Analysis

  • max time kernel: 83s
  • max time network: 34s
  • platform: windows7_x64
  • resource: win7v200430
  • submitted: 07-06-2020 19:45

Errors

Reason
Machine shutdown

General

  • Target: DualShot.bin.exe
  • Size: 18KB
  • MD5: 15c9143498141f0e29c2cc411c011649
  • SHA1: 1b511413cd5a3e18b56684c4c68723125b749e95
  • SHA256: fed9e1bfcbd37a9f6df28c65adbb07ecc9745ed96a03ddaf3716d4324730b3df
  • SHA512: 562677945e922043bfaaa08b66229d4467428364db08c7eedd8f5817171e74d561e2d736e21bea2382dad9ec3a40b51973f51ed09285a35b2fd2d21f5dd995a5

Score
8/10

Malware Config

Signatures

  • Suspicious use of WriteProcessMemory (9 IoCs)
  • Executes dropped EXE (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (4 IoCs)
  • Adds Run entry to start application (2 TTPs, 1 IoC)

Processes

  • C:\Users\Admin\AppData\Local\Temp\DualShot.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\DualShot.bin.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    • Suspicious use of AdjustPrivilegeToken
    PID:1432
    • C:\Users\Admin\AppData\Local\DSNWIN1377.exe
      "C:\Users\Admin\AppData\Local\DSNWIN1377.exe" /inin
      2⤵
      • Suspicious use of WriteProcessMemory
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Adds Run entry to start application
      PID:544
      • C:\Windows\system32\shutdown.exe
        "shutdown" -r -t 60 -c "Please restart."
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1736
    • C:\Windows\system32\cmd.exe
      "cmd" /c choice /c Y /n /d Y /t 3 & del "C:\Users\Admin\AppData\Local\Temp\DualShot.bin.exe"
      2⤵
      PID:480
      • C:\Windows\system32\choice.exe
        choice /c Y /n /d Y /t 3
        3⤵
        PID:756
  • C:\Windows\system32\wlrmdr.exe
    -s -1 -f 2 -t You are about to be logged off -m Please restart. -a 3
    1⤵
    PID:1820
  • C:\Windows\system32\wlrmdr.exe
    -s -1 -f 2 -t You are about to be logged off -m Please restart. -a 3
    1⤵
    PID:880
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    1⤵
    PID:1636
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x1
    1⤵
    PID:1912

Network

MITRE ATT&CK Matrix ATT&CK v6

Persistence

  • Registry Run Keys / Startup Folder (T1060): 1

Defense Evasion

  • Modify Registry (T1112): 1


Downloads

  • C:\Users\Admin\AppData\Local\DSNWIN1377.exe
  • memory/1636-2-0x0000000002940000-0x0000000002941000-memory.dmp
    Filesize: 4KB
  • memory/1636-3-0x0000000002940000-0x0000000002941000-memory.dmp
    Filesize: 4KB
  • memory/1912-6-0x00000000027D0000-0x00000000027D1000-memory.dmp
    Filesize: 4KB