Analysis
max time kernel: 152s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-05-2024 02:25
Static task: static1
Behavioral task: behavioral1
  Sample: b5b256bfc52004916f9cc8706b41de76a3a4ddebd5957b6088c5f69a77017a79.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: b5b256bfc52004916f9cc8706b41de76a3a4ddebd5957b6088c5f69a77017a79.exe
  Resource: win10v2004-20240226-en
General
Target: b5b256bfc52004916f9cc8706b41de76a3a4ddebd5957b6088c5f69a77017a79.exe
Size: 225KB
MD5: 20f2ca8b394c759018cdb7639c17a5e9
SHA1: 25498dea4b25b2f1f116b9c30077e2d7e772a49a
SHA256: b5b256bfc52004916f9cc8706b41de76a3a4ddebd5957b6088c5f69a77017a79
SHA512: cf862f798b5712ccab3ab7c070dc59dac0847a85a0e4529fbe508c7e2ce1131a21bc70e6e5825fb9a83223a0d06393a84da8336f348b15680c10375664fd50df
SSDEEP: 6144:gA2P27yTAnKGw0hjFhSR/W11yAJ9v0pMtRCpYM:gATuTAnKGwUAW3ycQqgf
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: winver.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6A70B7A8 = "C:\\Users\\Admin\\AppData\\Roaming\\6A70B7A8\\bin.exe" | winver.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies data under HKEY_USERS (1 IoC)
  Processes: svchost.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client" | svchost.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: winver.exe
  pid | process
  5076 | winver.exe (this entry is repeated 64 times in the report)
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes: winver.exe
  pid | process
  5076 | winver.exe
- Suspicious use of WriteProcessMemory (26 IoCs)
  Processes: b5b256bfc52004916f9cc8706b41de76a3a4ddebd5957b6088c5f69a77017a79.exe, winver.exe
  description | pid | process | target process
  PID 2104 wrote to memory of 5076 | 2104 | b5b256bfc52004916f9cc8706b41de76a3a4ddebd5957b6088c5f69a77017a79.exe | winver.exe (this entry appears 4 times)
  PID 5076 wrote to memory of 3364 | 5076 | winver.exe | Explorer.EXE
  PID 5076 wrote to memory of 2460 | 5076 | winver.exe | sihost.exe
  PID 5076 wrote to memory of 2508 | 5076 | winver.exe | svchost.exe
  PID 5076 wrote to memory of 2632 | 5076 | winver.exe | taskhostw.exe
  PID 5076 wrote to memory of 3364 | 5076 | winver.exe | Explorer.EXE
  PID 5076 wrote to memory of 3544 | 5076 | winver.exe | svchost.exe
  PID 5076 wrote to memory of 3716 | 5076 | winver.exe | DllHost.exe
  PID 5076 wrote to memory of 3816 | 5076 | winver.exe | StartMenuExperienceHost.exe
  PID 5076 wrote to memory of 3920 | 5076 | winver.exe | RuntimeBroker.exe
  PID 5076 wrote to memory of 4008 | 5076 | winver.exe | SearchApp.exe
  PID 5076 wrote to memory of 3848 | 5076 | winver.exe | RuntimeBroker.exe
  PID 5076 wrote to memory of 4360 | 5076 | winver.exe | RuntimeBroker.exe
  PID 5076 wrote to memory of 3124 | 5076 | winver.exe | TextInputHost.exe
  PID 5076 wrote to memory of 320 | 5076 | winver.exe | msedge.exe
  PID 5076 wrote to memory of 2944 | 5076 | winver.exe | msedge.exe
  PID 5076 wrote to memory of 2560 | 5076 | winver.exe | msedge.exe
  PID 5076 wrote to memory of 4604 | 5076 | winver.exe | msedge.exe
  PID 5076 wrote to memory of 3864 | 5076 | winver.exe | msedge.exe
  PID 5076 wrote to memory of 768 | 5076 | winver.exe | msedge.exe
  PID 5076 wrote to memory of 3172 | 5076 | winver.exe | msedge.exe
  PID 5076 wrote to memory of 2104 | 5076 | winver.exe | b5b256bfc52004916f9cc8706b41de76a3a4ddebd5957b6088c5f69a77017a79.exe
  PID 5076 wrote to memory of 2112 | 5076 | winver.exe | msedge.exe
Processes (indented by tree depth)
- C:\Windows\system32\sihost.exe
  command line: sihost.exe
- C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- C:\Windows\system32\taskhostw.exe
  command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\b5b256bfc52004916f9cc8706b41de76a3a4ddebd5957b6088c5f69a77017a79.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\b5b256bfc52004916f9cc8706b41de76a3a4ddebd5957b6088c5f69a77017a79.exe"
