Overview

overview

8

Static

static

OFFICIAL P...om.exe

windows7_x64

7

OFFICIAL P...om.exe

windows10_x64

8

Analysis

  • max time kernel
    149s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    07/07/2020, 09:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    OFFICIAL PAYMENT MODE DURING COVID-19 PANDEMIC-2020.com.exe

  • Size

    480KB

  • MD5

    5ac4e04aca5a3bfaf13c7c5d429cc017

  • SHA1

    3648fdde6cb192dcabde3cb7f17f58bf454ec0e1

  • SHA256

    516af190e411859eafe3334997490013f00b0a6199ef034a584df640a3993440

  • SHA512

    961dd27cc6e665c67be0fc0efddb1b0912890a6b13b22d342a8cad5332923013c889cf056a4faaef50a0c77ef7770393907c3493aa145e9ab0aeb2323bfdc38f

Score
7/10
evasiontrojan

Malware Config

Signatures

  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs
  • Deletes itself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    • Suspicious use of SendNotifyMessage
    • Checks whether UAC is enabled
    PID:1228
    • C:\Users\Admin\AppData\Local\Temp\OFFICIAL PAYMENT MODE DURING COVID-19 PANDEMIC-2020.com.exe
      "C:\Users\Admin\AppData\Local\Temp\OFFICIAL PAYMENT MODE DURING COVID-19 PANDEMIC-2020.com.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      • Suspicious use of SetThreadContext
      PID:1496
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cwylpghoIDGGCx" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8822.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:112
      • C:\Users\Admin\AppData\Local\Temp\OFFICIAL PAYMENT MODE DURING COVID-19 PANDEMIC-2020.com.exe
        "{path}"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        PID:1032
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      PID:1500
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\OFFICIAL PAYMENT MODE DURING COVID-19 PANDEMIC-2020.com.exe"
        3⤵
        • Deletes itself
        PID:1296

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1032-2-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

    Download

  • memory/1228-8-0x0000000006A80000-0x0000000006B64000-memory.dmp

    Filesize

    912KB

    Download

  • memory/1500-5-0x0000000000AA0000-0x0000000000AB4000-memory.dmp

    Filesize

    80KB

    Download

  • memory/1500-7-0x0000000002060000-0x00000000021BB000-memory.dmp

    Filesize

    1.4MB

    Download