Overview

overview

10

Static

static

5

78b1751491...98.exe

windows7_x64

10

78b1751491...98.exe

windows10_x64

7

Analysis

  • max time kernel
    128s
  • max time network
    134s
  • platform
    windows10_x64
  • resource
    win10
  • submitted
    29-06-2020 07:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    78b1751491463b0d579eda079654d1dfb9296b98e2867b4fdc765256e5962398.exe

  • Size

    1.5MB

  • MD5

    edb8b19beede18b21ec7ebc847271fd1

  • SHA1

    8ec1c660059fc6a0571782fe17ed30787055b278

  • SHA256

    78b1751491463b0d579eda079654d1dfb9296b98e2867b4fdc765256e5962398

  • SHA512

    88197dc5f5480378481f0fc8165c051dc87148176fcae89a9367eaf004506d82755596f89c0d6fecbea5005301514caf507c1145edd9b657192258d10804e5c3

Score
7/10
persistence

Malware Config

Signatures

  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\78b1751491463b0d579eda079654d1dfb9296b98e2867b4fdc765256e5962398.exe
    "C:\Users\Admin\AppData\Local\Temp\78b1751491463b0d579eda079654d1dfb9296b98e2867b4fdc765256e5962398.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3068
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      2⤵
        PID:3860
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3860 -s 88
          3⤵
          • Program crash
          PID:3932

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scripting

    1
    T1064

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Scripting

    1
    T1064

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/3860-1-0x000000000048F888-mapping.dmp
      Download
    • memory/3932-2-0x0000000004E30000-0x0000000004E31000-memory.dmp
      Filesize

      4KB

      Download