Overview

overview

7

Static

static

CV.exe

windows7_x64

7

CV.exe

windows10_x64

3

Analysis

  • max time kernel
    149s
  • max time network
    136s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    09/07/2020, 08:31

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    CV.exe

  • Size

    452KB

  • MD5

    da433bf4f7ae613fa6a3e3b52f006a6b

  • SHA1

    2d0273829977db284382be3e6735ac9993ea91a1

  • SHA256

    922d69b91fbe84aaf3f6fae8eb416ce48f8106e6cb5ec60846409beb029b235b

  • SHA512

    2d64e923cb6809c70873c8d8801148fcab302876eb81978746a1311028e75197701c766ef0ea76334145a58a2b4c79e1f9388a4c35cc9b8fa82df53396f38e51

Score
7/10
evasiontrojan

Malware Config

Signatures

  • Suspicious use of WriteProcessMemory 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Deletes itself 1 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    • Suspicious use of SendNotifyMessage
    • Suspicious use of FindShellTrayWindow
    • Checks whether UAC is enabled
    PID:1336
    • C:\Users\Admin\AppData\Local\Temp\CV.exe
      "C:\Users\Admin\AppData\Local\Temp\CV.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      • Suspicious use of SetThreadContext
      PID:1164
      • C:\Users\Admin\AppData\Local\Temp\CV.exe
        "{path}"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        PID:1508
    • C:\Windows\SysWOW64\autochk.exe
      "C:\Windows\SysWOW64\autochk.exe"
      2⤵
        PID:1632
      • C:\Windows\SysWOW64\cmmon32.exe
        "C:\Windows\SysWOW64\cmmon32.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        PID:660
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Users\Admin\AppData\Local\Temp\CV.exe"
          3⤵
          • Deletes itself
          PID:764

    Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/660-5-0x0000000000630000-0x000000000063D000-memory.dmp

            Filesize

            52KB

            Download

          • memory/660-7-0x0000000002F80000-0x00000000030E1000-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/1508-2-0x0000000000400000-0x000000000042A000-memory.dmp

            Filesize

            168KB

            Download