37299afa1d46a1aa02b7b06a39d41d876f454047527e406e7cbcb659833de728

Analysis

max time kernel
150s
max time network
54s
platform
windows7_x64
resource
win7
submitted
08-07-2020 10:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

UPDATED S.O.A..exe
Size

796KB
MD5

37abe07d477f8fd134cd1c4f7bde592d
SHA1

12f091feb8be7dc754ee73090c8bbcce5d82c4d3
SHA256

37299afa1d46a1aa02b7b06a39d41d876f454047527e406e7cbcb659833de728
SHA512

34ba619d7ebd7ffd77cad9445c05f5447a69e3984d2111f88829db3413427b41d68bb7464440ef2cf750830763a2cd088ef22e04bb68b1d2cf1a3782eaaacf03

Score

6^/10

evasion trojan

Malware Config

Signatures

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
1860	RegSvcs.exe
1860	RegSvcs.exe
1860	RegSvcs.exe
1908	rundll32.exe
1908	rundll32.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Explorer.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 1868	1684	UPDATED S.O.A..exe	24
PID 1684 wrote to memory of 1868	1684	UPDATED S.O.A..exe	24
PID 1684 wrote to memory of 1868	1684	UPDATED S.O.A..exe	24
PID 1684 wrote to memory of 1868	1684	UPDATED S.O.A..exe	24
PID 1684 wrote to memory of 1868	1684	UPDATED S.O.A..exe	24
PID 1684 wrote to memory of 1868	1684	UPDATED S.O.A..exe	24
PID 1684 wrote to memory of 1868	1684	UPDATED S.O.A..exe	24
PID 1684 wrote to memory of 1860	1684	UPDATED S.O.A..exe	25
PID 1684 wrote to memory of 1860	1684	UPDATED S.O.A..exe	25
PID 1684 wrote to memory of 1860	1684	UPDATED S.O.A..exe	25
PID 1684 wrote to memory of 1860	1684	UPDATED S.O.A..exe	25
PID 1684 wrote to memory of 1860	1684	UPDATED S.O.A..exe	25
PID 1684 wrote to memory of 1860	1684	UPDATED S.O.A..exe	25
PID 1684 wrote to memory of 1860	1684	UPDATED S.O.A..exe	25
PID 1684 wrote to memory of 1860	1684	UPDATED S.O.A..exe	25
PID 1684 wrote to memory of 1860	1684	UPDATED S.O.A..exe	25
PID 1684 wrote to memory of 1860	1684	UPDATED S.O.A..exe	25
PID 1268 wrote to memory of 1908	1268	Explorer.EXE	26
PID 1268 wrote to memory of 1908	1268	Explorer.EXE	26
PID 1268 wrote to memory of 1908	1268	Explorer.EXE	26
PID 1268 wrote to memory of 1908	1268	Explorer.EXE	26
PID 1268 wrote to memory of 1908	1268	Explorer.EXE	26
PID 1268 wrote to memory of 1908	1268	Explorer.EXE	26
PID 1268 wrote to memory of 1908	1268	Explorer.EXE	26
PID 1908 wrote to memory of 1916	1908	rundll32.exe	27
PID 1908 wrote to memory of 1916	1908	rundll32.exe	27
PID 1908 wrote to memory of 1916	1908	rundll32.exe	27
PID 1908 wrote to memory of 1916	1908	rundll32.exe	27

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1684	UPDATED S.O.A..exe
Token: SeDebugPrivilege	1860	RegSvcs.exe
Token: SeDebugPrivilege	1908	rundll32.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
1684	UPDATED S.O.A..exe
1684	UPDATED S.O.A..exe
1860	RegSvcs.exe
1860	RegSvcs.exe
1908	rundll32.exe
1908	rundll32.exe
1908	rundll32.exe
1908	rundll32.exe
1908	rundll32.exe
1908	rundll32.exe
1908	rundll32.exe
1908	rundll32.exe
1908	rundll32.exe
1908	rundll32.exe
1908	rundll32.exe
1908	rundll32.exe
1908	rundll32.exe
1908	rundll32.exe
1908	rundll32.exe
1908	rundll32.exe
1908	rundll32.exe
1908	rundll32.exe
1908	rundll32.exe
1908	rundll32.exe
1908	rundll32.exe
1908	rundll32.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1684 set thread context of 1860	1684	UPDATED S.O.A..exe	25
PID 1860 set thread context of 1268	1860	RegSvcs.exe	20
PID 1908 set thread context of 1268	1908	rundll32.exe	20

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
PID:1268
- C:\Users\Admin\AppData\Local\Temp\UPDATED S.O.A..exe
  "C:\Users\Admin\AppData\Local\Temp\UPDATED S.O.A..exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetThreadContext
  PID:1684
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "{path}"
    3⤵
    PID:1868
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "{path}"
    3⤵
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetThreadContext
    PID:1860
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\SysWOW64\rundll32.exe"
  2⤵
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetThreadContext
  PID:1908
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:1916

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1860-2-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1908-5-0x0000000000B10000-0x0000000000B1E000-memory.dmp

Filesize
56KB

Download
memory/1908-7-0x0000000001F20000-0x0000000002029000-memory.dmp

Filesize
1.0MB

Download