Tasks: task1, task2

General
Target: Exes_5b4bd24d6240f467bfbc74803c9f15b0.exe
Sample: 190812-6hhsasq4da
SHA256: 14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e
Score: N/A
Malware Config
Signatures
Suspicious registry modification (5 IoCs)
  \REGISTRY\USER\S-1-5-21-2105198082-3159795503-3637859200-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"
  \REGISTRY\USER\S-1-5-21-2105198082-3159795503-3637859200-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"
  \REGISTRY\USER\S-1-5-21-2105198082-3159795503-3637859200-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"
  \REGISTRY\USER\S-1-5-21-2105198082-3159795503-3637859200-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"
  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Notifications\Data\418A073AA3BC3475 = 2f00000000000000040004000102050000000000020000006b507e005b000000a19f5e0002000000e6c5310016000000f7d36f0004000000fed37a00030001000000cb00000056737d00090000006b507e0009000000e6c531000100040000000500000087de8300010065000000d8020000e6c5310001009700000037000000a2050600
Suspicious use of WriteProcessMemory (1 TTPs, 1 IoCs)
  PID 3660 wrote to memory of 3896 (Process not Found)
Suspicious use of WriteProcessMemory (1 TTPs, 4 IoCs)
  PID 3896 wrote to memory of 3944 (Process not Found)
  PID 3896 wrote to memory of 2608 (Process not Found)
  PID 3896 wrote to memory of 3296 (Process not Found)
  PID 3896 wrote to memory of 3276 (Process not Found)
Suspicious use of AdjustPrivilegeToken (1 TTPs, 1 IoCs)
  Token: SeDebugPrivilege
Suspicious behavior: EnumeratesProcesses

powershell_execpolicy (1 TTPs)
Suspicious use of AdjustPrivilegeToken (1 TTPs, 1 IoCs)
  Token: SeDebugPrivilege
Suspicious behavior: EnumeratesProcesses

powershell_execpolicy (1 TTPs)
Suspicious use of WriteProcessMemory (1 TTPs, 1 IoCs)
  PID 2608 wrote to memory of 3088 (Process not Found)
Suspicious registry modification (2 IoCs)
  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"
  \REGISTRY\USER\S-1-5-21-2105198082-3159795503-3637859200-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskmgr = "1"
Suspicious use of AdjustPrivilegeToken (1 TTPs, 1 IoCs)
  Token: SeDebugPrivilege
Suspicious behavior: EnumeratesProcesses