Analysis
-
max time kernel
149s -
max time network
128s -
platform
windows7_x64 -
resource
win7v200430 -
submitted
12-07-2020 08:16
General
-
Target
contract supply list.exe
-
Size
311KB
-
MD5
1c8f2480d5bfe4d9bbe8bc432ccc5c97
-
SHA1
5ff74ec7bd4d10582ce2c949ade827b1ccb23d21
-
SHA256
24f64f0f4a0f7b860db4e664e4f4c76a08f20d3490966de4637958bbecc618ac
-
SHA512
158ec88cc3d9ee15c2a96402e58547bd58896be18cc9502c8e204a21e85e3657cd4d07be03fba888911ff4d26e40b882afbc97ab6d04f8f1a67260205126acfe
Score
9/10
Malware Config
Signatures
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Deletes itself 1 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of WriteProcessMemory 23 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious behavior: MapViewOfSection 5 IoCs
-
Suspicious use of SendNotifyMessage 4 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\contract supply list.exe"C:\Users\Admin\AppData\Local\Temp\contract supply list.exe"2⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetThreadContext
- Checks BIOS information in registry
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RvBHdj" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAAAF.tmp"3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\contract supply list.exe"{path}"3⤵
-
C:\Users\Admin\AppData\Local\Temp\contract supply list.exe"{path}"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\help.exe"C:\Windows\SysWOW64\help.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\contract supply list.exe"3⤵
- Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmpAAAF.tmp
-
memory/240-1-0x0000000000000000-0x0000000000000000-disk.dmp
-
memory/508-2-0x0000000000000000-mapping.dmp
-
memory/1052-4-0x0000000000400000-0x000000000042D000-memory.dmpFilesize
180KB
-
memory/1052-5-0x000000000041E2E0-mapping.dmp
-
memory/1580-8-0x0000000000000000-mapping.dmp
-
memory/1612-6-0x0000000000000000-mapping.dmp
-
memory/1612-7-0x00000000000C0000-0x00000000000C6000-memory.dmpFilesize
24KB
-
memory/1612-9-0x00000000006E0000-0x0000000000836000-memory.dmpFilesize
1.3MB