22503a27c8bd1299e67f484b0c750276323d5a97b9dd45e1da7a935fe377ec1e

Analysis

max time kernel
151s
max time network
151s
platform
windows10_x64
resource
win10v200217
submitted
10-03-2020 00:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Fallen.exe
Size

11KB
MD5

1423f94092ba6a80ec571748e08d396e
SHA1

3839e76d9f01f9a92304cab21aa130f5800f71d2
SHA256

f595233fa17f4f280bd88b012419652b8d11f086ccc497ab5c796eba39498e60
SHA512

197fb512e2ee4d4cd3bf499e70a1ffda8e107efc6e6a354622448b7dac575701d6f2288df97db568df7e27e780750bc4c3337ffc869adffbd21b013c69aba18f

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Server.exe

pid process

1996 Server.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

Fallen.exe

pid process

3792 Fallen.exe
Drops file in Windows directory 2 IoCs

Processes:

Fallen.exe

description ioc process

File created C:\Windows\Server.exe Fallen.exe
File opened for modification C:\Windows\Server.exe Fallen.exe

pid	process
1996	Server.exe

pid	process
3792	Fallen.exe

description	ioc	process
File created	C:\Windows\Server.exe	Fallen.exe
File opened for modification	C:\Windows\Server.exe	Fallen.exe

Modifies service 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

Fallen.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Vwxyab Defghijk Mno\Description = "Vwxyab Defghijk Mnopqrst Vwxy"	Fallen.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Server.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Server.exe

C:\Users\Admin\AppData\Local\Temp\Fallen.exe
"C:\Users\Admin\AppData\Local\Temp\Fallen.exe"
1⤵
- Suspicious behavior: RenamesItself
- Drops file in Windows directory
- Modifies service
PID:3792

C:\Windows\Server.exe
C:\Windows\Server.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:1996

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Server.exe

Download Submit
C:\Windows\Server.exe

Download Submit