Analysis

  • max time kernel
    150s
  • max time network
    142s
  • resource
    win7v191014

General

  • Target

    a34724574b8608308116557503792322d1b7aead2683db636c701462f99f5082

  • Sample

    191025-1blc144gba

  • SHA256

    a34724574b8608308116557503792322d1b7aead2683db636c701462f99f5082

Score
N/A

Malware Config

Signatures

  • Suspicious use of WriteProcessMemory (8 IoCs)
  • Drops file in system dir (12 IoCs)
  • Uses Task Scheduler COM API (1 TTP, 26 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Windows security bypass (2 TTPs, 2 IoCs)
  • Loads dropped DLL (5 IoCs)
  • Suspicious behavior: MapViewOfSection (3 IoCs)
  • Suspicious use of SetThreadContext (3 IoCs)
  • Executes dropped EXE (5 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\a34724574b8608308116557503792322d1b7aead2683db636c701462f99f5082.exe
    "C:\Users\Admin\AppData\Local\Temp\a34724574b8608308116557503792322d1b7aead2683db636c701462f99f5082.exe"
    • Suspicious use of WriteProcessMemory
    • Loads dropped DLL
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetThreadContext
    PID:1560
  • C:\Users\Admin\AppData\Local\Temp\a34724574b8608308116557503792322d1b7aead2683db636c701462f99f5082.exe
    "C:\Users\Admin\AppData\Local\Temp\a34724574b8608308116557503792322d1b7aead2683db636c701462f99f5082.exe"
    • Suspicious use of WriteProcessMemory
    • Loads dropped DLL
    PID:1048
  • C:\Users\Admin\AppData\Roaming\services\a45735675b8708408227667604793433e2b7afae3784eb747d702573g99g6083.exe
    C:\Users\Admin\AppData\Roaming\services\a45735675b8708408227667604793433e2b7afae3784eb747d702573g99g6083.exe
    • Suspicious use of WriteProcessMemory
    • Loads dropped DLL
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetThreadContext
    • Executes dropped EXE
    PID:1164
  • C:\Users\Admin\AppData\Roaming\services\a45735675b8708408227667604793433e2b7afae3784eb747d702573g99g6083.exe
    C:\Users\Admin\AppData\Roaming\services\a45735675b8708408227667604793433e2b7afae3784eb747d702573g99g6083.exe
    • Suspicious use of WriteProcessMemory
    • Executes dropped EXE
    PID:804
  • C:\Windows\system32\svchost.exe
    svchost.exe
    • Uses Task Scheduler COM API
    • Suspicious use of AdjustPrivilegeToken
    • Windows security bypass
    PID:1408
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {4D2D170B-D071-449D-B167-3B8D77EF3994} S-1-5-18:NT AUTHORITY\System:Service:
    • Suspicious use of WriteProcessMemory
    PID:2032
  • C:\Users\Admin\AppData\Roaming\services\a45735675b8708408227667604793433e2b7afae3784eb747d702573g99g6083.exe
    C:\Users\Admin\AppData\Roaming\services\a45735675b8708408227667604793433e2b7afae3784eb747d702573g99g6083.exe
    • Suspicious use of WriteProcessMemory
    • Drops file in system dir
    • Loads dropped DLL
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetThreadContext
    • Executes dropped EXE
    PID:1964
  • C:\Users\Admin\AppData\Roaming\services\a45735675b8708408227667604793433e2b7afae3784eb747d702573g99g6083.exe
    C:\Users\Admin\AppData\Roaming\services\a45735675b8708408227667604793433e2b7afae3784eb747d702573g99g6083.exe
    • Suspicious use of WriteProcessMemory
    • Executes dropped EXE
    PID:1796
  • C:\Windows\system32\svchost.exe
    svchost.exe
    • Uses Task Scheduler COM API
    • Windows security bypass
    PID:1076
  • C:\Users\Admin\AppData\Roaming\services\a45735675b8708408227667604793433e2b7afae3784eb747d702573g99g6083.exe
    C:\Users\Admin\AppData\Roaming\services\a45735675b8708408227667604793433e2b7afae3784eb747d702573g99g6083.exe
    • Drops file in system dir
    • Loads dropped DLL
    • Executes dropped EXE
    PID:388

Network

MITRE ATT&CK Enterprise v15

MITRE ATT&CK Additional techniques

  • T1089

Downloads

  • C:\Users\Admin\AppData\Local\Temp\NP

  • C:\Users\Admin\AppData\Roaming\services\a45735675b8708408227667604793433e2b7afae3784eb747d702573g99g6083.exe

  • C:\Windows\TEMP\NP

  • \Users\Admin\AppData\Local\Temp\nsu557F.tmp\System.dll

  • \Users\Admin\AppData\Local\Temp\nsv846C.tmp\System.dll

  • \Users\Admin\AppData\Roaming\services\a45735675b8708408227667604793433e2b7afae3784eb747d702573g99g6083.exe

  • \Windows\Temp\nsa89F7.tmp\System.dll

  • \Windows\Temp\nsl8D80.tmp\System.dll

  • memory/1048-2-0x0000000000400000-0x000000000043D000-memory.dmp (Filesize: 244KB)

  • memory/1048-1-0x0000000000400000-0x000000000043D000-memory.dmp (Filesize: 244KB)

  • memory/1408-9-0x0000000140000000-0x0000000140022000-memory.dmp (Filesize: 136KB)