Overview
overview
3Static
static
1Microsoft....we.zip
windows7-x64
1Microsoft....we.zip
windows10-2004-x64
1AppxBlockMap.xml
windows7-x64
1AppxBlockMap.xml
windows10-2004-x64
1AppxMetada...st.xml
windows7-x64
1AppxMetada...st.xml
windows10-2004-x64
1AppxSignature.p7x
windows7-x64
3AppxSignature.p7x
windows10-2004-x64
3Microsoft....4.appx
windows7-x64
Microsoft....4.appx
windows10-2004-x64
Microsoft....4.appx
windows7-x64
Microsoft....4.appx
windows10-2004-x64
1Microsoft....6.appx
windows7-x64
Microsoft....6.appx
windows10-2004-x64
1[Content_Types].xml
windows7-x64
1[Content_Types].xml
windows10-2004-x64
1Resubmissions
25-10-2023 13:58
231025-q979cshd42 125-10-2023 13:54
231025-q72c2ahc87 325-10-2023 13:53
231025-q6ywhshc46 1Analysis
-
max time kernel
170s -
max time network
167s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system -
submitted
25-10-2023 13:54
Static task
static1
Behavioral task
behavioral1
Sample
Microsoft.HEVCVideoExtension_2.0.61931.0_neutral_~_8wekyb3d8bbwe.zip
Resource
win7-20231020-en
windows7-x64
Behavioral task
behavioral2
Sample
Microsoft.HEVCVideoExtension_2.0.61931.0_neutral_~_8wekyb3d8bbwe.zip
Resource
win10v2004-20231023-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
AppxBlockMap.xml
Resource
win7-20231023-en
windows7-x64
Behavioral task
behavioral4
Sample
AppxBlockMap.xml
Resource
win10v2004-20231023-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
AppxMetadata/AppxBundleManifest.xml
Resource
win7-20231020-en
windows7-x64
Behavioral task
behavioral6
Sample
AppxMetadata/AppxBundleManifest.xml
Resource
win10v2004-20231023-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
AppxSignature.p7x
Resource
win7-20231020-en
windows7-x64
Behavioral task
behavioral8
Sample
AppxSignature.p7x
Resource
win10v2004-20231020-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
Microsoft.HEVCVideoExtension_8wekyb3d8bbwe.arm64.appx
Resource
win7-20231020-en
windows7-x64
Behavioral task
behavioral10
Sample
Microsoft.HEVCVideoExtension_8wekyb3d8bbwe.arm64.appx
Resource
win10v2004-20231023-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
Microsoft.HEVCVideoExtension_8wekyb3d8bbwe.x64.appx
Resource
win7-20231023-en
windows7-x64
Behavioral task
behavioral12
Sample
Microsoft.HEVCVideoExtension_8wekyb3d8bbwe.x64.appx
Resource
win10v2004-20231020-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
Microsoft.HEVCVideoExtension_8wekyb3d8bbwe.x86.appx
Resource
win7-20231023-en
windows7-x64
Behavioral task
behavioral14
Sample
Microsoft.HEVCVideoExtension_8wekyb3d8bbwe.x86.appx
Resource
win10v2004-20231023-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
[Content_Types].xml
Resource
win7-20231020-en
windows7-x64
Behavioral task
behavioral16
Sample
[Content_Types].xml
Resource
win10v2004-20231023-en
windows10-2004-x64
General
-
Target
AppxBlockMap.xml
-
Size
338B
-
MD5
7c1b108f8a1d6b86cf1b37e1845f628c
-
SHA1
25ae9fea16811c0478d503c316f6deb742911486
-
SHA256
acbbe52455c1edcfbf7c489e6dca3591a177406a1a13a2157eac09606c635e79
-
SHA512
aabd2fec0ac52c7f108ad63b43ae84e17da1efbf472e3bda1c5fbbe801a4813c9c3182e136ccbb92030dcacd754049b0cb85e05abe8a1801d3ee2856b0fb942a
Malware Config
Signatures
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
taskmgr.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe -
Suspicious behavior: EnumeratesProcesses 31 IoCs
Processes:
taskmgr.exepid Process 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
taskmgr.exedescription pid Process Token: SeDebugPrivilege 1680 taskmgr.exe Token: SeSystemProfilePrivilege 1680 taskmgr.exe Token: SeCreateGlobalPrivilege 1680 taskmgr.exe -
Suspicious use of FindShellTrayWindow 43 IoCs
Processes:
taskmgr.exepid Process 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe -
Suspicious use of SendNotifyMessage 43 IoCs
Processes:
taskmgr.exepid Process 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe 1680 taskmgr.exe
Processes
-
C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\AppxBlockMap.xml"1⤵PID:4528
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1680
-
C:\Windows\system32\werfault.exewerfault.exe /hc /shared Global\eb3ce09761b04d58bc9715f3193b3d07 /t 400 /p 28521⤵PID:1980