Analysis
max time kernel: 118s
max time network: 104s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-07-2024 06:59
Static task: static1
Behavioral task: behavioral1
  Sample: 6886b964f5242f6f99d65f0bbd6ff660N.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: 6886b964f5242f6f99d65f0bbd6ff660N.exe
  Resource: win10v2004-20240709-en
General
Target: 6886b964f5242f6f99d65f0bbd6ff660N.exe
Size: 225KB
MD5: 6886b964f5242f6f99d65f0bbd6ff660
SHA1: 95056aa9c77ca91f64a31425f2c80766961b523d
SHA256: 49fd87eb13c0773f3e50d5cf4a18938c3a1a36fcd6768b193b061e37390513b9
SHA512: ea667e9187d90a544e4df2262b500201c52e3ce0e7b23d91a99403723287d91ee8571a92e0ce4b6b04ecce37cadde1cc26ee01b7f748d5d5b2332c59918d41de
SSDEEP: 6144:XA2P27yTAnKGw0hjFhSR/W11yAJ9v0pMtRCpYM:XATuTAnKGwUAW3ycQqgf
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Program crash (2 IoCs)
  Processes: WerFault.exe, WerFault.exe
  pid   pid_target  process       target process
  2348  4588        WerFault.exe  winver.exe
  4164  4468        WerFault.exe  6886b964f5242f6f99d65f0bbd6ff660N.exe

- Modifies data under HKEY_USERS (1 IoCs)
  Processes: svchost.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client"
  process: svchost.exe

- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes: Explorer.EXE
  description                       pid   process
  Token: SeShutdownPrivilege        3536  Explorer.EXE
  Token: SeCreatePagefilePrivilege  3536  Explorer.EXE
  Token: SeShutdownPrivilege        3536  Explorer.EXE
  Token: SeCreatePagefilePrivilege  3536  Explorer.EXE

- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes: winver.exe, 6886b964f5242f6f99d65f0bbd6ff660N.exe
  pid   process
  4588  winver.exe
  4468  6886b964f5242f6f99d65f0bbd6ff660N.exe

- Suspicious use of UnmapMainImage (1 IoCs)
  Processes: Explorer.EXE
  pid   process
  3536  Explorer.EXE

- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: 6886b964f5242f6f99d65f0bbd6ff660N.exe, winver.exe
  description                        pid   process                                target process
  PID 4468 wrote to memory of 4588   4468  6886b964f5242f6f99d65f0bbd6ff660N.exe  winver.exe
  PID 4468 wrote to memory of 4588   4468  6886b964f5242f6f99d65f0bbd6ff660N.exe  winver.exe
  PID 4468 wrote to memory of 4588   4468  6886b964f5242f6f99d65f0bbd6ff660N.exe  winver.exe
  PID 4468 wrote to memory of 4588   4468  6886b964f5242f6f99d65f0bbd6ff660N.exe  winver.exe
  PID 4588 wrote to memory of 3536   4588  winver.exe                             Explorer.EXE
  PID 4468 wrote to memory of 3536   4468  6886b964f5242f6f99d65f0bbd6ff660N.exe  Explorer.EXE
Processes
- C:\Windows\Explorer.EXE (tree depth 1)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage

- C:\Users\Admin\AppData\Local\Temp\6886b964f5242f6f99d65f0bbd6ff660N.exe (tree depth 2)
  Command line: "C:\Users\Admin\AppData\Local\Temp\6886b964f5242f6f99d65f0bbd6ff660N.exe"
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory

- C:\Windows\SysWOW64\winver.exe (tree depth 3)
  Command line: winver
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory

- C:\Windows\SysWOW64\WerFault.exe (tree depth 4)
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4588 -s 300
  - Program crash

- C:\Windows\SysWOW64\WerFault.exe (tree depth 3)
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 772
  - Program crash

- C:\Windows\System32\svchost.exe (tree depth 1)
  Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
  - Modifies data under HKEY_USERS

- C:\Windows\SysWOW64\WerFault.exe (tree depth 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4588 -ip 4588

- C:\Windows\SysWOW64\WerFault.exe (tree depth 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4468 -ip 4468
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- memory/3536-4-0x0000000000F50000-0x0000000000F56000-memory.dmp (filesize 24KB)
- memory/3536-5-0x0000000000F50000-0x0000000000F56000-memory.dmp (filesize 24KB)
- memory/3536-10-0x0000000000FB0000-0x0000000000FB6000-memory.dmp (filesize 24KB)
- memory/4468-1-0x0000000004590000-0x0000000004BE8000-memory.dmp (filesize 6.3MB)
- memory/4468-2-0x0000000003D70000-0x0000000003D71000-memory.dmp (filesize 4KB)
- memory/4468-6-0x0000000000400000-0x000000000043C000-memory.dmp (filesize 240KB)
- memory/4468-13-0x0000000004590000-0x0000000004BE8000-memory.dmp (filesize 6.3MB)