Analysis
- max time kernel: 119s
- max time network: 120s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17-07-2024 23:58
Behavioral task: behavioral1
- Sample: 3269b681ee1b6f8e489ab1725edfc810N.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 3269b681ee1b6f8e489ab1725edfc810N.exe
- Resource: win10v2004-20240709-en
General
- Target: 3269b681ee1b6f8e489ab1725edfc810N.exe
- Size: 45KB
- MD5: 3269b681ee1b6f8e489ab1725edfc810
- SHA1: 3c08e612a160e88bc52533ba365b28b5b7774b14
- SHA256: 1222699a8e4b76b05652a522b62fa37f47d9b4662b3e4e1e3cf7b01e93d92376
- SHA512: 15a1b32bde51cc1371933cca3fd1cd355414c2a8c7a905c8aab769af2495d368cbdae49dd77f4b0fca46e0fa5b20ec0104b4dc2f519449eb85f21c05c9597cf3
- SSDEEP: 768:VhP0kDE9N5dCA8J7VHXdrIniQaBTT+QQ+r1n4K8+C9TtIuCjaqUODvJVQ2f:HsWE9N5dFu53dsniQaB/xZ14n7zIF+qr
Malware Config
Signatures
- Processes:
  resource: behavioral2/memory/4688-0-0x0000000000400000-0x000000000041D000-memory.dmp
  yara_rule: upx
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: winver.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6BF3AF52 = "C:\\Users\\Admin\\AppData\\Roaming\\6BF3AF52\\bin.exe"
  process: winver.exe
- Program crash (1 IoCs)
  Processes: WerFault.exe
  pid: 3552, pid_target: 4704, process: WerFault.exe, target process: winver.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: winver.exe
  pid 4704 winver.exe
  pid 4704 winver.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: Explorer.EXE
  Token: SeShutdownPrivilege, pid 3384, Explorer.EXE
  Token: SeCreatePagefilePrivilege, pid 3384, Explorer.EXE
- Suspicious use of FindShellTrayWindow (1 IoCs)
  Processes: winver.exe
  pid 4704 winver.exe
- Suspicious use of UnmapMainImage (1 IoCs)
  Processes: Explorer.EXE
  pid 3384 Explorer.EXE
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: 3269b681ee1b6f8e489ab1725edfc810N.exe, winver.exe
  PID 4688 wrote to memory of 4704: 3269b681ee1b6f8e489ab1725edfc810N.exe -> winver.exe
  PID 4688 wrote to memory of 4704: 3269b681ee1b6f8e489ab1725edfc810N.exe -> winver.exe
  PID 4688 wrote to memory of 4704: 3269b681ee1b6f8e489ab1725edfc810N.exe -> winver.exe
  PID 4688 wrote to memory of 4704: 3269b681ee1b6f8e489ab1725edfc810N.exe -> winver.exe
  PID 4704 wrote to memory of 3384: winver.exe -> Explorer.EXE
  PID 4704 wrote to memory of 2624: winver.exe -> sihost.exe
Processes
- C:\Windows\system32\sihost.exe
  command line: sihost.exe
- C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - C:\Users\Admin\AppData\Local\Temp\3269b681ee1b6f8e489ab1725edfc810N.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\3269b681ee1b6f8e489ab1725edfc810N.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\winver.exe
      command line: winver
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 352
        - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4704 -ip 4704
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- memory/2624-16-0x0000000000F80000-0x0000000000F86000-memory.dmp (filesize: 24KB)
- memory/2624-19-0x00007FF887B30000-0x00007FF887B31000-memory.dmp (filesize: 4KB)
- memory/3384-9-0x00007FF887B40000-0x00007FF887B41000-memory.dmp (filesize: 4KB)
- memory/3384-3-0x0000000000CF0000-0x0000000000CF6000-memory.dmp (filesize: 24KB)
- memory/3384-7-0x00007FF8879AD000-0x00007FF8879AE000-memory.dmp (filesize: 4KB)
- memory/3384-2-0x0000000000CF0000-0x0000000000CF6000-memory.dmp (filesize: 24KB)
- memory/4688-4-0x0000000002280000-0x0000000002C80000-memory.dmp (filesize: 10.0MB)
- memory/4688-0-0x0000000000400000-0x000000000041D000-memory.dmp (filesize: 116KB)
- memory/4688-11-0x0000000000400000-0x000000000041D000-memory.dmp (filesize: 116KB)
- memory/4688-12-0x0000000002280000-0x0000000002C80000-memory.dmp (filesize: 10.0MB)
- memory/4688-1-0x00000000005B0000-0x00000000005B1000-memory.dmp (filesize: 4KB)
- memory/4704-6-0x0000000077312000-0x0000000077313000-memory.dmp (filesize: 4KB)
- memory/4704-5-0x0000000000910000-0x0000000000916000-memory.dmp (filesize: 24KB)
- memory/4704-8-0x00007FF887910000-0x00007FF887B05000-memory.dmp (filesize: 2.0MB)
- memory/4704-17-0x0000000000910000-0x0000000000916000-memory.dmp (filesize: 24KB)