Task: task1
Task: task2

General
  Target: Exes_5b4bd24d6240f467bfbc74803c9f15b0.exe
  Sample: 190812-ley7gjfcrn
  SHA256: 14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e
  Score: N/A
Malware Config

Signatures

Suspicious registry modification (5 IoCs)
  description:
    \REGISTRY\USER\S-1-5-21-2105198082-3159795503-3637859200-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"
    \REGISTRY\USER\S-1-5-21-2105198082-3159795503-3637859200-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"
    \REGISTRY\USER\S-1-5-21-2105198082-3159795503-3637859200-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"
    \REGISTRY\USER\S-1-5-21-2105198082-3159795503-3637859200-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"
    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Notifications\Data\418A073AA3BC3475 = 2f00000000000000040004000102050000000000020000006b507e005b000000a19f5e0002000000e6c5310016000000f7d36f0004000000fed37a00030001000000cb00000056737d00090000006b507e0009000000e6c531000100040000000500000087de8300010065000000d8020000e6c5310001009700000037000000a2050600
Suspicious use of WriteProcessMemory (1 TTPs, 1 IoCs)
  description                          pid   Process
  PID 1328 wrote to memory of 3964     3964  Process not Found

Suspicious use of WriteProcessMemory (1 TTPs, 4 IoCs)
  description                          pid   Process
  PID 3964 wrote to memory of 348      348   Process not Found
  PID 3964 wrote to memory of 2644     2644  Process not Found
  PID 3964 wrote to memory of 3204     3204  Process not Found
  PID 3964 wrote to memory of 3632     3632  Process not Found
Suspicious use of AdjustPrivilegeToken (1 TTPs, 1 IoCs)
  description: Token: SeDebugPrivilege

Suspicious behavior: EnumeratesProcesses

powershell_execpolicy (1 TTPs)

Suspicious use of AdjustPrivilegeToken (1 TTPs, 1 IoCs)
  description: Token: SeDebugPrivilege

Suspicious behavior: EnumeratesProcesses

powershell_execpolicy (1 TTPs)
Suspicious use of WriteProcessMemory (1 TTPs, 1 IoCs)
  description                          pid   Process
  PID 2644 wrote to memory of 3304     3304  Process not Found

Suspicious registry modification (2 IoCs)
  description:
    \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"
    \REGISTRY\USER\S-1-5-21-2105198082-3159795503-3637859200-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskmgr = "1"

Suspicious use of AdjustPrivilegeToken (1 TTPs, 1 IoCs)
  description: Token: SeDebugPrivilege

Suspicious behavior: EnumeratesProcesses