Analysis
-
max time kernel
149s -
max time network
124s -
platform
windows7_x64 -
resource
win7 -
submitted
12-07-2020 11:25
Static task
static1
Behavioral task
behavioral1
Sample
cS7il0zOGtdU05K.exe
Resource
win7
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
cS7il0zOGtdU05K.exe
Resource
win10v200430
windows10_x64
0 signatures
0 seconds
General
-
Target
cS7il0zOGtdU05K.exe
-
Size
364KB
-
MD5
b0cac1cdd3c9ab7d332811850ddd8ab9
-
SHA1
750deac873706d16c1180ac9c3eda6f435828c3e
-
SHA256
5300a0a0ca9bc1ac90ad1543fe3a1687db23b8f05194f86263938c57e0503b84
-
SHA512
ebf73440a56091edacee8f04eb61f7aba66f5ca024bb3a10937eb41462146ab48295a9419e0e44fc5c5ec47affa0baf212555411a5f3f09ca9a946e20c3372fc
Malware Config
Signatures
-
Suspicious behavior: EnumeratesProcesses 22 IoCs
Processes:
cS7il0zOGtdU05K.execmstp.exepid process 1028 cS7il0zOGtdU05K.exe 1028 cS7il0zOGtdU05K.exe 1876 cmstp.exe 1876 cmstp.exe 1876 cmstp.exe 1876 cmstp.exe 1876 cmstp.exe 1876 cmstp.exe 1876 cmstp.exe 1876 cmstp.exe 1876 cmstp.exe 1876 cmstp.exe 1876 cmstp.exe 1876 cmstp.exe 1876 cmstp.exe 1876 cmstp.exe 1876 cmstp.exe 1876 cmstp.exe 1876 cmstp.exe 1876 cmstp.exe 1876 cmstp.exe 1876 cmstp.exe -
Suspicious use of FindShellTrayWindow 5 IoCs
Processes:
Explorer.EXEpid process 1228 Explorer.EXE 1228 Explorer.EXE 1228 Explorer.EXE 1228 Explorer.EXE 1228 Explorer.EXE -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of WriteProcessMemory 22 IoCs
Processes:
cS7il0zOGtdU05K.exeExplorer.EXEcmstp.exedescription pid process target process PID 1492 wrote to memory of 788 1492 cS7il0zOGtdU05K.exe schtasks.exe PID 1492 wrote to memory of 788 1492 cS7il0zOGtdU05K.exe schtasks.exe PID 1492 wrote to memory of 788 1492 cS7il0zOGtdU05K.exe schtasks.exe PID 1492 wrote to memory of 788 1492 cS7il0zOGtdU05K.exe schtasks.exe PID 1492 wrote to memory of 1028 1492 cS7il0zOGtdU05K.exe cS7il0zOGtdU05K.exe PID 1492 wrote to memory of 1028 1492 cS7il0zOGtdU05K.exe cS7il0zOGtdU05K.exe PID 1492 wrote to memory of 1028 1492 cS7il0zOGtdU05K.exe cS7il0zOGtdU05K.exe PID 1492 wrote to memory of 1028 1492 cS7il0zOGtdU05K.exe cS7il0zOGtdU05K.exe PID 1492 wrote to memory of 1028 1492 cS7il0zOGtdU05K.exe cS7il0zOGtdU05K.exe PID 1492 wrote to memory of 1028 1492 cS7il0zOGtdU05K.exe cS7il0zOGtdU05K.exe PID 1492 wrote to memory of 1028 1492 cS7il0zOGtdU05K.exe cS7il0zOGtdU05K.exe PID 1228 wrote to memory of 1876 1228 Explorer.EXE cmstp.exe PID 1228 wrote to memory of 1876 1228 Explorer.EXE cmstp.exe PID 1228 wrote to memory of 1876 1228 Explorer.EXE cmstp.exe PID 1228 wrote to memory of 1876 1228 Explorer.EXE cmstp.exe PID 1228 wrote to memory of 1876 1228 Explorer.EXE cmstp.exe PID 1228 wrote to memory of 1876 1228 Explorer.EXE cmstp.exe PID 1228 wrote to memory of 1876 1228 Explorer.EXE cmstp.exe PID 1876 wrote to memory of 1892 1876 cmstp.exe cmd.exe PID 1876 wrote to memory of 1892 1876 cmstp.exe cmd.exe PID 1876 wrote to memory of 1892 1876 cmstp.exe cmd.exe PID 1876 wrote to memory of 1892 1876 cmstp.exe cmd.exe -
Suspicious use of SetThreadContext 3 IoCs
Processes:
cS7il0zOGtdU05K.execS7il0zOGtdU05K.execmstp.exedescription pid process target process PID 1492 set thread context of 1028 1492 cS7il0zOGtdU05K.exe cS7il0zOGtdU05K.exe PID 1028 set thread context of 1228 1028 cS7il0zOGtdU05K.exe Explorer.EXE PID 1876 set thread context of 1228 1876 cmstp.exe Explorer.EXE -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
cS7il0zOGtdU05K.execmstp.exedescription pid process Token: SeDebugPrivilege 1028 cS7il0zOGtdU05K.exe Token: SeDebugPrivilege 1876 cmstp.exe -
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
cS7il0zOGtdU05K.execmstp.exepid process 1028 cS7il0zOGtdU05K.exe 1028 cS7il0zOGtdU05K.exe 1028 cS7il0zOGtdU05K.exe 1876 cmstp.exe 1876 cmstp.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 1892 cmd.exe -
Suspicious use of SendNotifyMessage 4 IoCs
Processes:
Explorer.EXEpid process 1228 Explorer.EXE 1228 Explorer.EXE 1228 Explorer.EXE 1228 Explorer.EXE -
Processes:
Explorer.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Explorer.EXE
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- Suspicious use of SendNotifyMessage
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Local\Temp\cS7il0zOGtdU05K.exe"C:\Users\Admin\AppData\Local\Temp\cS7il0zOGtdU05K.exe"2⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SfeAvvANvSVV" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB579.tmp"3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\cS7il0zOGtdU05K.exe"{path}"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\cmstp.exe"C:\Windows\SysWOW64\cmstp.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\cS7il0zOGtdU05K.exe"3⤵
- Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmpB579.tmp
-
memory/788-0-0x0000000000000000-mapping.dmp
-
memory/1028-2-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/1028-3-0x000000000041B6E0-mapping.dmp
-
memory/1876-4-0x0000000000000000-mapping.dmp
-
memory/1876-5-0x0000000000D10000-0x0000000000D28000-memory.dmpFilesize
96KB
-
memory/1876-7-0x0000000000BB0000-0x0000000000CCC000-memory.dmpFilesize
1.1MB
-
memory/1892-6-0x0000000000000000-mapping.dmp