Analysis
max time kernel: 151s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted: 14-03-2024 21:58

Static task: static1
Behavioral task: behavioral1
  Sample: c9b6b9bfa26a7e9b2950f3e30820069d.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: c9b6b9bfa26a7e9b2950f3e30820069d.exe
  Resource: win10v2004-20240226-en
General
Target: c9b6b9bfa26a7e9b2950f3e30820069d.exe
Size: 407KB
MD5: c9b6b9bfa26a7e9b2950f3e30820069d
SHA1: 282b807d3a7adb05dfb527d5e7db0ee81f36167a
SHA256: 8061cf54b5728fc8eea005c8f5214dccc50f5417ac3d4b17de87aeec8c4ba255
SHA512: 1bfc76f7ec30162e5d015fec96f27ac55d19f0370fa62d07b58b7cb375ef1f7da82bc6ec448e1aac9ea524fd2b736e495bb166104a4498b4c1b24f4e8536fed6
SSDEEP: 12288:Tg0Cq6x4aIhpJIew5rzWZfb6YkOVYGXKmRjVNL:TyfsJezoxkOVim
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \\eF35400EoBhB35400\\eF35400EoBhB35400.exe" | c9b6b9bfa26a7e9b2950f3e30820069d.exe
Deletes itself (1 IoC)
Processes:
pid | process
3828 | eF35400EoBhB35400.exe
Executes dropped EXE (1 IoC)
Processes:
pid | process
3828 | eF35400EoBhB35400.exe
Processes:
resource | yara_rule
behavioral2/memory/4908-1-0x0000000000400000-0x00000000004CC000-memory.dmp | upx
behavioral2/memory/4908-82-0x0000000000400000-0x00000000004CC000-memory.dmp | upx
behavioral2/memory/3828-94-0x0000000000400000-0x00000000004CC000-memory.dmp | upx
behavioral2/memory/4908-111-0x0000000000400000-0x00000000004CC000-memory.dmp | upx
behavioral2/memory/3828-179-0x0000000000400000-0x00000000004CC000-memory.dmp | upx
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eF35400EoBhB35400 = "C:\\eF35400EoBhB35400\\eF35400EoBhB35400.exe" | eF35400EoBhB35400.exe
Program crash (2 IoCs)
Processes:
pid | pid_target | process | target process
4508 | 4908 | WerFault.exe | c9b6b9bfa26a7e9b2950f3e30820069d.exe
3920 | 3828 | WerFault.exe | eF35400EoBhB35400.exe
Modifies data under HKEY_USERS (26 IoCs)
Processes:
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\all\Overrides | OfficeClickToRun.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\Overrides | OfficeClickToRun.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | OfficeClickToRun.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry | OfficeClickToRun.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\TrustCenter\Experimentation | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun | OfficeClickToRun.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 50,1329 10,1329 15,1329 100,1329 6" | OfficeClickToRun.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata | OfficeClickToRun.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\ExternalFeatureOverrides\officeclicktorun | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\officeclicktorun\Overrides | OfficeClickToRun.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "2" | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSession\officeclicktorun | OfficeClickToRun.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "1" | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | OfficeClickToRun.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | OfficeClickToRun.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
pid | process
4908 | c9b6b9bfa26a7e9b2950f3e30820069d.exe (this identical row is listed 64 times in the report, one per enumeration)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 4908 | c9b6b9bfa26a7e9b2950f3e30820069d.exe
Token: SeDebugPrivilege | 3828 | eF35400EoBhB35400.exe
Suspicious use of FindShellTrayWindow (8 IoCs)
Processes:
pid | process
4416 | sihost.exe
1128 | sihost.exe
3536 | sihost.exe
2376 | sihost.exe
3548 | sihost.exe
2432 | sihost.exe
3828 | eF35400EoBhB35400.exe
3828 | eF35400EoBhB35400.exe
Suspicious use of SendNotifyMessage (2 IoCs)
Processes:
pid | process
3828 | eF35400EoBhB35400.exe
3828 | eF35400EoBhB35400.exe
Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
pid | process
4060 | OfficeClickToRun.exe
Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
description | pid | process | target process
PID 4908 wrote to memory of 3828 | 4908 | c9b6b9bfa26a7e9b2950f3e30820069d.exe | eF35400EoBhB35400.exe
PID 4908 wrote to memory of 3828 | 4908 | c9b6b9bfa26a7e9b2950f3e30820069d.exe | eF35400EoBhB35400.exe
PID 4908 wrote to memory of 3828 | 4908 | c9b6b9bfa26a7e9b2950f3e30820069d.exe | eF35400EoBhB35400.exe
Processes
(process tree; indentation shows parent/child depth, signatures triggered by each process are listed beneath it)

- C:\Users\Admin\AppData\Local\Temp\c9b6b9bfa26a7e9b2950f3e30820069d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c9b6b9bfa26a7e9b2950f3e30820069d.exe"
  - Modifies WinLogon for persistence
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 848
    - Program crash
  - Child: C:\eF35400EoBhB35400\eF35400EoBhB35400.exe
    Command line: "\eF35400EoBhB35400\eF35400EoBhB35400.exe" "C:\Users\Admin\AppData\Local\Temp\c9b6b9bfa26a7e9b2950f3e30820069d.exe"
    - Deletes itself
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Child: C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3828 -s 840
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4908 -ip 4908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4068 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:8
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3828 -ip 3828
- C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
  Command line: "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\sihost.exe
  Command line: sihost.exe
  - Suspicious use of FindShellTrayWindow
- C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
  Command line: "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
- C:\Windows\system32\sihost.exe
  Command line: sihost.exe
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\sihost.exe
  Command line: sihost.exe
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\sihost.exe
  Command line: sihost.exe
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\sihost.exe
  Command line: sihost.exe
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\sihost.exe
  Command line: sihost.exe
  - Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\eF35400EoBhB35400\eF35400EoBhB35400.exe
  Filesize: 407KB
  MD5: 1ef94d42f5e2c78aa70b6fcb1b15c9cf
  SHA1: 547d4d9dc7b11cade6eb4633e0122d3420a9bc49
  SHA256: 984093c6cd08ccd615de74cce83064fffc5d58dc4356c9de158a9f1adb1e4d41
  SHA512: d3eba85233b56e26acf0fbbcf844665aed2d8f498c741ed7f9582426c250e01f9c166d1f3aa9c2ac8e5ff0d5d5d4d8c8f8f4187451bad5e7023630c54102c28d
- memory/3828-94-0x0000000000400000-0x00000000004CC000-memory.dmp
  Filesize: 816KB
- memory/3828-95-0x0000000002010000-0x0000000002011000-memory.dmp
  Filesize: 4KB
- memory/3828-179-0x0000000000400000-0x00000000004CC000-memory.dmp
  Filesize: 816KB
- memory/4908-0-0x0000000000690000-0x0000000000693000-memory.dmp
  Filesize: 12KB
- memory/4908-1-0x0000000000400000-0x00000000004CC000-memory.dmp
  Filesize: 816KB
- memory/4908-2-0x00000000006B0000-0x00000000006B1000-memory.dmp
  Filesize: 4KB
- memory/4908-82-0x0000000000400000-0x00000000004CC000-memory.dmp
  Filesize: 816KB
- memory/4908-111-0x0000000000400000-0x00000000004CC000-memory.dmp
  Filesize: 816KB