Analysis
max time kernel: 155s
max time network: 159s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-10-2023 02:51
Behavioral task: behavioral1
Sample: f912be8287054d423391ab02ae3ce840.exe
Resource: win7-20231025-en

Behavioral task: behavioral2
Sample: f912be8287054d423391ab02ae3ce840.exe
Resource: win10v2004-20231023-en
General
Target: f912be8287054d423391ab02ae3ce840.exe
Size: 45KB
MD5: f912be8287054d423391ab02ae3ce840
SHA1: ab262c6f5be9fca39354dc60a7b559db899c6aaa
SHA256: 21975b5d29637803300a8442c7f0cedd2966acc4a15fde77479ac5ad7b01c5ba
SHA512: 733175882a4ea45f3caf5701ad9004c42984a62fb66e8239e8ef6429985a65ea85edac434f19b55c310d49cb7872e7af0d78d6672ff7755e0a86510bef41ce3b
SSDEEP: 768:whP0kDE9N5dCA8J7VHXdrIniQaBTT+QQ+r1n4K8+C9TtIuCjaqUODvJVQ2f:MsWE9N5dFu53dsniQaB/xZ14n7zIF+qr
Malware Config
Signatures

resource | yara_rule
behavioral2/memory/3316-0-0x0000000000400000-0x000000000041D000-memory.dmp | upx

Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3AD2BEE2 = "C:\\Users\\Admin\\AppData\\Roaming\\3AD2BEE2\\bin.exe" | winver.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
4408 | winver.exe (the same entry is listed 64 times)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
3100 | Explorer.EXE

Suspicious use of AdjustPrivilegeToken (5 IoCs)
description | pid | Process
Token: SeShutdownPrivilege | 3100 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3100 | Explorer.EXE
Token: SeDebugPrivilege | 4924 | backgroundTaskHost.exe
Token: SeDebugPrivilege | 4924 | backgroundTaskHost.exe
Token: SeDebugPrivilege | 4924 | backgroundTaskHost.exe

Suspicious use of FindShellTrayWindow (1 IoC)
pid | Process
4408 | winver.exe

Suspicious use of UnmapMainImage (2 IoCs)
pid | Process
3100 | Explorer.EXE
3792 | StartMenuExperienceHost.exe

