Overview

overview

10

Static

static

2050.exe

windows7_x64

8

2050.exe

windows10_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    132s
  • platform
    windows10_x64
  • resource
    win10v200430
  • submitted
    08/07/2020, 09:02

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    2050.exe

  • Size

    3.7MB

  • MD5

    67a58e0cd56c1347fdb8dfd6daa163c9

  • SHA1

    e57cddf1375f1124aab526bb37a7ba74876353aa

  • SHA256

    1eb6e921f6045c1ea7cb304d9b7108c653424f7b3cbb9ec63bcec4d8998bd98c

  • SHA512

    666d61b53424e4ed7cc0503b83f85b979fe7a9d66ad3be25b7218f8c1ece98f21d459025224a42015ef1ffce1468fda4272c16e575b80f4f8d6d55c1f2e73519

Score
10/10
evasionspywaretrojan

Malware Config

Signatures

  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Drops startup file 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Checks whether UAC is enabled 1 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 53 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Modifies registry class 113 IoCs
  • Drops file in Windows directory 1 IoCs
  • Modifies control panel 1 IoCs
    evasion
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2050.exe
    "C:\Users\Admin\AppData\Local\Temp\2050.exe"
    1⤵
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3888
    • C:\ProgramData\tEyxTHPso1\Atikus9Bumpers.exe
      "C:\ProgramData\tEyxTHPso1\Atikus9Bumpers.exe"
      2⤵
      • Drops startup file
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Executes dropped EXE
      PID:2536
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
    1⤵
    • Modifies Internet Explorer settings
    • Checks whether UAC is enabled
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of AdjustPrivilegeToken
    • Modifies registry class
    • Drops file in Windows directory
    • Modifies control panel
    PID:1356
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1356 -s 3428
      2⤵
      • Suspicious use of NtCreateProcessExOtherParentProcess
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Checks processor information in registry
      • Suspicious use of AdjustPrivilegeToken
      • Program crash
      PID:3944
  • C:\Windows\system32\browser_broker.exe
    C:\Windows\system32\browser_broker.exe -Embedding
    1⤵
    • Modifies Internet Explorer settings
    PID:2144

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/3944-0-0x000001F205C90000-0x000001F205C91000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3944-1-0x000001F205C90000-0x000001F205C91000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3944-3-0x000001F206B30000-0x000001F206B31000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3944-6-0x000001F206CF0000-0x000001F206CF1000-memory.dmp

          Filesize

          4KB

          Download