Analysis
- max time kernel: 146s
- resource: win7v191014
- submitted: 27-01-2020 17:35
- Task: task1
- Sample: 444444.exe
- Resource: win7v191014
- 0 signatures
Signatures
- Executes dropped EXE (4 IoCs)
  Processes (pid, process):
  - 1096 lvmaa.exe
  - 1916 lvmaa.exe
  - 1964 lvmaa.exe
  - 188 lvmaa.exe
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes (pid, process):
  - 1096 lvmaa.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes (pid, process):
  - 1448 444444.exe
  - 1596 444444.exe
  - 1096 lvmaa.exe
  - 1916 lvmaa.exe
  - 1996 explorer.exe
  - 768 444444.exe
  - 1964 lvmaa.exe
  - 188 lvmaa.exe
- Loads dropped DLL (1 IoC)
  Processes (pid, process):
  - 1448 444444.exe
- Turn off Windows Defender SpyNet reporting (6 IoCs)
  Processes (description, ioc, process):
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0" (reg.exe)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "2" (reg.exe)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SpyNetReporting = "0" (reg.exe)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SubmitSamplesConsent = "2" (reg.exe)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet\SpyNetReporting = "0" (reg.exe)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet\SubmitSamplesConsent = "2" (reg.exe)
- Windows security bypass
  Processes (description, ioc, process):
  - Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths (reg.exe)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Shsfzaefg = "0" (reg.exe)
- Adds Run entry to start application (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
  - Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Windows\CurrentVersion\Run\ukjluy = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Shsfzaefg\\lvmaa.exe\"" (explorer.exe)
- Suspicious use of WriteProcessMemory (19 IoCs)
  Processes (description, pid, process, target process):
  - PID 1448 wrote to memory of 1596: 444444.exe -> 444444.exe
  - PID 1448 wrote to memory of 1096: 444444.exe -> lvmaa.exe
  - PID 1096 wrote to memory of 1916: lvmaa.exe -> lvmaa.exe
  - PID 1448 wrote to memory of 1824: 444444.exe -> schtasks.exe
  - PID 1096 wrote to memory of 1996: lvmaa.exe -> explorer.exe
  - PID 1264 wrote to memory of 768: taskeng.exe -> 444444.exe
  - PID 768 wrote to memory of 1752: 444444.exe -> reg.exe
  - PID 768 wrote to memory of 1660: 444444.exe -> reg.exe
  - PID 768 wrote to memory of 1788: 444444.exe -> reg.exe
  - PID 768 wrote to memory of 608: 444444.exe -> reg.exe
  - PID 768 wrote to memory of 568: 444444.exe -> reg.exe
  - PID 768 wrote to memory of 1132: 444444.exe -> reg.exe
  - PID 768 wrote to memory of 1884: 444444.exe -> reg.exe
  - PID 768 wrote to memory of 548: 444444.exe -> reg.exe
  - PID 768 wrote to memory of 684: 444444.exe -> reg.exe
  - PID 768 wrote to memory of 1964: 444444.exe -> lvmaa.exe
  - PID 1964 wrote to memory of 188: lvmaa.exe -> lvmaa.exe
  - PID 768 wrote to memory of 1184: 444444.exe -> cmd.exe
  - PID 768 wrote to memory of 1908: 444444.exe -> schtasks.exe
- Windows security modification
  Processes (description, ioc, process):
  - Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet (reg.exe)
  - Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet (reg.exe)
  - Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet (reg.exe)
  - Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet (reg.exe)
  - Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet (reg.exe)
  - Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet (reg.exe)
Processes
Process tree (depth in brackets; each entry gives the image path, then the command line, then the behaviour tags raised for that process):

[1] C:\Users\Admin\AppData\Local\Temp\444444.exe
    "C:\Users\Admin\AppData\Local\Temp\444444.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\444444.exe
      C:\Users\Admin\AppData\Local\Temp\444444.exe /C
      - Suspicious behavior: EnumeratesProcesses
  [2] C:\Users\Admin\AppData\Roaming\Microsoft\Shsfzaefg\lvmaa.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Shsfzaefg\lvmaa.exe
      - Executes dropped EXE
      - Suspicious behavior: MapViewOfSection
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Roaming\Microsoft\Shsfzaefg\lvmaa.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Shsfzaefg\lvmaa.exe /C
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
    [3] C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        - Suspicious behavior: EnumeratesProcesses
        - Adds Run entry to start application
  [2] C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn wkaaitss /tr "\"C:\Users\Admin\AppData\Local\Temp\444444.exe\" /I wkaaitss" /SC ONCE /Z /ST 18:37 /ET 18:49

[1] C:\Windows\system32\taskeng.exe
    taskeng.exe {D2250D74-C72A-4B19-998D-EF6BE86000CC} S-1-5-18:NT AUTHORITY\System:Service:
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\444444.exe
      C:\Users\Admin\AppData\Local\Temp\444444.exe /I wkaaitss
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\reg.exe
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
        - Turn off Windows Defender SpyNet reporting
        - Windows security modification
    [3] C:\Windows\system32\reg.exe
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
        - Turn off Windows Defender SpyNet reporting
        - Windows security modification
    [3] C:\Windows\system32\reg.exe
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
    [3] C:\Windows\system32\reg.exe
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
    [3] C:\Windows\system32\reg.exe
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
        - Turn off Windows Defender SpyNet reporting
        - Windows security modification
    [3] C:\Windows\system32\reg.exe
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
        - Turn off Windows Defender SpyNet reporting
        - Windows security modification
    [3] C:\Windows\system32\reg.exe
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
        - Turn off Windows Defender SpyNet reporting
        - Windows security modification
    [3] C:\Windows\system32\reg.exe
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
        - Turn off Windows Defender SpyNet reporting
        - Windows security modification
    [3] C:\Windows\system32\reg.exe
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Shsfzaefg" /d "0"
        - Windows security bypass
    [3] C:\Users\Admin\AppData\Roaming\Microsoft\Shsfzaefg\lvmaa.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Shsfzaefg\lvmaa.exe
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Roaming\Microsoft\Shsfzaefg\lvmaa.exe
          C:\Users\Admin\AppData\Roaming\Microsoft\Shsfzaefg\lvmaa.exe /C
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
    [3] C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\444444.exe"
      [4] C:\Windows\system32\PING.EXE
          ping.exe -n 6 127.0.0.1
          - Runs ping.exe
    [3] C:\Windows\system32\schtasks.exe
        "C:\Windows\system32\schtasks.exe" /DELETE /F /TN wkaaitss
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Shsfzaefg\lvmaa.dat
- C:\Users\Admin\AppData\Roaming\Microsoft\Shsfzaefg\lvmaa.exe
- memory/188-9-0x0000000002300000-0x0000000002311000-memory.dmp (filesize 68KB)
- memory/1096-5-0x0000000000470000-0x00000000004AB000-memory.dmp (filesize 236KB)
- memory/1596-0-0x00000000022D0000-0x00000000022E1000-memory.dmp (filesize 68KB)
- memory/1916-4-0x00000000022D0000-0x00000000022E1000-memory.dmp (filesize 68KB)