14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e

Analysis

max time kernel
59s

Sharing

Copy URL

Twitter E-mail

General

Target

Exes_5b4bd24d6240f467bfbc74803c9f15b0.exe
Sample

190812-rdzyrm5386
SHA256

14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e

Score

N/A

Malware Config

Signatures

Suspicious registry modification 2 IoCs

description
\REGISTRY\USER\S-1-5-21-2035595487-2729879620-3668659499-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
\REGISTRY\USER\S-1-5-21-2035595487-2729879620-3668659499-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"

Suspicious use of WriteProcessMemory 1 TTPs 1 IoCs

Process Injection

T1055

description	pid	Process
PID 1620 wrote to memory of 1196	1196	Process not Found

Suspicious use of WriteProcessMemory 1 TTPs 4 IoCs

Process Injection

T1055

description	pid	Process
PID 1196 wrote to memory of 1216	1216	Process not Found
PID 1196 wrote to memory of 2036	2036	Process not Found
PID 1196 wrote to memory of 1468	1468	Process not Found
PID 1196 wrote to memory of 832	832	Process not Found

Loads dropped DLL 1 TTPs

Shared Modules
T1129

Suspicious use of AdjustPrivilegeToken 1 TTPs 1 IoCs

Access Token Manipulation

T1134

description
Token: SeDebugPrivilege

Suspicious behavior: EnumeratesProcesses
Loads dropped DLL 1 TTPs

Shared Modules
T1129
powershell_execpolicy 1 TTPs

Suspicious use of AdjustPrivilegeToken 1 TTPs 1 IoCs

Access Token Manipulation

T1134

description
Token: SeDebugPrivilege

Suspicious behavior: EnumeratesProcesses
powershell_execpolicy 1 TTPs

Suspicious use of WriteProcessMemory 1 TTPs 1 IoCs

Process Injection

T1055

description	pid	Process
PID 2036 wrote to memory of 1800	1800	Process not Found

Suspicious registry modification 2 IoCs

description
\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"
\REGISTRY\USER\S-1-5-21-2035595487-2729879620-3668659499-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskmgr = "1"

Suspicious use of AdjustPrivilegeToken 1 TTPs 1 IoCs

Access Token Manipulation

T1134

description
Token: SeDebugPrivilege

Suspicious behavior: EnumeratesProcesses
Deletes itself 1 TTPs
Loads dropped DLL 1 TTPs

Shared Modules
T1129
Loads dropped DLL 1 TTPs

Shared Modules
T1129
Loads dropped DLL 1 TTPs

Shared Modules
T1129
Loads dropped DLL 1 TTPs

Shared Modules
T1129
Loads dropped DLL 1 TTPs

Shared Modules
T1129

Drops file in system dir 1 IoCs

description
C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\6c-0\Microsoft.PowerShell.Editor.dll

Loads dropped DLL 1 TTPs

Shared Modules
T1129
Loads dropped DLL 1 TTPs

Shared Modules
T1129
Loads dropped DLL 1 TTPs

Shared Modules
T1129
Loads dropped DLL 1 TTPs

Shared Modules
T1129
Loads dropped DLL 1 TTPs

Shared Modules
T1129
Loads dropped DLL 1 TTPs

Shared Modules
T1129
Loads dropped DLL 1 TTPs

Shared Modules
T1129
Loads dropped DLL 1 TTPs

Shared Modules
T1129
Loads dropped DLL 1 TTPs

Shared Modules
T1129
Loads dropped DLL 1 TTPs

Shared Modules
T1129
Loads dropped DLL 1 TTPs

Shared Modules
T1129

Analysis

Sharing

General

Malware Config

Signatures

Processes