14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e

Analysis

max time kernel
60s

Sharing

Copy URL

Twitter E-mail

General

Target

Exes_5b4bd24d6240f467bfbc74803c9f15b0.exe
Sample

190812-6hhsasq4da
SHA256

14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e

Score

N/A

Malware Config

Signatures

Suspicious registry modification 2 IoCs

description
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"

Suspicious use of WriteProcessMemory 1 TTPs 1 IoCs

Process Injection

T1055

description	pid	Process
PID 2012 wrote to memory of 856	856	Process not Found

Suspicious use of WriteProcessMemory 1 TTPs 4 IoCs

Process Injection

T1055

description	pid	Process
PID 856 wrote to memory of 928	928	Process not Found
PID 856 wrote to memory of 1956	1956	Process not Found
PID 856 wrote to memory of 1324	1324	Process not Found
PID 856 wrote to memory of 876	876	Process not Found

Loads dropped DLL 1 TTPs

Shared Modules
T1129

Suspicious use of AdjustPrivilegeToken 1 TTPs 1 IoCs

Access Token Manipulation

T1134

description
Token: SeDebugPrivilege

Suspicious behavior: EnumeratesProcesses
Loads dropped DLL 1 TTPs

Shared Modules
T1129
Loads dropped DLL 1 TTPs

Shared Modules
T1129
powershell_execpolicy 1 TTPs

Suspicious use of AdjustPrivilegeToken 1 TTPs 1 IoCs

Access Token Manipulation

T1134

description
Token: SeDebugPrivilege

Suspicious behavior: EnumeratesProcesses
Loads dropped DLL 1 TTPs

Shared Modules
T1129
powershell_execpolicy 1 TTPs

Suspicious use of WriteProcessMemory 1 TTPs 1 IoCs

Process Injection

T1055

description	pid	Process
PID 1956 wrote to memory of 1796	1796	Process not Found

Suspicious registry modification 2 IoCs

description
\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"
\REGISTRY\USER\S-1-5-21-3740240129-2853759884-3633044100-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskmgr = "1"

Suspicious use of AdjustPrivilegeToken 1 TTPs 1 IoCs

Access Token Manipulation

T1134

description
Token: SeDebugPrivilege

Suspicious behavior: EnumeratesProcesses
Deletes itself 1 TTPs
Loads dropped DLL 1 TTPs

Shared Modules
T1129
Loads dropped DLL 1 TTPs

Shared Modules
T1129
Loads dropped DLL 1 TTPs

Shared Modules
T1129
Loads dropped DLL 1 TTPs

Shared Modules
T1129
Loads dropped DLL 1 TTPs

Shared Modules
T1129
Loads dropped DLL 1 TTPs

Shared Modules
T1129
Loads dropped DLL 1 TTPs

Shared Modules
T1129
Loads dropped DLL 1 TTPs

Shared Modules
T1129
Loads dropped DLL 1 TTPs

Shared Modules
T1129
Loads dropped DLL 1 TTPs

Shared Modules
T1129
Loads dropped DLL 1 TTPs

Shared Modules
T1129
Loads dropped DLL 1 TTPs

Shared Modules
T1129
Loads dropped DLL 1 TTPs

Shared Modules
T1129
Loads dropped DLL 1 TTPs

Shared Modules
T1129
Loads dropped DLL 1 TTPs

Shared Modules
T1129
Loads dropped DLL 1 TTPs

Shared Modules
T1129
Loads dropped DLL 1 TTPs

Shared Modules
T1129

Drops file in system dir 2 IoCs

description
C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\358-0\System.Management.Automation.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ed18cbebc219551b9c8751127acc37ae\System.Management.Automation.ni.dll.aux.tmp

Loads dropped DLL 1 TTPs

Shared Modules
T1129

Analysis

Sharing

General

Malware Config

Signatures

Processes