\SysWOW64\schtasks.exe /Create /ru "SYSTEM" /SC ONSTART /F /TN "IE4Data" /TR "C:\Windows\SysWOW64\IE4Data.{E4D91FC0-3FED-FF00-0020-EF74DF1E0008}\IE4Data.cmd"
            5⤵
            • Creates scheduled task(s)
            PID:2212
          • C:\Windows\SysWOW64\schtasks.exe
            C:\Windows\SysWOW64\schtasks.exe /Create /ru "SYSTEM" /SC ONSTART /F /TN "IE4Data" /TR "C:\Windows\SysWOW64\IE4Data.{E4D91FC0-3FED-FF00-0020-EF74DF1E0008}\IE4Data.cmd"
            5⤵
            • Creates scheduled task(s)
            PID:3340
          • C:\Windows\SysWOW64\schtasks.exe
            C:\Windows\SysWOW64\schtasks.exe /Create /ru "SYSTEM" /SC ONSTART /F /TN "IE4Data" /TR "C:\Windows\SysWOW64\IE4Data.{E4D91FC0-3FED-FF00-0020-EF74DF1E0008}\IE4Data.cmd"
            5⤵
            • Creates scheduled task(s)
            PID:1512
          • C:\Windows\SysWOW64\schtasks.exe
            C:\Windows\SysWOW64\schtasks.exe /Create /ru "SYSTEM" /SC ONSTART /F /TN "IE4Data" /TR "C:\Windows\SysWOW64\IE4Data.{E4D91FC0-3FED-FF00-0020-EF74DF1E0008}\IE4Data.cmd"
            5⤵
            • Creates scheduled task(s)
            PID:3828
          • C:\Windows\SysWOW64\schtasks.exe
            C:\Windows\SysWOW64\schtasks.exe /Create /ru "SYSTEM" /SC ONSTART /F /TN "IE4Data" /TR "C:\Windows\SysWOW64\IE4Data.{E4D91FC0-3FED-FF00-0020-EF74DF1E0008}\IE4Data.cmd"
            5⤵
            • Creates scheduled task(s)
            PID:5108
          • C:\Windows\SysWOW64\schtasks.exe
            C:\Windows\SysWOW64\schtasks.exe /Create /ru "SYSTEM" /SC ONSTART /F /TN "IE4Data" /TR "C:\Windows\SysWOW64\IE4Data.{E4D91FC0-3FED-FF00-0020-EF74DF1E0008}\IE4Data.cmd"
            5⤵
            • Creates scheduled task(s)
            PID:4116
          • C:\Windows\SysWOW64\schtasks.exe
            C:\Windows\SysWOW64\schtasks.exe /Create /ru "SYSTEM" /SC ONSTART /F /TN "IE4Data" /TR "C:\Windows\SysWOW64\IE4Data.{E4D91FC0-3FED-FF00-0020-EF74DF1E0008}\IE4Data.cmd"
            5⤵
            • Creates scheduled task(s)
            PID:1868
          • C:\Windows\SysWOW64\schtasks.exe
            C:\Windows\SysWOW64\schtasks.exe /Create /ru "SYSTEM" /SC ONSTART /F /TN "IE4Data" /TR "C:\Windows\SysWOW64\IE4Data.{E4D91FC0-3FED-FF00-0020-EF74DF1E0008}\IE4Data.cmd"
            5⤵
            • Creates scheduled task(s)
            PID:4036
          • C:\Windows\SysWOW64\schtasks.exe
            C:\Windows\SysWOW64\schtasks.exe /Create /ru "SYSTEM" /SC ONSTART /F /TN "IE4Data" /TR "C:\Windows\SysWOW64\IE4Data.{E4D91FC0-3FED-FF00-0020-EF74DF1E0008}\IE4Data.cmd"
            5⤵
            • Creates scheduled task(s)
            PID:1276
          • C:\Windows\SysWOW64\schtasks.exe
            C:\Windows\SysWOW64\schtasks.exe /Create /ru "SYSTEM" /SC ONSTART /F /TN "IE4Data" /TR "C:\Windows\SysWOW64\IE4Data.{E4D91FC0-3FED-FF00-0020-EF74DF1E0008}\IE4Data.cmd"
            5⤵
            • Creates scheduled task(s)
            PID:2856
          • C:\Windows\SysWOW64\schtasks.exe
            C:\Windows\SysWOW64\schtasks.exe /Create /ru "SYSTEM" /SC ONSTART /F /TN "IE4Data" /TR "C:\Windows\SysWOW64\IE4Data.{E4D91FC0-3FED-FF00-0020-EF74DF1E0008}\IE4Data.cmd"
            5⤵
            • Creates scheduled task(s)
            PID:2564
          • C:\Windows\SysWOW64\schtasks.exe
            C:\Windows\SysWOW64\schtasks.exe /Create /ru "SYSTEM" /SC ONSTART /F /TN "IE4Data" /TR "C:\Windows\SysWOW64\IE4Data.{E4D91FC0-3FED-FF00-0020-EF74DF1E0008}\IE4Data.cmd"
            5⤵
            • Creates scheduled task(s)
            PID:4388
          • C:\Windows\SysWOW64\schtasks.exe
            C:\Windows\SysWOW64\schtasks.exe /Create /ru "SYSTEM" /SC ONSTART /F /TN "IE4Data" /TR "C:\Windows\SysWOW64\IE4Data.{E4D91FC0-3FED-FF00-0020-EF74DF1E0008}\IE4Data.cmd"
            5⤵
            • Creates scheduled task(s)
            PID:4372
          • C:\Windows\SysWOW64\schtasks.exe
            C:\Windows\SysWOW64\schtasks.exe /Create /ru "SYSTEM" /SC ONSTART /F /TN "IE4Data" /TR "C:\Windows\SysWOW64\IE4Data.{E4D91FC0-3FED-FF00-0020-EF74DF1E0008}\IE4Data.cmd"
            5⤵
            • Creates scheduled task(s)
            PID:4604
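The three behaviours that carry the weight of this report (the schtasks registration as SYSTEM at boot, the netsh allow-rules for a SysWOW64 svchost.exe, and Windows binaries spawned under a dropper in %TEMP%) are all visible in process-creation telemetry. The following is an added example, not part of the Triage report, showing how to hunt for them in Sysmon Event ID 1 / Security 4688 style records; the `ProcEvent` field names, the `EVENTS` list (a subset of the tree above with the report's PIDs and command lines) and the scoring heuristics are this example's own assumptions.

```python
"""Hunting logic for the behaviour in this report: schtasks persistence as SYSTEM,
netsh allow-rules for svchost.exe, and Windows binaries descending from %TEMP%.
Added example, not part of the Triage report; field names and heuristics are assumed."""
import re
from dataclasses import dataclass

TOKEN_RE = re.compile(r'"[^"]*"|\S+')       # cmd-style tokens, quotes kept
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # netsh key=value pairs
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

@dataclass(frozen=True)
class ProcEvent:  # one process-creation record (Sysmon ID 1 / 4688 shape, assumed)
    pid: int
    ppid: int
    image: str
    cmdline: str

def _base(path):
    return path.rsplit("\\", 1)[-1].lower()

def parse_schtasks(cmdline):
    toks = [t.strip('"') for t in TOKEN_RE.findall(cmdline)]
    if not toks or _base(toks[0]) not in ("schtasks.exe", "schtasks"):
        return None
    opts, i = {}, 1
    while i < len(toks):
        if toks[i].startswith("/"):
            key = toks[i][1:].lower()
            if i + 1 < len(toks) and not toks[i + 1].startswith("/"):
                opts[key], i = toks[i + 1], i + 1   # flag with a value
            else:
                opts[key] = True                    # bare switch such as /F
        i += 1
    return opts

def schtasks_findings(cmdline):
    opts = parse_schtasks(cmdline)
    if not opts or "create" not in opts:
        return []
    tr, why = str(opts.get("tr", "")), []
    if str(opts.get("ru", "")).upper() in ("SYSTEM", "NT AUTHORITY\\SYSTEM"):
        why.append("task runs as SYSTEM")
    if str(opts.get("sc", "")).upper() in ("ONSTART", "ONLOGON"):
        why.append("task fires at boot/logon")
    if tr.lower().endswith((".cmd", ".bat", ".vbs", ".js", ".ps1")):
        why.append("task action is a script")
    if GUID_RE.search(tr):
        why.append("task action path has a GUID-named component")
    return why

def netsh_findings(cmdline):
    if "advfirewall firewall add rule" not in cmdline.lower():
        return []
    rule = {k.lower(): v.strip('"') for k, v in KV_RE.findall(cmdline)}
    if rule.get("action", "").lower() != "allow":
        return []
    prog, why = rule.get("program", ""), []
    if _base(prog) == "svchost.exe" and "service" not in rule:
        why.append("allow rule for svchost.exe with no service= scope")
    if "\\syswow64\\" in prog.lower():
        why.append("rule targets the 32-bit binary under SysWOW64")
    if rule.get("name", "").lower().startswith("windows "):
        why.append("rule name mimics a Windows feature")  # naming heuristic
    return why

def tree_findings(events):
    by_pid, out = {e.pid: e for e in events}, {}
    for e in events:
        why, parent = [], by_pid.get(e.ppid)
        if _base(e.image) == "svchost.exe" and (parent is None or _base(parent.image) != "services.exe"):
            why.append("svchost.exe not started by services.exe")
        seen, p = set(), parent
        while p and p.pid not in seen:        # walk up; guard against pid-reuse loops
            if "\\appdata\\local\\temp\\" in p.image.lower():
                why.append("descends from a binary in %TEMP%")
                break
            seen.add(p.pid)
            p = by_pid.get(p.ppid)
        if why:
            out[e.pid] = why
    return out

def scan(events):
    """pid -> list of reasons, combining the tree checks with per-command checks."""
    found = tree_findings(events)
    for e in events:
        for r in schtasks_findings(e.cmdline) + netsh_findings(e.cmdline):
            found.setdefault(e.pid, []).append(r)
    return found

# Constructed from the process tree above (a subset; ppid 0 = parent not in the report).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.exe"
TASK = (r'C:\Windows\SysWOW64\schtasks.exe /Create /ru "SYSTEM" /SC ONSTART /F /TN "IE4Data" '
        r'/TR "C:\Windows\SysWOW64\IE4Data.{E4D91FC0-3FED-FF00-0020-EF74DF1E0008}\IE4Data.cmd"')
FW = (r'netsh advfirewall firewall add rule program="C:\Windows\SysWOW64\svchost.exe" '
      r'action=allow name="Windows Update" dir=%s profile=any')
EVENTS = [
    ProcEvent(2744, 0, SAMPLE, '"%s"' % SAMPLE),
    ProcEvent(4056, 2744, SAMPLE, '"%s"' % SAMPLE),
    ProcEvent(832, 4056, r"C:\Windows\SysWOW64\explorer.exe", r"C:\Windows\SysWOW64\explorer.exe"),
    ProcEvent(1624, 832, r"C:\Windows\SysWOW64\schtasks.exe", TASK),
    ProcEvent(5036, 832, r"C:\Windows\SysWOW64\svchost.exe", r"C:\Windows\SysWOW64\svchost.exe"),
    ProcEvent(5048, 5036, r"C:\Windows\SysWOW64\netsh.exe", FW % "in"),
    ProcEvent(740, 5036, r"C:\Windows\SysWOW64\netsh.exe", FW % "out"),
]
```

`scan(EVENTS)` flags every process except the top-level sample: the schtasks child collects the four command-line reasons plus its %TEMP% ancestry, the svchost.exe copy is caught purely on its parent, and the netsh children on the rule itself. The ancestry walk is the part worth keeping even when the command lines change between samples; the SYSTEM/ONSTART and svchost.exe-without-service= checks are cheap enough to run on every 4688 event.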

Network

        MITRE ATT&CK Enterprise v6

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\nsbBE64.tmp\System.dll

          Filesize

          11KB

          MD5

          883eff06ac96966270731e4e22817e11

          SHA1

          523c87c98236cbc04430e87ec19b977595092ac8

          SHA256

          44e5dfd551b38e886214bd6b9c8ee913c4c4d1f085a6575d97c3e892b925da82

          SHA512

          60333253342476911c84bbc1d9bf8a29f811207787fdd6107dce8d2b6e031669303f28133ffc811971ed7792087fe90fb1faabc0af4e91c298ba51e28109a390

        • C:\Users\Admin\AppData\Local\Temp\pervasions.dll

          Filesize

          48KB

          MD5

          747c985338806ee3e1dc3a48449bc3ce

          SHA1

          0f2801e2057941ff1b1308d55afed35a46232394

          SHA256

          1000ea709644af1a37332ffa8e214f8881157b287404c01839c293aaf871a2da

          SHA512

          8d29e0638ef3ab1623d600c986a048b4d91367bc90551edd0ccfbda8ad8eb3e4ef144ccd3e3e76831b296dc17c7f3ed316534c2f32a42b9a24072318ad25680c

        • C:\Windows\SysWOW64\IE4Data.{E4D91FC0-3FED-FF00-0020-EF74DF1E0008}\IE4Data.cmd

          Filesize

          138KB

          MD5

          cfa679562fd9617fac6a48c9675dcea9

          SHA1

          9cebe23223aef35aa45bf9d6473c0a18f89006db

          SHA256

          d9c49283e3e13a99782427ebd5e373bfd47293bbc89cb6a5f4ca675c9563ec4c

          SHA512

          a0002d15fe2c91d77ad6f6539bbd3d7721ae76fb98573ba242821b00b76ef3abaa8e245d9ac58e1c328359fd3244fce158fffbcd7c9e740a99575104b2b2b060

        • memory/832-160-0x0000000000490000-0x00000000008C3000-memory.dmp

          Filesize

          4.2MB

        • memory/832-162-0x0000000010000000-0x0000000010014000-memory.dmp

          Filesize

          80KB

        • memory/832-151-0x0000000000490000-0x00000000008C3000-memory.dmp

          Filesize

          4.2MB

        • memory/832-154-0x0000000000490000-0x00000000008C3000-memory.dmp

          Filesize

          4.2MB

        • memory/2744-145-0x0000000003000000-0x0000000003001000-memory.dmp

          Filesize

          4KB

        • memory/3124-170-0x0000000000490000-0x00000000008C3000-memory.dmp

          Filesize

          4.2MB

        • memory/3124-167-0x0000000000490000-0x00000000008C3000-memory.dmp

          Filesize

          4.2MB

        • memory/3124-171-0x0000000010000000-0x0000000010014000-memory.dmp

          Filesize

          80KB

        • memory/3124-163-0x0000000000490000-0x00000000008C3000-memory.dmp

          Filesize

          4.2MB

        • memory/3568-173-0x0000000000490000-0x00000000008C3000-memory.dmp

          Filesize

          4.2MB

        • memory/3568-175-0x0000000000490000-0x00000000008C3000-memory.dmp

          Filesize

          4.2MB

        • memory/3568-180-0x0000000010000000-0x0000000010014000-memory.dmp

          Filesize

          80KB

        • memory/3568-179-0x0000000000490000-0x00000000008C3000-memory.dmp

          Filesize

          4.2MB

        • memory/3708-193-0x0000000000D90000-0x0000000000DA6000-memory.dmp

          Filesize

          88KB

        • memory/3708-177-0x0000000000D90000-0x0000000000DA6000-memory.dmp

          Filesize

          88KB

        • memory/3708-194-0x0000000010000000-0x0000000010014000-memory.dmp

          Filesize

          80KB

        • memory/3708-178-0x0000000000D90000-0x0000000000DA6000-memory.dmp

          Filesize

          88KB

        • memory/3740-176-0x0000000000D90000-0x0000000000DA6000-memory.dmp

          Filesize

          88KB

        • memory/3740-191-0x0000000000D90000-0x0000000000DA6000-memory.dmp

          Filesize

          88KB

        • memory/3740-169-0x0000000000D90000-0x0000000000DA6000-memory.dmp

          Filesize

          88KB

        • memory/3740-192-0x0000000010000000-0x0000000010014000-memory.dmp

          Filesize

          80KB

        • memory/4056-146-0x0000000000400000-0x0000000000414000-memory.dmp

          Filesize

          80KB

        • memory/4056-149-0x0000000000400000-0x0000000000413014-memory.dmp

          Filesize

          76KB

        • memory/4056-148-0x0000000000400000-0x0000000000414000-memory.dmp

          Filesize

          80KB

        • memory/4940-195-0x0000000000D90000-0x0000000000DA6000-memory.dmp

          Filesize

          88KB

        • memory/4940-200-0x0000000000D90000-0x0000000000DA6000-memory.dmp

          Filesize

          88KB

        • memory/4940-203-0x0000000010000000-0x0000000010014000-memory.dmp

          Filesize

          80KB

        • memory/4940-197-0x0000000000D90000-0x0000000000DA6000-memory.dmp

          Filesize

          88KB

        • memory/5036-156-0x0000000000B30000-0x0000000000B3E000-memory.dmp

          Filesize

          56KB

        • memory/5036-165-0x0000000010000000-0x0000000010014000-memory.dmp

          Filesize

          80KB

        • memory/5036-164-0x0000000000B30000-0x0000000000B3E000-memory.dmp

          Filesize

          56KB

        • memory/5036-158-0x0000000000B30000-0x0000000000B3E000-memory.dmp

          Filesize

          56KB

        • memory/5036-172-0x0000000000400000-0x0000000000437000-memory.dmp

          Filesize

          220KB

        • memory/5036-204-0x0000000000400000-0x0000000000437000-memory.dmp

          Filesize

          220KB

        • memory/5036-205-0x0000000000400000-0x0000000000437000-memory.dmp

          Filesize

          220KB

        • memory/5036-208-0x0000000010000000-0x0000000010014000-memory.dmp

          Filesize

          80KB

        • memory/5036-209-0x0000000000400000-0x0000000000437000-memory.dmp

          Filesize

          220KB

        • memory/5080-182-0x0000000000490000-0x00000000008C3000-memory.dmp

          Filesize

          4.2MB

        • memory/5080-190-0x0000000010000000-0x0000000010014000-memory.dmp

          Filesize

          80KB

        • memory/5080-189-0x0000000000490000-0x00000000008C3000-memory.dmp

          Filesize

          4.2MB

        • memory/5080-184-0x0000000000490000-0x00000000008C3000-memory.dmp

          Filesize

          4.2MB