Overview

overview

10

Static

static

3

weave.exe

windows7-x64

10

weave.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    21/09/2024, 05:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    weave.exe

  • Size

    3.4MB

  • MD5

    19eeb3ce01f40894ced6065215d7a666

  • SHA1

    6da9fb24f7560284219c0aa42134be3d76615c7c

  • SHA256

    2c80f72b0be446e73b7f8f7e660750d8147a527b3e0c1316c2ddadc708e783c3

  • SHA512

    9ad07ec548303e7d2db20093441710f4a08725ccc2365904ab3ef670a174030733409a4b22324eece2ba472354c32ad34bd96fb9cc095696a84caac70f0ef801

  • SSDEEP

    49152:12quZB3Lyy3ok0xaAmNu2WsgAbfjHsKTJ4Nz9kP93s8+g/l7mKyftvzQBNomC6H:IHX3LyC0L7AbfjJT/l7byV4NJH

Score
10/10
discoverypersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
    persistence
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\weave.exe
    "C:\Users\Admin\AppData\Local\Temp\weave.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2152
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\WinruntimeBrokerDll\GMEFyNcoiNG60wEpcxyNZ4Di23KQc0kfLK4aF.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3020
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\WinruntimeBrokerDll\ItjtUdx3t6H3YIR9PpTLl9BZRrl4Oo9QIKh5ZNyZ.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2740
        • C:\WinruntimeBrokerDll\AgentfontPerfNet.exe
          "C:\WinruntimeBrokerDll/AgentfontPerfNet.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2848
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kfknvygj\kfknvygj.cmdline"
            5⤵
            • Drops file in System32 directory
            • Suspicious use of WriteProcessMemory
            PID:2816
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF21C.tmp" "c:\Windows\System32\CSCED54AA3A2DE54012A88B6B65842BEE3.TMP"
              6⤵
                PID:1272
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HMHbUQGdDq.bat"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:1852
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                  PID:948
                • C:\Windows\system32\w32tm.exe
                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                  6⤵
                    PID:1524
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\Registration\CRMLog\csrss.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2704
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\csrss.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2628
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\Registration\CRMLog\csrss.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:320
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\lsass.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2668
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2032
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2900
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:776
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2936
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1224
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\spoolsv.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2932
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\spoolsv.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2684
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\spoolsv.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2112
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\smss.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2532
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2160
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2164
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "AgentfontPerfNetA" /sc MINUTE /mo 8 /tr "'C:\WinruntimeBrokerDll\AgentfontPerfNet.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1108
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "AgentfontPerfNet" /sc ONLOGON /tr "'C:\WinruntimeBrokerDll\AgentfontPerfNet.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:696
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "AgentfontPerfNetA" /sc MINUTE /mo 7 /tr "'C:\WinruntimeBrokerDll\AgentfontPerfNet.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2960

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\HMHbUQGdDq.bat
          Filesize

          216B

          MD5

          6f259d4b104058e85227593ddcf64539

          SHA1

          e72867c27825fffc99b9f2052703cf73a5472122

          SHA256

          57bf429d70abdefb06d45dbbc71c4f139b48d53298ef1c996627c4e759621359

          SHA512

          f8d4af23ec1e064407f608d5708ff1894cfd550ee33bdf3e906f6683466c4648cbfe2349fc7bd76cf64e47ce06c557067d0d2fab4646d81f0641e20d389f6d3e

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\RESF21C.tmp
          Filesize

          1KB

          MD5

          32812b1b3e3a13370d4c0376d041d34b

          SHA1

          89f8dc821847a48eb4866e2eefdff66b7c592b6b

          SHA256

          6b1c7d082adc67c65a863f63aa433d65ae2bcfc3f0174bbd33322cc2412b3a58

          SHA512

          979715974d891f7c18e4fcdb02620119220242933e13b327d3c66ac4bdf0f61df70a5df2070323a30b5c0935f6b33900a8cd5d4b5782c11591b1ebd6ddf5ec7f

          Download Submit

        • C:\WinruntimeBrokerDll\GMEFyNcoiNG60wEpcxyNZ4Di23KQc0kfLK4aF.vbe
          Filesize

          238B

          MD5

          f8551118abe74fa67b41749a29f8f542

          SHA1

          18bb595f0e378727ddd92be510a211759b9ce3fc

          SHA256

          48bb9ca4e442369517cb8a87fc02736c3ea5e02893a3f3126037eced0e192e16

          SHA512

          c7cff3de9ad46e125ab2d6714995cf4310b178cc781f42b700fb0b54ec160701af1e99760624910ccf50c96f5efdc5d3a7bb00d3af7731a0e2f898f9db3a3864

