Analysis
- max time kernel: 135s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20230221-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-05-2023 18:10
Static task: static1
Behavioral task: behavioral1
- Sample: 9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: 9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe
- Resource: win10v2004-20230221-en
Behavioral task: behavioral3
- Sample: d2b638bc930015604dbede40dc3cb202e1fbfa8956c6168923e0bc0bfd400d98.exe
- Resource: win7-20230220-en
Behavioral task: behavioral4
- Sample: d2b638bc930015604dbede40dc3cb202e1fbfa8956c6168923e0bc0bfd400d98.exe
- Resource: win10v2004-20230220-en
General
- Target: 9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe
- Size: 1.1MB
- MD5: 0ede5189d2124e2de33daca7dfacecd8
- SHA1: b5b62e468bbc494bf039a2b84748a1c54ddf21cb
- SHA256: 9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660
- SHA512: dc97f9c4a840ad4968b5ab04824f5253b538103a11735c301e68862acf60469734dded0c322610d2138afb6b87eaa7db56551d1d1b38c7f1480ede0190dfe18e
- SSDEEP: 12288:jy0Vd6+UYMUiv4MBBlLakiL5R6ftjGFwWod5wgEBit9QVXdNo:j9ygM3lLalRajGeWmwgEBisVt6
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes: svhost.exe
  pid | process
  1596 | svhost.exe
- Drops desktop.ini file(s) (2 IoCs)
  Processes: 9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe
  description | ioc | process
  File created | C:\Windows\assembly\Desktop.ini | 9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe
  File opened for modification | C:\Windows\assembly\Desktop.ini | 9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  19 | bot.whatismyipaddress.com
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: 9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe
  description | pid | process | target process
  PID 2456 set thread context of 1596 | 2456 | 9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe | svhost.exe
- Drops file in Windows directory (3 IoCs)
  Processes: 9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe
  description | ioc | process
  File opened for modification | C:\Windows\assembly | 9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe
  File created | C:\Windows\assembly\Desktop.ini | 9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe
  File opened for modification | C:\Windows\assembly\Desktop.ini | 9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- NTFS ADS (1 IoCs)
  Processes: cmd.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier | cmd.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: 9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe
  pid | process
  2456 | 9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe
  2456 | 9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: 9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe
  description | pid | process
  Token: SeDebugPrivilege | 2456 | 9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes: 9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe, cmd.exe
  description | pid | process | target process
  PID 2456 wrote to memory of 3552 | 2456 | 9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe | cmd.exe (3 entries)
  PID 3552 wrote to memory of 5100 | 3552 | cmd.exe | reg.exe (3 entries)
  PID 2456 wrote to memory of 1596 | 2456 | 9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe | svhost.exe (8 entries)
Processes
- (1) C:\Users\Admin\AppData\Local\Temp\9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe"
  - Drops desktop.ini file(s)
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - (2) C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd.exe"
    - NTFS ADS
    - Suspicious use of WriteProcessMemory
    - (3) C:\Windows\SysWOW64\reg.exe
      Command line: reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
  - (2) C:\Users\Admin\AppData\Local\Temp\svhost.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe
  Filesize: 1.1MB
  MD5: 0ede5189d2124e2de33daca7dfacecd8
  SHA1: b5b62e468bbc494bf039a2b84748a1c54ddf21cb
  SHA256: 9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660
  SHA512: dc97f9c4a840ad4968b5ab04824f5253b538103a11735c301e68862acf60469734dded0c322610d2138afb6b87eaa7db56551d1d1b38c7f1480ede0190dfe18e
- C:\Users\Admin\AppData\Local\Temp\svhost.exe
  Filesize: 89KB
  MD5: 84c42d0f2c1ae761bef884638bc1eacd
  SHA1: 4353881e7f4e9c7610f4e0489183b55bb58bb574
  SHA256: 331487446653875bf1e628b797a5283e40056654f7ff328eafbe39b0304480d3
  SHA512: 43c307a38faa3a4b311597034cf75035a4434a1024d2a54e867e6a94b53b677898d71a858438d119000e872a7a6e92c5b31d277a8c207a94375ed4fd3c7beb87
- memory/1596-143-0x0000000000400000-0x0000000000498000-memory.dmp
  Filesize: 608KB
- memory/1596-146-0x0000000001350000-0x0000000001360000-memory.dmp
  Filesize: 64KB
- memory/1596-149-0x0000000001350000-0x0000000001360000-memory.dmp
  Filesize: 64KB
- memory/2456-133-0x0000000001030000-0x0000000001040000-memory.dmp
  Filesize: 64KB
- memory/2456-147-0x0000000001030000-0x0000000001040000-memory.dmp
  Filesize: 64KB