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\winver.exe
      command line: winver
      signatures: Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
- C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x238,0x23c,0x240,0x234,0x2b0,0x7ffe57e72e98,0x7ffe57e72ea4,0x7ffe57e72eb0
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2280 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:2
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2328 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:3
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=2472 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --mojo-platform-channel-handle=5232 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --mojo-platform-channel-handle=5540 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1312 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
- C:\Windows\System32\svchost.exe
  command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
  signatures: Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 9KB
  MD5: cfd47abde5f4a8bc6f16d356759a0e69
  SHA1: 0e417d7feb14287c26958287f5d3009b27213583
  SHA256: 826f76218e16210229aa08fe707e91acacede8beaf91a43264be27bf72f9606b
  SHA512: 051121d4a290cad0f2e32edf9c19514727a8103e71b818c600f5e67fc2c6b1ed449c52f5597de65c614eae4a3c06508e695548ca33cf1a3424c715c8443a18b8
- Memory dumps (path: Filesize)
  memory/2104-2-0x00000000044F0000-0x00000000044F1000-memory.dmp: 4KB
  memory/2104-1-0x0000000004630000-0x0000000004C88000-memory.dmp: 6.3MB
  memory/2104-9-0x0000000000400000-0x000000000043C000-memory.dmp: 240KB
  memory/2104-23-0x0000000004630000-0x0000000004C88000-memory.dmp: 6.3MB
  memory/2460-28-0x0000000000B40000-0x0000000000B46000-memory.dmp: 24KB
  memory/2460-10-0x0000000000B40000-0x0000000000B46000-memory.dmp: 24KB
  memory/2508-11-0x0000000000AE0000-0x0000000000AE6000-memory.dmp: 24KB
  memory/2508-27-0x0000000000AE0000-0x0000000000AE6000-memory.dmp: 24KB
  memory/2632-26-0x0000000000BE0000-0x0000000000BE6000-memory.dmp: 24KB
  memory/2632-12-0x0000000000BE0000-0x0000000000BE6000-memory.dmp: 24KB
  memory/3124-30-0x0000000000570000-0x0000000000576000-memory.dmp: 24KB
  memory/3124-21-0x0000000000570000-0x0000000000576000-memory.dmp: 24KB
  memory/3364-24-0x00000000009E0000-0x00000000009E6000-memory.dmp: 24KB
  memory/3364-7-0x00000000009D0000-0x00000000009D6000-memory.dmp: 24KB
  memory/3364-13-0x00000000009E0000-0x00000000009E6000-memory.dmp: 24KB
  memory/3364-4-0x00000000009D0000-0x00000000009D6000-memory.dmp: 24KB
  memory/3544-14-0x0000000000800000-0x0000000000806000-memory.dmp: 24KB
  memory/3544-33-0x0000000000800000-0x0000000000806000-memory.dmp: 24KB
  memory/3716-15-0x0000000000270000-0x0000000000276000-memory.dmp: 24KB
  memory/3716-25-0x0000000000270000-0x0000000000276000-memory.dmp: 24KB
  memory/3816-16-0x0000000000DC0000-0x0000000000DC6000-memory.dmp: 24KB
  memory/3816-34-0x0000000000DC0000-0x0000000000DC6000-memory.dmp: 24KB
  memory/3848-19-0x00000000006A0000-0x00000000006A6000-memory.dmp: 24KB
  memory/3848-31-0x00000000006A0000-0x00000000006A6000-memory.dmp: 24KB
  memory/3920-32-0x00000000006E0000-0x00000000006E6000-memory.dmp: 24KB
  memory/3920-17-0x00000000006E0000-0x00000000006E6000-memory.dmp: 24KB
  memory/4008-18-0x0000000000FB0000-0x0000000000FB6000-memory.dmp: 24KB
  memory/4360-20-0x00000000002C0000-0x00000000002C6000-memory.dmp: 24KB
  memory/4360-29-0x00000000002C0000-0x00000000002C6000-memory.dmp: 24KB
  memory/5076-5-0x0000000000E50000-0x0000000000E56000-memory.dmp: 24KB
  memory/5076-22-0x0000000002400000-0x0000000002406000-memory.dmp: 24KB
  memory/5076-36-0x0000000002400000-0x0000000002406000-memory.dmp: 24KB