Analysis

max time kernel: 149s
max time network: 137s
platform: windows7_x64
resource: win7
submitted: 10-07-2020 05:10

Static task: static1

Behavioral task: behavioral1
  Sample: PO894749745.exe
  Resource: win7 (windows7_x64)
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: PO894749745.exe
  Resource: win10v200430 (windows10_x64)
  0 signatures, 0 seconds
General

Target: PO894749745.exe
Size: 441KB
MD5: 65fe80a7288aebb3e14c7db814feb974
SHA1: 38df46f7e47abefe45503b57474673e8f5e15c24
SHA256: 4052cabc6efdd8910b0c92b973d1a37172a92ee408fc53209d746cfb65e08dcc
SHA512: 7415b082c8644f3406c743ab65db55e4e34817d380a6638065ac12547451382a0c51f1c921fa3b07df3eb5aaf75a2eb3cc4cddf2407e044023424c1cb5d64122
Malware Config

Signatures

Suspicious use of WriteProcessMemory (27 IoCs)
Processes: PO894749745.exe, Explorer.EXE, NETSTAT.EXE
  description                        pid   process           target process   count
  PID 1440 wrote to memory of 1012   1440  PO894749745.exe   vbc.exe          x4
  PID 1440 wrote to memory of 748    1440  PO894749745.exe   vbc.exe          x4
  PID 1440 wrote to memory of 308    1440  PO894749745.exe   vbc.exe          x4
  PID 1440 wrote to memory of 1064   1440  PO894749745.exe   vbc.exe          x7
  PID 1244 wrote to memory of 1528   1244  Explorer.EXE      NETSTAT.EXE      x4
  PID 1528 wrote to memory of 1700   1528  NETSTAT.EXE       cmd.exe          x4

Suspicious behavior: MapViewOfSection (6 IoCs)
Processes: vbc.exe, NETSTAT.EXE
  pid   process       count
  1064  vbc.exe       x4
  1528  NETSTAT.EXE   x2

Suspicious use of FindShellTrayWindow (5 IoCs)
Processes: Explorer.EXE
  pid   process        count
  1244  Explorer.EXE   x5

Checks whether UAC is enabled (1 IoCs)
Processes: Explorer.EXE
  description         ioc                                                                                  process
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   Explorer.EXE

Uses the VBS compiler for execution (1 TTPs)
The binary in question is vbc.exe, the Visual Basic .NET command-line compiler shipped with the .NET Framework (v4.0.30319 here). PO894749745.exe starts it four times with the literal command line "{path}"; only the fourth instance (PID 1064) receives the extra WriteProcessMemory calls, the SetThreadContext call and the SeDebugPrivilege adjustment listed below, so that instance is the one hosting the injected code.

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: PO894749745.exe, vbc.exe, NETSTAT.EXE
  description               pid   process
  Token: SeDebugPrivilege   1440  PO894749745.exe
  Token: SeDebugPrivilege   1064  vbc.exe
  Token: SeDebugPrivilege   1528  NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses (27 IoCs)
Processes: PO894749745.exe, vbc.exe, NETSTAT.EXE
  pid   process           count
  1440  PO894749745.exe   x3
  1064  vbc.exe           x3
  1528  NETSTAT.EXE       x21

Suspicious use of SetThreadContext (4 IoCs)
Processes: PO894749745.exe, vbc.exe, NETSTAT.EXE
  description                              pid   process           target process   count
  PID 1440 set thread context of 1064      1440  PO894749745.exe   vbc.exe          x1
  PID 1064 set thread context of 1244      1064  vbc.exe           Explorer.EXE     x2
  PID 1528 set thread context of 1244      1528  NETSTAT.EXE       Explorer.EXE     x1

Suspicious use of SendNotifyMessage (4 IoCs)
Processes: Explorer.EXE
  pid   process        count
  1244  Explorer.EXE   x4
Processes

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 1244
  - Suspicious use of WriteProcessMemory
  - Suspicious use of FindShellTrayWindow
  - Checks whether UAC is enabled
  - Suspicious use of SendNotifyMessage

    C:\Users\Admin\AppData\Local\Temp\PO894749745.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\PO894749745.exe"
      PID: 1440
      - Suspicious use of WriteProcessMemory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetThreadContext

        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
          command line: "{path}"
          PID: 1012

        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
          command line: "{path}"
          PID: 748

        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
          command line: "{path}"
          PID: 308

        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
          command line: "{path}"
          PID: 1064
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of SetThreadContext

    C:\Windows\SysWOW64\NETSTAT.EXE
      command line: "C:\Windows\SysWOW64\NETSTAT.EXE"
      PID: 1528
      - Suspicious use of WriteProcessMemory
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetThreadContext

        C:\Windows\SysWOW64\cmd.exe
          command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
          PID: 1700
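Read together, the WriteProcessMemory and SetThreadContext tables and the process tree describe a single injection chain: PO894749745.exe starts four copies of vbc.exe and hollows the fourth (PID 1064 is the only child that receives writes beyond the four the loader makes for every CreateProcess, and the only one whose thread context is rewritten by its parent); the hollowed vbc.exe then sets the thread context of the already-running Explorer.EXE; Explorer starts NETSTAT.EXE, which sets Explorer's thread context again and runs cmd.exe to delete the vbc.exe host. The script below is an added example written for this page, not output of the sandbox, that reconstructs that chain from the report's rows. The event rows and the parent/child map are copied from the report; the baseline of four loader writes per CreateProcess is an assumption read off the page (every child that received nothing else got exactly four), and the three finding kinds (process_hollowing, remote_write, thread_hijack) are the editor's own heuristics, not the sandbox's signature logic. It goes slightly beyond the page by also flagging writes into a process the writer did not create, which this sample does not do.

```python
"""Reconstruct the injection chain recorded in the sandbox report above.

Constructed example: event rows and process tree are copied from the report;
the classification rules are the editor's heuristics, not the sandbox's.
"""
from dataclasses import dataclass

# Rows as (source pid, source image, target pid, target image, count).
WRITE_PROCESS_MEMORY = [
    (1440, "PO894749745.exe", 1012, "vbc.exe", 4),
    (1440, "PO894749745.exe", 748, "vbc.exe", 4),
    (1440, "PO894749745.exe", 308, "vbc.exe", 4),
    (1440, "PO894749745.exe", 1064, "vbc.exe", 7),
    (1244, "Explorer.EXE", 1528, "NETSTAT.EXE", 4),
    (1528, "NETSTAT.EXE", 1700, "cmd.exe", 4),
]
SET_THREAD_CONTEXT = [
    (1440, "PO894749745.exe", 1064, "vbc.exe", 1),
    (1064, "vbc.exe", 1244, "Explorer.EXE", 2),
    (1528, "NETSTAT.EXE", 1244, "Explorer.EXE", 1),
]
# Process tree from the report: child pid -> parent pid (Explorer.EXE is the root).
PARENT = {1440: 1244, 1012: 1440, 748: 1440, 308: 1440, 1064: 1440,
          1528: 1244, 1700: 1528}
IMAGE = {1244: "Explorer.EXE", 1440: "PO894749745.exe", 1012: "vbc.exe",
         748: "vbc.exe", 308: "vbc.exe", 1064: "vbc.exe",
         1528: "NETSTAT.EXE", 1700: "cmd.exe"}

# Assumption: four WriteProcessMemory calls is what this sandbox logs for a
# plain CreateProcess of a child (every child that received nothing else got
# exactly four), so only writes above that count as payload.
CREATE_BASELINE_WRITES = 4


@dataclass(frozen=True)
class Finding:
    kind: str      # "process_hollowing", "remote_write" or "thread_hijack"
    src: int
    dst: int
    detail: str


def classify(writes, thread_ctx, parent):
    """Turn raw cross-process events into injection findings."""
    ctx_pairs = {(s, d): n for s, _, d, _, n in thread_ctx}
    findings = []
    for s, _, d, _, n in writes:
        created_by_src = parent.get(d) == s
        if created_by_src and (s, d) in ctx_pairs:
            # Parent wrote more than the loader baseline into a child it
            # created and then rewrote that child's thread context: hollowing.
            extra = n - CREATE_BASELINE_WRITES
            findings.append(Finding("process_hollowing", s, d,
                            f"{extra} payload write(s) + SetThreadContext on own child"))
        elif not created_by_src:
            # Writing into a process the writer never created (not seen here).
            findings.append(Finding("remote_write", s, d,
                            f"{n} write(s) into a process it did not create"))
    for (s, d), n in ctx_pairs.items():
        if parent.get(d) != s:
            # Thread context changed in an already-running foreign process.
            findings.append(Finding("thread_hijack", s, d,
                            f"SetThreadContext x{n} on a process it did not create"))
    return findings


def injection_chain(findings, parent, image, start):
    """Follow injection edges (and the spawns between them) from `start`."""
    by_src = {}
    for f in findings:
        by_src.setdefault(f.src, []).append(f)
    children = {}
    for child, p in parent.items():
        children.setdefault(p, []).append(child)
    steps, seen = [], set()

    def label(pid):
        return f"{image[pid]}({pid})"

    def walk(pid):
        seen.add(pid)
        for f in by_src.get(pid, []):
            steps.append(f"{label(pid)} --{f.kind}--> {label(f.dst)}")
            if f.dst not in seen:
                walk(f.dst)
        # An injected host that spawns a fresh process which itself injects
        # (Explorer.EXE -> NETSTAT.EXE here) continues the chain.
        for child in sorted(children.get(pid, [])):
            if child not in seen and child in by_src:
                steps.append(f"{label(pid)} --spawns--> {label(child)}")
                walk(child)

    walk(start)
    return steps


if __name__ == "__main__":
    found = classify(WRITE_PROCESS_MEMORY, SET_THREAD_CONTEXT, PARENT)
    for f in found:
        print(f"{f.kind:18} {IMAGE[f.src]}({f.src}) -> {IMAGE[f.dst]}({f.dst}): {f.detail}")
    print()
    for step in injection_chain(found, PARENT, IMAGE, 1440):
        print(step)
```

Running it prints three findings (hollowing of PID 1064, thread hijack of Explorer.EXE by PID 1064, thread hijack of Explorer.EXE by PID 1528) and the four-step chain from PO894749745.exe through vbc.exe and Explorer.EXE to NETSTAT.EXE. On an endpoint the nearest equivalent signal is Sysmon Event ID 10 (ProcessAccess), whose GrantedAccess mask exposes PROCESS_VM_WRITE and PROCESS_VM_OPERATION requests against a foreign process; a create-suspended plus SetThreadContext sequence has no Sysmon event of its own, which is why this thread-free hollowing pattern is easier to catch in a sandbox than in host telemetry.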