489d3efd8b97c389697e1851b7c4351b28725dca02d2550b2c4e3770d747bc97 | Triage

Analysis

max time kernel
114s
max time network
121s
platform
windows7_x64
resource
win7
submitted
30-06-2020 12:45

Sharing

Report Analysis Logs

General

Target

7da6ce5c60e94d120a8f7f3d66f63451.exe
Size

303KB
MD5

7da6ce5c60e94d120a8f7f3d66f63451
SHA1

9d011ad4f2de2b39a026ce94e1c5fe7a813b32f5
SHA256

489d3efd8b97c389697e1851b7c4351b28725dca02d2550b2c4e3770d747bc97
SHA512

ac2593481fa74f44a8957060a5264d21194b9deb513344bc2fcf927e095a1ad71db2265b16fc33be512369abad6c727d8ae9ad349005d93a376e4c1dce6871c6

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

Processes:

7da6ce5c60e94d120a8f7f3d66f63451.exe

description pid process target process

PID 1124 set thread context of 1420 1124 7da6ce5c60e94d120a8f7f3d66f63451.exe 7da6ce5c60e94d120a8f7f3d66f63451.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

7da6ce5c60e94d120a8f7f3d66f63451.exe

description	pid	process	target process
PID 1124 wrote to memory of 1076	1124	7da6ce5c60e94d120a8f7f3d66f63451.exe	7da6ce5c60e94d120a8f7f3d66f63451.exe
PID 1124 wrote to memory of 1076	1124	7da6ce5c60e94d120a8f7f3d66f63451.exe	7da6ce5c60e94d120a8f7f3d66f63451.exe
PID 1124 wrote to memory of 1076	1124	7da6ce5c60e94d120a8f7f3d66f63451.exe	7da6ce5c60e94d120a8f7f3d66f63451.exe
PID 1124 wrote to memory of 1076	1124	7da6ce5c60e94d120a8f7f3d66f63451.exe	7da6ce5c60e94d120a8f7f3d66f63451.exe
PID 1124 wrote to memory of 1420	1124	7da6ce5c60e94d120a8f7f3d66f63451.exe	7da6ce5c60e94d120a8f7f3d66f63451.exe
PID 1124 wrote to memory of 1420	1124	7da6ce5c60e94d120a8f7f3d66f63451.exe	7da6ce5c60e94d120a8f7f3d66f63451.exe
PID 1124 wrote to memory of 1420	1124	7da6ce5c60e94d120a8f7f3d66f63451.exe	7da6ce5c60e94d120a8f7f3d66f63451.exe
PID 1124 wrote to memory of 1420	1124	7da6ce5c60e94d120a8f7f3d66f63451.exe	7da6ce5c60e94d120a8f7f3d66f63451.exe
PID 1124 wrote to memory of 1420	1124	7da6ce5c60e94d120a8f7f3d66f63451.exe	7da6ce5c60e94d120a8f7f3d66f63451.exe
PID 1124 wrote to memory of 1420	1124	7da6ce5c60e94d120a8f7f3d66f63451.exe	7da6ce5c60e94d120a8f7f3d66f63451.exe
PID 1124 wrote to memory of 1420	1124	7da6ce5c60e94d120a8f7f3d66f63451.exe	7da6ce5c60e94d120a8f7f3d66f63451.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

7da6ce5c60e94d120a8f7f3d66f63451.exe

description pid process

Token: SeDebugPrivilege 1124 7da6ce5c60e94d120a8f7f3d66f63451.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

7da6ce5c60e94d120a8f7f3d66f63451.exe7da6ce5c60e94d120a8f7f3d66f63451.exe

pid process

1124 7da6ce5c60e94d120a8f7f3d66f63451.exe
1420 7da6ce5c60e94d120a8f7f3d66f63451.exe

C:\Users\Admin\AppData\Local\Temp\7da6ce5c60e94d120a8f7f3d66f63451.exe
"C:\Users\Admin\AppData\Local\Temp\7da6ce5c60e94d120a8f7f3d66f63451.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:1124

C:\Users\Admin\AppData\Local\Temp\7da6ce5c60e94d120a8f7f3d66f63451.exe
"{path}"
2⤵
PID:1076

C:\Users\Admin\AppData\Local\Temp\7da6ce5c60e94d120a8f7f3d66f63451.exe
"{path}"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1420

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1420-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1420-1-0x000000000041E320-mapping.dmp

Download