Overview

overview

9

task1

 

7

task2

 

9

Analysis

  • max time kernel
    142s
  • max time network
    143s
  • resource
    win7v191014

Sharing

Copy URL
Twitter E-mail

General

  • Target

    222b2b80b21db2584d9cb51082f7eadf0bbf04bb2a555ef850391d62dd68d5d9

  • Sample

    191025-w35pvd2lbx

  • SHA256

    222b2b80b21db2584d9cb51082f7eadf0bbf04bb2a555ef850391d62dd68d5d9

Score
N/A

Malware Config

Signatures

  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Modifies control panel 2 IoCs
    evasion
  • Suspicious use of WriteProcessMemory 3 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Deletes itself 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Drops Office document 20 IoCs
    dropperexploitermaldoc
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Modifies Internet Explorer settings 1 TTPs 13 IoCs
    adwarespyware
  • Drops file in system dir 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\222b2b80b21db2584d9cb51082f7eadf0bbf04bb2a555ef850391d62dd68d5d9.exe
    "C:\Users\Admin\AppData\Local\Temp\222b2b80b21db2584d9cb51082f7eadf0bbf04bb2a555ef850391d62dd68d5d9.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Modifies control panel
    • Suspicious use of WriteProcessMemory
    • Drops Office document
    • Sets desktop wallpaper using registry
    PID:1468
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1844
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {08E52B89-F93E-44D6-B791-F2B294F9AA76} S-1-5-18:NT AUTHORITY\System:Service:
    1⤵
      PID:2016
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\ykcol.htm
      1⤵
      • Suspicious use of WriteProcessMemory
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of FindShellTrayWindow
      • Modifies Internet Explorer settings
      PID:2044
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
      1⤵
      • Suspicious use of FindShellTrayWindow
      • Drops file in system dir
      PID:1852
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2044 CREDAT:275457 /prefetch:2
      1⤵
      • Suspicious use of SetWindowsHookEx
      • Modifies Internet Explorer settings
      PID:268
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\222b2b80b21db2584d9cb51082f7eadf0bbf04bb2a555ef850391d62dd68d5d9.exe"
      1⤵
      • Deletes itself
      PID:2012
    • C:\Windows\system32\conhost.exe
      \??\C:\Windows\system32\conhost.exe "-1010190574-19306643031201772696-479661271629380329-88839335-56182350-1854666663"
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:576

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads