Analysis
max time kernel: 118s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-07-2024 02:07
Static task: static1
Behavioral task: behavioral1
  Sample: 261671551f4b2c549af30d3c9165ced0N.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 261671551f4b2c549af30d3c9165ced0N.exe
  Resource: win10v2004-20240709-en
General
Target: 261671551f4b2c549af30d3c9165ced0N.exe
Size: 225KB
MD5: 261671551f4b2c549af30d3c9165ced0
SHA1: af77c63ce9b6a83e4276aa81f1feb8d14a88b810
SHA256: fd60b3d45d3f37279dd1db72d4c74cc7bc5264189eaa60484b77bf5c881f4307
SHA512: c5ce800f855ad6a93223b164f66d144b7e9f155e8e332b912e0677406a5e49dcd3ff3de5a6487269adf2aaaa83bdb547ccb247253b2074981cf842510a67ac76
SSDEEP: 6144:BA2P27yTAnKGw0hjFhSR/W11yAJ9v0pMtRCpYM:BATuTAnKGwUAW3ycQqgf
Malware Config
Signatures
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (2 IoCs)
  Processes (pid, pid_target, process, target process):
    3236  392   WerFault.exe  winver.exe
    2108  4504  WerFault.exe  261671551f4b2c549af30d3c9165ced0N.exe
- Modifies data under HKEY_USERS (1 IoC)
  Processes (description, ioc, process):
    Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client"  svchost.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid, process):
    4504  261671551f4b2c549af30d3c9165ced0N.exe
    4504  261671551f4b2c549af30d3c9165ced0N.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes (description, pid, process):
    Token: SeShutdownPrivilege        3440  Explorer.EXE
    Token: SeCreatePagefilePrivilege  3440  Explorer.EXE
    Token: SeShutdownPrivilege        3440  Explorer.EXE
    Token: SeCreatePagefilePrivilege  3440  Explorer.EXE
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes (pid, process):
    392   winver.exe
    4504  261671551f4b2c549af30d3c9165ced0N.exe
- Suspicious use of UnmapMainImage (1 IoC)
  Processes (pid, process):
    3440  Explorer.EXE
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes (description, pid, process, target process):
    PID 4504 wrote to memory of 392   4504  261671551f4b2c549af30d3c9165ced0N.exe  winver.exe
    PID 4504 wrote to memory of 392   4504  261671551f4b2c549af30d3c9165ced0N.exe  winver.exe
    PID 4504 wrote to memory of 392   4504  261671551f4b2c549af30d3c9165ced0N.exe  winver.exe
    PID 4504 wrote to memory of 392   4504  261671551f4b2c549af30d3c9165ced0N.exe  winver.exe
    PID 392 wrote to memory of 3440   392   winver.exe                             Explorer.EXE
    PID 4504 wrote to memory of 3440  4504  261671551f4b2c549af30d3c9165ced0N.exe  Explorer.EXE
    PID 4504 wrote to memory of 2696  4504  261671551f4b2c549af30d3c9165ced0N.exe  sihost.exe
Processes (process tree; indentation shows parent/child depth, path followed by command line)
C:\Windows\system32\sihost.exe
  sihost.exe
C:\Windows\Explorer.EXE
  C:\Windows\Explorer.EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  C:\Users\Admin\AppData\Local\Temp\261671551f4b2c549af30d3c9165ced0N.exe
    "C:\Users\Admin\AppData\Local\Temp\261671551f4b2c549af30d3c9165ced0N.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\winver.exe
      winver
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 392 -s 300
        - Program crash
    C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 952
      - Program crash
C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
  - Modifies data under HKEY_USERS
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 392 -ip 392
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4504 -ip 4504
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads (memory dumps, with file size)
memory/2696-13-0x00000000003E0000-0x00000000003E6000-memory.dmp  24KB
memory/2696-19-0x00000000003E0000-0x00000000003E6000-memory.dmp  24KB
memory/3440-4-0x00000000029D0000-0x00000000029D6000-memory.dmp   24KB
memory/3440-5-0x00000000029D0000-0x00000000029D6000-memory.dmp   24KB
memory/3440-11-0x00000000029E0000-0x00000000029E6000-memory.dmp  24KB
memory/4504-1-0x00000000045B0000-0x0000000004C08000-memory.dmp   6.3MB
memory/4504-2-0x0000000003D80000-0x0000000003D81000-memory.dmp   4KB
memory/4504-6-0x0000000000400000-0x000000000043C000-memory.dmp   240KB
memory/4504-10-0x00000000057C0000-0x00000000061C0000-memory.dmp  10.0MB
memory/4504-14-0x00000000057C0000-0x00000000061C0000-memory.dmp  10.0MB
memory/4504-18-0x00000000045B0000-0x0000000004C08000-memory.dmp  6.3MB