Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08-04-2024 22:37
Behavioral task: behavioral1
- Sample: 42BE3BED9261FBAE0A0AED767EBD88C0.exe
- Resource: win7-20240221-en
General
- Target: 42BE3BED9261FBAE0A0AED767EBD88C0.exe
- Size: 202KB
- MD5: 42be3bed9261fbae0a0aed767ebd88c0
- SHA1: 6630748f26ac9e3a8d19cb43eeacd77d506b1808
- SHA256: c1d29284b6d4ae244712dd49661841b36a6de2387cad6ab55388b22769151878
- SHA512: bf522bb82bdee59a355043b0af17c42bf79b1d4e59120d3fb9ffcb96aad369d221b60af1106b29c51286a94d95ccfc80cc69421590c20a9984c73d61174a7c7b
- SSDEEP: 3072:QzEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HIGYcsD6RA5E3bKKiCf3e0kYrOV:QLV6Bta6dtJmakIM5gcs8A5ELiUfoZ
Malware Config
Signatures
-
Adds policy Run key to start application 2 TTPs 4 IoCs
Processes (description / ioc / process):
- Key created: \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (server.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft = "C:\\Windows\\system32\\Microsoft\\svchost.exe" (server.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (server.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft = "C:\\Windows\\system32\\Microsoft\\svchost.exe" (server.exe)
Modifies Installed Components in the registry 2 TTPs 2 IoCs
Processes (description / ioc / process):
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F5S3313-FD88-4527-JB27-33H3H24487W2} (server.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F5S3313-FD88-4527-JB27-33H3H24487W2}\StubPath = "C:\\Windows\\system32\\Microsoft\\svchost.exe Restart" (server.exe)
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes (description / ioc / process):
- Key value queried: \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation (42BE3BED9261FBAE0A0AED767EBD88C0.exe)
Executes dropped EXE 2 IoCs
Processes (pid / process):
- 4316 server.exe
- 5060 svchost.exe
Processes (resource / yara_rule):
- behavioral2/memory/4316-21-0x0000000024010000-0x0000000024070000-memory.dmp: upx
- behavioral2/memory/4316-81-0x0000000024070000-0x00000000240D0000-memory.dmp: upx
- behavioral2/memory/1344-85-0x0000000024070000-0x00000000240D0000-memory.dmp: upx
- behavioral2/memory/1344-86-0x0000000024070000-0x00000000240D0000-memory.dmp: upx
- behavioral2/memory/3116-152-0x00000000240D0000-0x0000000024130000-memory.dmp: upx
Adds Run key to start application 2 TTPs 2 IoCs
Processes (description / ioc / process):
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Windows\\system32\\Microsoft\\svchost.exe" (server.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Windows\\system32\\Microsoft\\svchost.exe" (server.exe)
Checks whether UAC is enabled
Processes (description / ioc / process):
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (42BE3BED9261FBAE0A0AED767EBD88C0.exe)
Drops file in System32 directory 4 IoCs
Processes (description / ioc / process):
- File opened for modification: C:\Windows\SysWOW64\Microsoft\ (svchost.exe)
- File created: C:\Windows\SysWOW64\Microsoft\svchost.exe (server.exe)
- File opened for modification: C:\Windows\SysWOW64\Microsoft\svchost.exe (server.exe)
- File opened for modification: C:\Windows\SysWOW64\Microsoft\svchost.exe (svchost.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes (pid / pid_target / process / target process):
- 3128 / 5060 / WerFault.exe / svchost.exe
Modifies registry class 1 IoCs
Processes (description / ioc / process):
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (svchost.exe)
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes (pid / process):
- 4548 42BE3BED9261FBAE0A0AED767EBD88C0.exe (6 entries)
- 4316 server.exe (2 entries)
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes (pid / process):
- 4548 42BE3BED9261FBAE0A0AED767EBD88C0.exe
- 3116 svchost.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes (description / pid / process):
- Token: SeDebugPrivilege / 4548 / 42BE3BED9261FBAE0A0AED767EBD88C0.exe
- Token: SeDebugPrivilege / 3116 / svchost.exe
