Analysis
max time kernel: 141s
max time network: 144s
platform: windows7_x64
resource: win7v200430
submitted: 29-05-2020 11:13
Static task: static1
Behavioral task: behavioral1
  Sample: 1003.exe
  Resource: win7v200430 (windows7_x64)
Behavioral task: behavioral2
  Sample: 1003.exe
  Resource: win10v200430 (windows10_x64)
General
Target: 1003.exe
Size: 255KB
MD5: 0246bb54723bd4a49444aa4ca254845a
SHA1: 151382e82fbcfdf188b347911bd6a34293c14878
SHA256: 8cf50ae247445de2e570f19705236ed4b1e19f75ca15345e5f00857243bc0e9b
SHA512: 8b920699602ad00015ececf7f58a181e311a6726aece237de86fcc455d0e6fcb587fe46f6ef2e86a34fe1c52d835c5e2a547874a7906315247f07daa30e4323a
Score: 8/10
Malware Config
Signatures

Kills process with taskkill (1 IoC)
  pid   process
  1048  taskkill.exe
  The command line (see Processes below) is "taskkill" /F /IM 1003.exe, run by 1003.exe itself: the original sample terminates its own image name after it has launched the copy it dropped.

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  1092  1003.exe
  Token: SeDebugPrivilege  1048  taskkill.exe
  Token: SeDebugPrivilege  748   E25D2A1F72.exe
  taskkill /F requests SeDebugPrivilege on its own when terminating another process, so that hit is expected; the two hits on 1003.exe and its dropped copy are the ones of interest.

Suspicious use of WriteProcessMemory (6 IoCs)
  description                       pid   process   target process
  PID 1092 wrote to memory of 748   1092  1003.exe  E25D2A1F72.exe
  PID 1092 wrote to memory of 748   1092  1003.exe  E25D2A1F72.exe
  PID 1092 wrote to memory of 748   1092  1003.exe  E25D2A1F72.exe
  PID 1092 wrote to memory of 1048  1092  1003.exe  taskkill.exe
  PID 1092 wrote to memory of 1048  1092  1003.exe  taskkill.exe
  PID 1092 wrote to memory of 1048  1092  1003.exe  taskkill.exe
  Both targets are direct children of 1092 (see the process tree), and three writes per child at start-up is what a parent's CreateProcess produces while setting up the new process. Nothing in this table shows writes into a process 1003.exe did not create, so it does not by itself indicate injection into an unrelated process.

Executes dropped EXE (1 IoC)
  pid   process
  748   E25D2A1F72.exe

Adds Run entry to start application (2 TTPs, 4 IoCs)
  description      ioc                                                                                                                                              process
  Set value (str)  \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\E25D2A1F72 = "C:\\Users\\Admin\\AppData\\Roaming\\E25D2A1F72.exe"       1003.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*E25D2A1F72 = "C:\\Users\\Admin\\AppData\\Roaming\\E25D2A1F72.exe"  1003.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\E25D2A1F72 = "C:\\Users\\Admin\\AppData\\Roaming\\E25D2A1F72.exe"       E25D2A1F72.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*E25D2A1F72 = "C:\\Users\\Admin\\AppData\\Roaming\\E25D2A1F72.exe"  E25D2A1F72.exe
  Both keys sit under the user's own hive (HKU\S-1-5-21-...-1000, i.e. HKCU for Admin), so the persistence is per-user and needs no elevation. The RunOnce value name is prefixed with an asterisk; Windows normally skips RunOnce entries when booting into Safe Mode, and the "*" prefix tells it to run the entry anyway. The dropped copy rewrites both values itself, so the keys are re-established even if the original sample's writes are undone.
Processes

C:\Users\Admin\AppData\Local\Temp\1003.exe (pid 1092)
  command line: "C:\Users\Admin\AppData\Local\Temp\1003.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Adds Run entry to start application

  C:\Users\Admin\AppData\Roaming\E25D2A1F72.exe (pid 748, child of 1092)
    command line: "C:\Users\Admin\AppData\Roaming\E25D2A1F72.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Executes dropped EXE
    - Adds Run entry to start application

  C:\Windows\system32\taskkill.exe (pid 1048, child of 1092)
    command line: "taskkill" /F /IM 1003.exe
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken