Analysis
- max time kernel: 8s
- max time network: 152s
- resource: win10v191014
Task: task1
- Sample: 8b077ae5dc7f9546bca05fb992f710633571e191758077933c547537f4eaa4d8.exe
- Resource: win7v191014
- 0 signatures
Task: task2
- Sample: 8b077ae5dc7f9546bca05fb992f710633571e191758077933c547537f4eaa4d8.exe
- Resource: win10v191014
- 0 signatures
General
- Target: 8b077ae5dc7f9546bca05fb992f710633571e191758077933c547537f4eaa4d8
- Sample: 191025-gwmgecpxns
- SHA256: 8b077ae5dc7f9546bca05fb992f710633571e191758077933c547537f4eaa4d8
- Score: N/A
Malware Config
Signatures
- Suspicious use of WriteProcessMemory (1 IoC)
  Processes:
    description: PID 5020 wrote to memory of 5052 | pid: 5020 | process: SppExtComObj.exe | target process: SLUI.exe
- Accessing to Master Boot Record (MBR) (1 TTP, 1 IoC)
  Processes:
    description: File opened for modification | ioc: \??\PHYSICALDRIVE0 | pid: 4864 | process: 8b077ae5dc7f9546bca05fb992f710633571e191758077933c547537f4eaa4d8.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description: Token: SeShutdownPrivilege | pid: 4864 | process: 8b077ae5dc7f9546bca05fb992f710633571e191758077933c547537f4eaa4d8.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\8b077ae5dc7f9546bca05fb992f710633571e191758077933c547537f4eaa4d8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8b077ae5dc7f9546bca05fb992f710633571e191758077933c547537f4eaa4d8.exe"
  - Accessing to Master Boot Record (MBR)
  - Suspicious use of AdjustPrivilegeToken
  PID: 4864
- C:\Windows\system32\SppExtComObj.exe
  Command line: C:\Windows\system32\SppExtComObj.exe -Embedding
  - Suspicious use of WriteProcessMemory
  PID: 5020
- C:\Windows\System32\SLUI.exe
  Command line: "C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
  PID: 5052
Network
MITRE ATT&CK Additional techniques
- T1067