Analysis

max time kernel: 60s
max time network: 56s
platform: windows10-2004_x64
resource: win10v2004-20240226-uk
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-uk, locale:uk-ua, os:windows10-2004-x64, system:windows
submitted: 11/03/2024, 12:43
Static task: static1
General

Target:
Size: 2.0MB
MD5: c7e9746b1b039b8bd1106bca3038c38f
SHA1: cb93ac887876bafe39c5f9aa64970d5e747fb191
SHA256: b1369bd254d96f7966047ad4be06103830136629590182d49e5cb8680529ebd4
SHA512: cf5d688f1aec8ec65c1cb91d367da9a96911640c695d5c2d023836ef11e374ff158c152b4b6207e8fcdb5ccf0eed79741e080f1cbc915fe0af3dacd624525724
SSDEEP: 49152:FH/1Fdq0wneDrEoYxWFjmYMcKabLVp3diY7kp:FH/1Fdq0nIo2YAcl/NisA
Malware Config
Signatures

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 1 IoC)
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Antivirus = "\"C:\\Program Files (x86)\\AnVi\\avt.exe\" -noscan"
process: [email protected]
Drops file in System32 directory (7 IoCs)
All seven entries are "File opened for modification" by svchost.exe (the Winmgmt service host, PID 3452 in the process tree), and all are WMI repository files:
- C:\Windows\system32\wbem\repository\OBJECTS.DATA
- C:\Windows\system32\wbem\repository\INDEX.BTR
- C:\Windows\system32\wbem\repository
- C:\Windows\system32\wbem\repository\WRITABLE.TST
- C:\Windows\system32\wbem\repository\MAPPING1.MAP
- C:\Windows\system32\wbem\repository\MAPPING2.MAP
- C:\Windows\system32\wbem\repository\MAPPING3.MAP

Drops file in Program Files directory (2 IoCs)
- File created: C:\Program Files (x86)\AnVi\splash.mp3 (process: [email protected])
- File created: C:\Program Files (x86)\AnVi\virus.mp3 (process: [email protected])

Modifies Internet Explorer settings (2 IoCs)
- Key created: \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\Main (process: [email protected])
- Set value (str): \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Use FormSuggest = "Yes" (process: [email protected])
Runs net.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid 3268, process [email protected]

Suspicious use of AdjustPrivilegeToken (64 IoCs)
- pid 3920, mofcomp.exe (1 entry): Token: SeSecurityPrivilege
- pid 3452, svchost.exe (63 entries): the following twelve privileges adjusted in this order, the full cycle repeated five times and then the first three once more:
  SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemtimePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeSystemEnvironmentPrivilege, SeUndockPrivilege, SeManageVolumePrivilege
Suspicious use of FindShellTrayWindow (3 IoCs)
pid 3268, process [email protected] (3 entries)

Suspicious use of SendNotifyMessage (3 IoCs)
pid 3268, process [email protected] (3 entries)

Suspicious use of SetWindowsHookEx (11 IoCs)
pid 3268, process [email protected] (11 entries)

Suspicious use of WriteProcessMemory (27 IoCs)
Each source/target pair below is recorded three times (27 entries). The pairs are exactly the parent/child relationships in the process tree below; a parent writing into a process it has just created is what this signature records here, not injection into an unrelated process.
source pid | source process | target pid | procid_target
3268 | [email protected] | 4220 | 91
3268 | [email protected] | 4340 | 92
3268 | [email protected] | 2084 | 93
3268 | [email protected] | 4524 | 94
3268 | [email protected] | 3920 | 95
4340 | net.exe | 2608 | 101
4220 | net.exe | 2080 | 102
2084 | net.exe | 4984 | 103
4524 | net.exe | 5076 | 104
Processes

C:\Users\Admin\AppData\Local\Temp\[email protected]  (PID 3268)
  command line: "C:\Users\Admin\AppData\Local\Temp\[email protected]"
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  |
  +-- C:\Windows\SysWOW64\net.exe  net stop wscsvc  (PID 4220)
  |     - Suspicious use of WriteProcessMemory
  |     +-- C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop wscsvc  (PID 2080)
  |
  +-- C:\Windows\SysWOW64\net.exe  net stop winmgmt /y  (PID 4340)
  |     - Suspicious use of WriteProcessMemory
  |     +-- C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop winmgmt /y  (PID 2608)
  |
  +-- C:\Windows\SysWOW64\net.exe  net start winmgmt  (PID 2084)
  |     - Suspicious use of WriteProcessMemory
  |     +-- C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 start winmgmt  (PID 4984)
  |
  +-- C:\Windows\SysWOW64\net.exe  net start wscsvc  (PID 4524)
  |     - Suspicious use of WriteProcessMemory
  |     +-- C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 start wscsvc  (PID 5076)
  |
  +-- C:\Windows\SysWOW64\Wbem\mofcomp.exe  mofcomp C:\Users\Admin\AppData\Local\Temp\4otjesjty.mof  (PID 3920)
        - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\svchost.exe  C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt  (PID 3452)
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"  (PID 872)
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 443B
MD5: 7fad92afda308dca8acfc6ff45c80c24
SHA1: a7fa35e7f90f772fc943c2e940737a48b654c295
SHA256: 76e19416eb826a27bdcf626c3877cf7812bbe9b62cc2ccc5c2f65461d644246f
SHA512: 49eed1e1197401cb856064bf7fdbd9f3bc57f3c864d47f509346d44eed3b54757d8c6cdb6254990d21291065f0762d2a1588d09e43c5728f77a420f6a8dcd6ea

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82