Analysis
- max time kernel: 147s
- max time network: 119s
- platform: windows7_x64
- resource: win7
- submitted: 30-06-2020 08:51

Static task: static1

Behavioral task: behavioral1
- Sample: b0ee0f69d0044d4d4e1ba6fbe7a556ee.exe
- Resource: win7 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: b0ee0f69d0044d4d4e1ba6fbe7a556ee.exe
- Resource: win10v200430 (windows10_x64)
- 0 signatures, 0 seconds

General
- Target: b0ee0f69d0044d4d4e1ba6fbe7a556ee.exe
- Size: 483KB
- MD5: b0ee0f69d0044d4d4e1ba6fbe7a556ee
- SHA1: 562ae410121bf87420074a70023c40bbb9e7bcc3
- SHA256: 6cfae9fac2b59c2520f8911a66bd16899886170ff2a5f17f40161ac47f66b0ff
- SHA512: 6f984f428421adb3e48b18c8a6f1f76f0a11a06ce3c58355820fae85b3c346870f797137494125f121d5f25d8ef91f1182ab42a269ddadedc05255510a054644
- Score: 8/10
Malware Config
Signatures
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes (pid, process):
  - 1620 syscheck.exe (2 IoCs)
  - 1228 NETSTAT.EXE (12 IoCs)
- Suspicious behavior: MapViewOfSection (5 IoCs)
  Processes (pid, process):
  - 1620 syscheck.exe (3 IoCs)
  - 1228 NETSTAT.EXE (2 IoCs)
- Suspicious use of FindShellTrayWindow (4 IoCs)
  Processes (pid, process):
  - 1212 Explorer.EXE (4 IoCs)
- Suspicious use of SendNotifyMessage (4 IoCs)
  Processes (pid, process):
  - 1212 Explorer.EXE (4 IoCs)
- Adds Run entry to start application (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
  - Set value (str): \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\sysnet = "C:\\Users\\Admin\\AppData\\Local\\syscheck.exe -boot" (syscheck.exe)
- Suspicious use of WriteProcessMemory (27 IoCs)
  Processes (description, pid, process, target process):
  - PID 1508 b0ee0f69d0044d4d4e1ba6fbe7a556ee.exe wrote to memory of 1764 cmd.exe (4 IoCs)
  - PID 1508 b0ee0f69d0044d4d4e1ba6fbe7a556ee.exe wrote to memory of 1880 cmd.exe (4 IoCs)
  - PID 1880 cmd.exe wrote to memory of 1916 syscheck.exe (4 IoCs)
  - PID 1916 syscheck.exe wrote to memory of 1620 syscheck.exe (7 IoCs)
  - PID 1212 Explorer.EXE wrote to memory of 1228 NETSTAT.EXE (4 IoCs)
  - PID 1228 NETSTAT.EXE wrote to memory of 1140 cmd.exe (4 IoCs)
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
  - 1916 syscheck.exe
  - 1620 syscheck.exe
- Suspicious use of SetThreadContext (3 IoCs)
  Processes (description, pid, process, target process):
  - PID 1916 syscheck.exe set thread context of 1620 syscheck.exe
  - PID 1620 syscheck.exe set thread context of 1212 Explorer.EXE
  - PID 1228 NETSTAT.EXE set thread context of 1212 Explorer.EXE
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes (description, pid, process):
  - Token: SeDebugPrivilege, 1508 b0ee0f69d0044d4d4e1ba6fbe7a556ee.exe
  - Token: SeDebugPrivilege, 1916 syscheck.exe
  - Token: SeDebugPrivilege, 1620 syscheck.exe
  - Token: SeDebugPrivilege, 1228 NETSTAT.EXE
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
  - 1880 cmd.exe
  - 1916 syscheck.exe
Processes
- Process (level 1): C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  Signatures:
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - Process (level 2): C:\Users\Admin\AppData\Local\Temp\b0ee0f69d0044d4d4e1ba6fbe7a556ee.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\b0ee0f69d0044d4d4e1ba6fbe7a556ee.exe"
    Signatures:
    - Suspicious use of WriteProcessMemory
    - Suspicious use of AdjustPrivilegeToken
    - Process (level 3): C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\b0ee0f69d0044d4d4e1ba6fbe7a556ee.exe" "C:\Users\Admin\AppData\Local\syscheck.exe"
    - Process (level 3): C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Local\syscheck.exe"
      Signatures:
      - Suspicious use of WriteProcessMemory
      - Loads dropped DLL
      - Process (level 4): C:\Users\Admin\AppData\Local\syscheck.exe
        Command line: "C:\Users\Admin\AppData\Local\syscheck.exe"
        Signatures:
        - Adds Run entry to start application
        - Suspicious use of WriteProcessMemory
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of AdjustPrivilegeToken
        - Loads dropped DLL
        - Process (level 5): C:\Users\Admin\AppData\Local\syscheck.exe
          Command line: "C:\Users\Admin\AppData\Local\syscheck.exe"
          Signatures:
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of AdjustPrivilegeToken
  - Process (level 2): C:\Windows\SysWOW64\NETSTAT.EXE
    Command line: "C:\Windows\SysWOW64\NETSTAT.EXE"
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Process (level 3): C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\syscheck.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\syscheck.exe
- C:\Users\Admin\AppData\Local\syscheck.exe
- C:\Users\Admin\AppData\Local\syscheck.exe
- \Users\Admin\AppData\Local\syscheck.exe
- \Users\Admin\AppData\Local\syscheck.exe
- memory/1140-18-0x0000000000000000-mapping.dmp
- memory/1228-16-0x0000000000000000-mapping.dmp
- memory/1228-17-0x0000000000170000-0x0000000000179000-memory.dmp (Filesize: 36KB)
- memory/1228-19-0x0000000003130000-0x000000000326C000-memory.dmp (Filesize: 1.2MB)
- memory/1508-1-0x0000000000000000-0x0000000000000000-disk.dmp
- memory/1620-13-0x0000000000400000-0x000000000042A000-memory.dmp (Filesize: 168KB)
- memory/1620-14-0x000000000041B680-mapping.dmp
- memory/1764-3-0x0000000000000000-mapping.dmp
- memory/1880-4-0x0000000000000000-mapping.dmp
- memory/1916-7-0x0000000000000000-mapping.dmp