Analysis

max time kernel:   56s
max time network:  57s
platform:          windows10_x64
resource:          win10v200430
submitted:         31-05-2020 03:14

Tasks
Static task       static1
Behavioral task   behavioral1    Sample: 321.exe    Resource: win10v200430 (windows10_x64)
0 signatures, 0 seconds
General

Target:  321.exe
Size:    1.1MB
MD5:     621368f070a43b2b353275cc2c1d2a85
SHA1:    5b771da14373fd6fabde3ee3055717040929853d
SHA256:  83d04e3ac2a116805cee01f0882b7745a94d11d27a1041d80db1e40ae6f54b9e
SHA512:  d1174e670b403e618e5f5b898164bec4f818b58a1733ce9a93b61fd1593f67448660fbc13335e42779c037ea24d9ea4cabfdc9d29f87ff004c489ba93136aea1
Score:   7/10
Malware Config
Signatures

Suspicious use of WriteProcessMemory (5 IoCs)
Processes:
  Process   PID   Target process   Target PID   Description
  321.exe   3824  RegAsm.exe       520          wrote to memory of 520   (5 identical entries)

Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Suspicious use of FindShellTrayWindow (3 IoCs)
Processes:
  Process   PID
  321.exe   3824   (3 identical entries)

Suspicious use of SendNotifyMessage (3 IoCs)
Processes:
  Process   PID
  321.exe   3824   (3 identical entries)

Suspicious use of SetThreadContext (1 IoC)
Processes:
  Process   PID   Target process   Target PID   Description
  321.exe   3824  RegAsm.exe       520          set thread context of 520

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  Process      PID   Description
  RegAsm.exe   520   Token: SeDebugPrivilege

Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes:
  Process      PID
  RegAsm.exe   520   (5 identical entries)

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency wallets, possible credential harvesting (2 TTPs)
Processes

1. C:\Users\Admin\AppData\Local\Temp\321.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\321.exe"
   - Suspicious use of WriteProcessMemory
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of SetThreadContext

   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe   (child of 1)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses
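The chain the signatures and process tree describe is the classic process-hollowing sequence: the dropper in the user's Temp directory spawns a signed .NET utility (RegAsm.exe, launched with no arguments, which it never is in legitimate use), writes into the child's memory five times, then replaces a thread context so execution resumes inside the written payload; the child then asks for SeDebugPrivilege and walks the process list, which is what the stealer signatures that follow would expect. The detector below, an added example and not the sandbox's own code or export format, recovers that chain from a stream of process/API events and scores it with the same secondary indicators. The event records are constructed by hand from the report's IoCs (PIDs 3824 and 520, the image paths, the API names); the record schema, the hollowing-host allow-list beyond RegAsm.exe, and the user-writable directory list are this example's assumptions.

```python
"""Detect the WriteProcessMemory -> SetThreadContext injection chain.

Added example; not the sandbox's code or export format. EVENTS is constructed
from the report's IoCs; the field names (kind/pid/ppid/image/cmdline/api/
target_pid/privilege/name) are this example's own schema (assumption).
"""
import ntpath
from collections import defaultdict

# Signed .NET/Windows utilities commonly used as hollowing hosts. RegAsm.exe is
# the one in this report; the rest are an assumed allow-list for the example.
HOLLOWING_HOSTS = {"regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe",
                   "aspnet_compiler.exe", "applaunch.exe"}
# Assumed set of user-writable staging directories (matched as substrings).
USER_WRITABLE_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\downloads\\")

EVENTS = [  # constructed from the report's IoCs, in report order
    {"kind": "process_start", "pid": 3824, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\321.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\321.exe"'},
    {"kind": "process_start", "pid": 520, "ppid": 3824,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"'},
    *([{"kind": "api", "pid": 3824, "api": "WriteProcessMemory", "target_pid": 520}] * 5),
    {"kind": "api", "pid": 3824, "api": "SetThreadContext", "target_pid": 520},
    {"kind": "api", "pid": 520, "api": "AdjustTokenPrivileges", "privilege": "SeDebugPrivilege"},
    *([{"kind": "behavior", "pid": 520, "name": "EnumeratesProcesses"}] * 5),
]

BENIGN_EVENTS = [  # constructed control case: RegAsm.exe run normally, with an assembly argument
    {"kind": "process_start", "pid": 900, "ppid": 1000,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" build.proj'},
    {"kind": "process_start", "pid": 901, "ppid": 900,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MyLib.dll /codebase'},
]


def _no_arguments(cmdline, image):
    """True when the command line is nothing but the (possibly quoted) image path."""
    return cmdline.strip().strip('"').lower() == image.lower()


def detect_hollowing(events):
    """Return one finding per (parent, child) pair where the parent wrote into a
    process it spawned and then replaced one of its thread contexts. Each finding
    carries the secondary indicators that were also present, as tags."""
    procs = {e["pid"]: e for e in events if e["kind"] == "process_start"}
    writes, contexts = defaultdict(int), set()
    privs, behaviors = defaultdict(set), defaultdict(set)
    for e in events:
        if e["kind"] == "api" and e["api"] == "WriteProcessMemory":
            writes[(e["pid"], e["target_pid"])] += 1
        elif e["kind"] == "api" and e["api"] == "SetThreadContext":
            contexts.add((e["pid"], e["target_pid"]))
        elif e["kind"] == "api" and e["api"] == "AdjustTokenPrivileges":
            privs[e["pid"]].add(e["privilege"])
        elif e["kind"] == "behavior":
            behaviors[e["pid"]].add(e["name"])

    findings = []
    for src, dst in sorted(contexts):
        parent, child = procs.get(src), procs.get(dst)
        # Core pattern: the writer is the parent, and it wrote before redirecting a thread.
        if not (parent and child and child["ppid"] == src and writes[(src, dst)]):
            continue
        tags = {"write_then_setthreadcontext"}
        if ntpath.basename(child["image"]).lower() in HOLLOWING_HOSTS:
            tags.add("hollowing_host")
        if _no_arguments(child["cmdline"], child["image"]):
            tags.add("host_started_without_arguments")
        if any(d in parent["image"].lower() for d in USER_WRITABLE_DIRS):
            tags.add("parent_in_user_writable_dir")
        if "SeDebugPrivilege" in privs[dst]:
            tags.add("child_requests_sedebugprivilege")
        if "EnumeratesProcesses" in behaviors[dst]:
            tags.add("child_enumerates_processes")
        findings.append({"parent_pid": src, "child_pid": dst,
                         "write_count": writes[(src, dst)], "tags": tags,
                         "verdict": "process_hollowing" if len(tags) >= 3 else "injection_suspect"})
    return findings


if __name__ == "__main__":
    for finding in detect_hollowing(EVENTS):
        print(finding)
    print("benign control:", detect_hollowing(BENIGN_EVENTS))
```

The parent/child requirement is deliberate: a debugger or an EDR agent legitimately writes memory and sets thread contexts in processes it did not spawn, so requiring `ppid == writer` keeps the core rule tight, and the extra tags (no-argument host, Temp-directory parent, SeDebugPrivilege, process enumeration) raise the verdict rather than trigger on their own.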
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

memory/520-0-0x0000000000560000-0x0000000000572000-memory.dmp   Filesize: 72KB
(memory dump of PID 520, RegAsm.exe, region 0x560000-0x572000: 0x12000 = 73,728 bytes, i.e. 72 KiB, consistent with the listed size)