Analysis
- max time kernel: 118s
- max time network: 94s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15-07-2024 04:52
Static task: static1

Behavioral task: behavioral1
- Sample: 85d4c08f11644f140e799ad3e4334820N.exe
- Resource: win7-20240708-en

Behavioral task: behavioral2
- Sample: 85d4c08f11644f140e799ad3e4334820N.exe
- Resource: win10v2004-20240709-en
General
- Target: 85d4c08f11644f140e799ad3e4334820N.exe
- Size: 225KB
- MD5: 85d4c08f11644f140e799ad3e4334820
- SHA1: 32560142b603b7633aa8822a445fb710f2619b67
- SHA256: 3ef01dd76204678308f6e001dc14bf7892f6582ac0255f30e77929c359f8b608
- SHA512: 1db90db0497d06fc5739b4742d3c222622ea7c118b0c29a84fed925042c825626c9f3e6e9ff2a2d8061eb4fa8877fbc2a6dd8fc3277378ee5d5560864d049eec
- SSDEEP: 6144:PA2P27yTAnKGw0hjFhSR/W11yAJ9v0pMtRCpYM:PATuTAnKGwUAW3ycQqgf
Signatures

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Program crash (2 IoCs)
  Processes:
  pid  | pid_target | process      | target process
  4356 | 3916       | WerFault.exe | winver.exe
  4264 | 4524       | WerFault.exe | 85d4c08f11644f140e799ad3e4334820N.exe

- Modifies data under HKEY_USERS (1 IoCs)
  Processes:
  description     | ioc | process
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client" | svchost.exe

- Modifies registry class (1 IoCs)
  Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | Explorer.EXE

- Suspicious use of AdjustPrivilegeToken (16 IoCs)
  Processes:
  description                      | pid  | process
  Token: SeShutdownPrivilege       | 3520 | Explorer.EXE
  Token: SeCreatePagefilePrivilege | 3520 | Explorer.EXE
  Token: SeShutdownPrivilege       | 3520 | Explorer.EXE
  Token: SeCreatePagefilePrivilege | 3520 | Explorer.EXE
  Token: SeShutdownPrivilege       | 3520 | Explorer.EXE
  Token: SeCreatePagefilePrivilege | 3520 | Explorer.EXE
  Token: SeShutdownPrivilege       | 3520 | Explorer.EXE
  Token: SeCreatePagefilePrivilege | 3520 | Explorer.EXE
  Token: SeShutdownPrivilege       | 3520 | Explorer.EXE
  Token: SeCreatePagefilePrivilege | 3520 | Explorer.EXE
  Token: SeShutdownPrivilege       | 3520 | Explorer.EXE
  Token: SeCreatePagefilePrivilege | 3520 | Explorer.EXE
  Token: SeShutdownPrivilege       | 3520 | Explorer.EXE
  Token: SeCreatePagefilePrivilege | 3520 | Explorer.EXE
  Token: SeShutdownPrivilege       | 3520 | Explorer.EXE
  Token: SeCreatePagefilePrivilege | 3520 | Explorer.EXE

- Suspicious use of FindShellTrayWindow (4 IoCs)
  Processes:
  pid  | process
  3916 | winver.exe
  3520 | Explorer.EXE
  3520 | Explorer.EXE
  4524 | 85d4c08f11644f140e799ad3e4334820N.exe

- Suspicious use of UnmapMainImage (1 IoCs)
  Processes:
  pid  | process
  3520 | Explorer.EXE

- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  description                        | pid  | process                               | target process
  PID 4524 wrote to memory of 3916   | 4524 | 85d4c08f11644f140e799ad3e4334820N.exe | winver.exe
  PID 4524 wrote to memory of 3916   | 4524 | 85d4c08f11644f140e799ad3e4334820N.exe | winver.exe
  PID 4524 wrote to memory of 3916   | 4524 | 85d4c08f11644f140e799ad3e4334820N.exe | winver.exe
  PID 4524 wrote to memory of 3916   | 4524 | 85d4c08f11644f140e799ad3e4334820N.exe | winver.exe
  PID 3916 wrote to memory of 3520   | 3916 | winver.exe                            | Explorer.EXE
  PID 4524 wrote to memory of 3520   | 4524 | 85d4c08f11644f140e799ad3e4334820N.exe | Explorer.EXE
Processes (indentation shows the parent/child tree)

- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of UnmapMainImage

  - C:\Users\Admin\AppData\Local\Temp\85d4c08f11644f140e799ad3e4334820N.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\85d4c08f11644f140e799ad3e4334820N.exe"
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\winver.exe
      Command line: winver
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory

      - C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 300
        - Program crash

    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4524 -s 772
      - Program crash

- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
  - Modifies data under HKEY_USERS

- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3916 -ip 3916

- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4524 -ip 4524
Downloads (memory dumps)
- memory/3520-4-0x00000000007B0000-0x00000000007B6000-memory.dmp (Filesize: 24KB)
- memory/3520-5-0x00000000007B0000-0x00000000007B6000-memory.dmp (Filesize: 24KB)
- memory/3520-9-0x0000000002B60000-0x0000000002B66000-memory.dmp (Filesize: 24KB)
- memory/4524-1-0x0000000004670000-0x0000000004CC8000-memory.dmp (Filesize: 6.3MB)
- memory/4524-2-0x00000000045F0000-0x00000000045F1000-memory.dmp (Filesize: 4KB)
- memory/4524-6-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
- memory/4524-12-0x0000000004670000-0x0000000004CC8000-memory.dmp (Filesize: 6.3MB)