          Download Submit

        • C:\WinruntimeBrokerDll\ItjtUdx3t6H3YIR9PpTLl9BZRrl4Oo9QIKh5ZNyZ.bat
          Filesize

          95B

          MD5

          14299ac4bcd55335ed78d9f3a839983c

          SHA1

          8519353b52599850456783e3419d132648be6ed6

          SHA256

          ea7785252e31c7332d0baa4939895f66335d0fd638cec14ac834f42f4c65b4d3

          SHA512

          93c5a6975a14a2a76ee9b9fd1452017b4fa7f4f70d01ce140976a9f1c44e6a44c640003209ee7d819351d9b37172cb21990bd7e15bc95024d7aedf0520c4b16e

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\kfknvygj\kfknvygj.0.cs
          Filesize

          372B

          MD5

          44787bf4cdba34b4460a87b48fe0d778

          SHA1

          5f024199b1250899dcb61ba410dd71968fd404b3

          SHA256

          e71d7e627f9395e9ee69142bb992828ae9fa220c73fd58af2caa13262ac2851b

          SHA512

          d91c84b9b6f5be9fe2d0efea9abf912f7bd10de39ac56b4cfdbd43a9b680b2cb430dc8938ae592be514534987c3902affcdc63a8b97ac3b2e932ab601451bd47

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\kfknvygj\kfknvygj.cmdline
          Filesize

          235B

          MD5

          1f2a43295bfad2e2d391b51c333ceb3a

          SHA1

          1d5ebb3402a61311889221fc81ba2799db26c500

          SHA256

          5bd80b64eda4d2d2978e83c0365e1132135403ba8cafb4f94d91fd3fd95e889f

          SHA512

          5196389fd5ee464c8a7491851c069dc82eb31f56d877d31e7bd3664ca5be14c48265a1b00b92f545fc715040add24d8ae56be6ef337e46abd75027ed4c55c9ee

          Download Submit

        • \??\c:\Windows\System32\CSCED54AA3A2DE54012A88B6B65842BEE3.TMP
          Filesize

          1KB

          MD5

          ef16d909708ebcc07bccd69660031f0b

          SHA1

          28b9075bca06663bb7cef64bef575def9aa18215

          SHA256

          3891157da8786a83f294cd18cd081cf46d83c15d828d80201f33092663b1d1b3

          SHA512

          2bb0b8776ef77143a4a3f21afaf2ffe665cc6d182772eab90621d8a7f8cad13aefc3b8e3484e53196d19041349bab209d64f1a90fa32a02767c4f6b36146ccf3

          Download Submit

        • \WinruntimeBrokerDll\AgentfontPerfNet.exe
          Filesize

          1.9MB

          MD5

          f9779f2d70e9974ff41e46a914d7d238

          SHA1

          ab332ae513b0170e88c0bd7d2b6664d9e8d55c8d

          SHA256

          c901beb42e1372c73cdf25cab74e1aba0e57b51608ed8d014160df2ead86626f

          SHA512

          19b386fd62677341eeaa5812d9d77ca40c4d9497a23c954496ccb659266528de68161ce198f7b5024f2626b435c71c2e53a8d46d075528f357d5af04d26a8cdf

          Download Submit

        • memory/2152-0-0x0000000001390000-0x00000000017E8000-memory.dmp

          Filesize

          4.3MB

          Download

        • memory/2152-9-0x0000000001390000-0x00000000017E8000-memory.dmp

          Filesize

          4.3MB

          Download

        • memory/2848-24-0x0000000000390000-0x000000000039E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/2848-22-0x00000000003D0000-0x00000000003E8000-memory.dmp

          Filesize

          96KB

          Download

        • memory/2848-26-0x00000000003A0000-0x00000000003AE000-memory.dmp

          Filesize

          56KB

          Download

        • memory/2848-28-0x00000000003F0000-0x00000000003FC000-memory.dmp

          Filesize

          48KB

          Download

        • memory/2848-20-0x00000000003B0000-0x00000000003CC000-memory.dmp

          Filesize

          112KB

          Download

        • memory/2848-18-0x0000000000380000-0x000000000038E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/2848-16-0x0000000000F20000-0x0000000001110000-memory.dmp

          Filesize

          1.9MB

          Download