- Token: SeDebugPrivilege / 3116 / svchost.exe
Suspicious use of FindShellTrayWindow 1 IoCs
Processes (pid / process):
- 4316 server.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes (description / pid / process / target process):
- PID 4548 wrote to memory of 4316 / 4548 / 42BE3BED9261FBAE0A0AED767EBD88C0.exe / server.exe (3 entries)
- PID 4316 wrote to memory of 3376 / 4316 / server.exe / Explorer.EXE (the same row repeated for all remaining entries of the 64 IoCs)
Processes (process tree; indentation shows parent/child depth, and the command line is given under each image path)
- C:\Windows\Explorer.EXE (depth 1)
  Command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\42BE3BED9261FBAE0A0AED767EBD88C0.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\42BE3BED9261FBAE0A0AED767EBD88C0.exe"
    - Checks computer location settings
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\server.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
      - Adds policy Run key to start application
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\explorer.exe (depth 4)
        Command line: explorer.exe
      - C:\Windows\SysWOW64\svchost.exe (depth 4)
        Command line: "C:\Windows\System32\svchost.exe"
        - Drops file in System32 directory
        - Modifies registry class
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - C:\Windows\SysWOW64\Microsoft\svchost.exe (depth 5)
          Command line: "C:\Windows\system32\Microsoft\svchost.exe"
          - Executes dropped EXE
          - C:\Windows\SysWOW64\WerFault.exe (depth 6)
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 568
            - Program crash
- C:\Windows\SysWOW64\WerFault.exe (depth 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5060 -ip 5060
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
  Filesize: 221KB
  MD5: 3cb7bf855b54ba464c29178a1ce052cc
  SHA1: 18708b44365d1148cf4d928e1cc99343f5e0f4e6
  SHA256: 310efa33ac845566bf68422f58407b7270353eb62cb04e7cd5c48571810c9faf
  SHA512: db09e5270ec6cb70773fa25a8c5ebb4c331ab4b0b1c44e8cefec29e862bf84d534ae030fd3dd954c11847efea8059a305cbef9933aa2aa1df4bbadd386589219
- C:\Users\Admin\AppData\Local\Temp\server.exe
  Filesize: 282KB
  MD5: 9b0975e52c196e91d4bee83ec4a2d950
  SHA1: e049054e78b39dbc0d0b69ae88e03a86bab502a2
  SHA256: cd3ad6a8b2816ffcb6e38662071a3304562543e735fc730852316838c3ffefce
  SHA512: 91d38e6b53dac21ad2dd1010e86957a76d890efe8e9cc4dee55d03055a73a86764bd17b183d8c604d0ab7eae792d0cd6d5e5d74e7037200f9267da20db643751
- C:\Users\Admin\AppData\Roaming\logs.dat
  Filesize: 15B
  MD5: bf3dba41023802cf6d3f8c5fd683a0c7
  SHA1: 466530987a347b68ef28faad238d7b50db8656a5
  SHA256: 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
  SHA512: fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314
- memory/1344-85-0x0000000024070000-0x00000000240D0000-memory.dmp
  Filesize: 384KB
- memory/1344-26-0x0000000000730000-0x0000000000731000-memory.dmp
  Filesize: 4KB
- memory/1344-86-0x0000000024070000-0x00000000240D0000-memory.dmp
  Filesize: 384KB
- memory/1344-84-0x0000000003660000-0x0000000003661000-memory.dmp
  Filesize: 4KB
- memory/1344-25-0x0000000000670000-0x0000000000671000-memory.dmp
  Filesize: 4KB
- memory/3116-152-0x00000000240D0000-0x0000000024130000-memory.dmp
  Filesize: 384KB
- memory/4316-21-0x0000000024010000-0x0000000024070000-memory.dmp
  Filesize: 384KB
- memory/4316-81-0x0000000024070000-0x00000000240D0000-memory.dmp
  Filesize: 384KB
- memory/4548-8-0x0000000001810000-0x0000000001820000-memory.dmp
  Filesize: 64KB
- memory/4548-0-0x0000000074630000-0x0000000074BE1000-memory.dmp
  Filesize: 5.7MB
- memory/4548-7-0x0000000074630000-0x0000000074BE1000-memory.dmp
  Filesize: 5.7MB
- memory/4548-2-0x0000000074630000-0x0000000074BE1000-memory.dmp
  Filesize: 5.7MB
- memory/4548-9-0x0000000001810000-0x0000000001820000-memory.dmp
  Filesize: 64KB
- memory/4548-1-0x0000000001810000-0x0000000001820000-memory.dmp
  Filesize: 64KB