Suspicious use of WriteProcessMemory (22 IoCs)
description | pid | Process | procid_target
PID 3316 wrote to memory of 4408 | 3316 | f912be8287054d423391ab02ae3ce840.exe | 89
PID 3316 wrote to memory of 4408 | 3316 | f912be8287054d423391ab02ae3ce840.exe | 89
PID 3316 wrote to memory of 4408 | 3316 | f912be8287054d423391ab02ae3ce840.exe | 89
PID 3316 wrote to memory of 4408 | 3316 | f912be8287054d423391ab02ae3ce840.exe | 89
PID 4408 wrote to memory of 3100 | 4408 | winver.exe | 46
PID 4408 wrote to memory of 2416 | 4408 | winver.exe | 57
PID 4408 wrote to memory of 2452 | 4408 | winver.exe | 56
PID 4408 wrote to memory of 2624 | 4408 | winver.exe | 51
PID 4408 wrote to memory of 3100 | 4408 | winver.exe | 46
PID 4408 wrote to memory of 3404 | 4408 | winver.exe | 44
PID 4408 wrote to memory of 3648 | 4408 | winver.exe | 43
PID 4408 wrote to memory of 3792 | 4408 | winver.exe | 42
PID 4408 wrote to memory of 3900 | 4408 | winver.exe | 17
PID 4408 wrote to memory of 4012 | 4408 | winver.exe | 41
PID 4408 wrote to memory of 3716 | 4408 | winver.exe | 40
PID 4408 wrote to memory of 4296 | 4408 | winver.exe | 38
PID 4408 wrote to memory of 1072 | 4408 | winver.exe | 28
PID 4408 wrote to memory of 4160 | 4408 | winver.exe | 23
PID 4408 wrote to memory of 2348 | 4408 | winver.exe | 22
PID 4408 wrote to memory of 2500 | 4408 | winver.exe | 19
PID 4408 wrote to memory of 4300 | 4408 | winver.exe | 86
PID 4408 wrote to memory of 4924 | 4408 | winver.exe | 95
Processes
- C:\Windows\System32\RuntimeBroker.exe
  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 3900
- C:\Windows\System32\RuntimeBroker.exe
  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 2500
- C:\Windows\system32\backgroundTaskHost.exe
  cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca
  PID: 2348
- C:\Windows\system32\backgroundTaskHost.exe
  cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
  PID: 4160
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  cmdline: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  PID: 1072
- C:\Windows\System32\RuntimeBroker.exe
  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 4296
- C:\Windows\System32\RuntimeBroker.exe
  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 3716
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID: 4012
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  signatures: Suspicious use of UnmapMainImage
  PID: 3792
- C:\Windows\system32\DllHost.exe
  cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 3648
- C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
  PID: 3404
- C:\Windows\Explorer.EXE
  cmdline: C:\Windows\Explorer.EXE
  signatures: Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of UnmapMainImage
  PID: 3100
  - C:\Users\Admin\AppData\Local\Temp\f912be8287054d423391ab02ae3ce840.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\f912be8287054d423391ab02ae3ce840.exe"
    signatures: Suspicious use of WriteProcessMemory
    PID: 3316
    - C:\Windows\SysWOW64\winver.exe
      cmdline: winver
      signatures: Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
      PID: 4408
- C:\Windows\system32\taskhostw.exe
  cmdline: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  PID: 2624
- C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
  PID: 2452
- C:\Windows\system32\sihost.exe
  cmdline: sihost.exe
  PID: 2416
- C:\Windows\System32\RuntimeBroker.exe
  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 4300
- C:\Windows\system32\backgroundTaskHost.exe
  cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  signatures: Suspicious use of AdjustPrivilegeToken
  PID: 4924
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338388\eventbeacons.dat
  Filesize: 416B
  MD5: ee9f06296e8e1e975e6501e2e2d73039
  SHA1: 3036d2611df70e2c0597279a2454a4035fd90358
  SHA256: 9c360219c23e7ca54f0258048fa6dfa7a54ed04dba648cb97b095723f9615bd8
  SHA512: 2a4c0434424b5d23cf84e6790cd3f502dd8f3835d661dbe920ac4986ea0679799d3ed4dbf11bdc614808f7a75a65eb92cdaa5cfd3862b24d779e32fa79031f34
- C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338388\eventbeacons.dat
  Filesize: 213B
  MD5: 4c554baa3c62cd8189de83e58380010d
  SHA1: 6ac52facdd67cc17dad037d832412fdf1d5b34f6
  SHA256: 39765255bbf289e79a827c24931fe540f666483880343f616b443f766b58da22
  SHA512: 34fc395d7c8c8b5d9913a74a839c99535e457f04deee21a7072c8492eadda6e205b2773000ba0f90b5c81717b6b1016d2be14a488e5238322ecaf0ba5dfa6b58
- C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338388\eventbeacons.dat
  Filesize: 629B
  MD5: 5f83d4568db23b0663277e62b889af3e
  SHA1: 94394eb9d37aa92fe9d1d4f381602aa3a6d79553
  SHA256: ca5b28df6522a63dee3d2eb58964adefe222a9d6ee2310c81d49a10ee3f239b2
  SHA512: 8579aec54646fa1c9a8cf08c4f965fc55ae0b93a46d18fce96a91e9f9939e2da6a45cfa2be9859a6cc3335cac75027cce9cd1c9c05a83255f6e463e32810ab78
- C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\310091\5ddfea7294a54b309725c215bdb42441_1
  Filesize: 1KB
  MD5: 50c125df8ea415c195ab5472752906da
  SHA1: c1bda72f802ac09ca16394ccd94bdcd1df44de44
  SHA256: 5fc0160aa2f203516b4ebcc76f93f55327b5fc0888dc8e2775f4ae09a1e7a5f7
  SHA512: 61a293c368a60155e36b9cd9ebc226584e76859a6b85e90d87983e383a7c7606bf382d1e233700ef08b30a89aabe6989fa67d5bb77e207c3e2416e3b65fe4232
- C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\338388\f85a4eff66c1407584b5adf162125869_1
  Filesize: 2KB
  MD5: 7870bdfadf197731be6817f275bb17bc
  SHA1: 46a123e4fb6e1812813276b5a60a5c8c059acb47
  SHA256: 39b244700185185ac8de0dc522eff64d1127cb7601d7c7290bf0b1279c14bb5e
  SHA512: 3951f60f3e62995d1e0726c06aa33e71b539530e1e01cbffcdf6ef5822f1d736e577dc49ed9478199730a89b78574f34963afc4ea9cdf3d71700b03b2331201c