Overview

overview

7

Static

static

cS7il0zOGtdU05K.exe

windows7_x64

7

cS7il0zOGtdU05K.exe

windows10_x64

7

Analysis

  • max time kernel
    149s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    12-07-2020 11:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cS7il0zOGtdU05K.exe

  • Size

    364KB

  • MD5

    b0cac1cdd3c9ab7d332811850ddd8ab9

  • SHA1

    750deac873706d16c1180ac9c3eda6f435828c3e

  • SHA256

    5300a0a0ca9bc1ac90ad1543fe3a1687db23b8f05194f86263938c57e0503b84

  • SHA512

    ebf73440a56091edacee8f04eb61f7aba66f5ca024bb3a10937eb41462146ab48295a9419e0e44fc5c5ec47affa0baf212555411a5f3f09ca9a946e20c3372fc

Score
7/10
evasiontrojan

Malware Config

Signatures

  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 22 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Deletes itself 1 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    • Suspicious use of SendNotifyMessage
    • Checks whether UAC is enabled
    PID:1228
    • C:\Users\Admin\AppData\Local\Temp\cS7il0zOGtdU05K.exe
      "C:\Users\Admin\AppData\Local\Temp\cS7il0zOGtdU05K.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      • Suspicious use of SetThreadContext
      PID:1492
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SfeAvvANvSVV" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB579.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:788
      • C:\Users\Admin\AppData\Local\Temp\cS7il0zOGtdU05K.exe
        "{path}"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious behavior: MapViewOfSection
        PID:1028
    • C:\Windows\SysWOW64\autofmt.exe
      "C:\Windows\SysWOW64\autofmt.exe"
      2⤵
        PID:1508
      • C:\Windows\SysWOW64\autofmt.exe
        "C:\Windows\SysWOW64\autofmt.exe"
        2⤵
          PID:1484
        • C:\Windows\SysWOW64\autofmt.exe
          "C:\Windows\SysWOW64\autofmt.exe"
          2⤵
            PID:1692
          • C:\Windows\SysWOW64\autofmt.exe
            "C:\Windows\SysWOW64\autofmt.exe"
            2⤵
              PID:1296
            • C:\Windows\SysWOW64\autofmt.exe
              "C:\Windows\SysWOW64\autofmt.exe"
              2⤵
                PID:1788
              • C:\Windows\SysWOW64\autofmt.exe
                "C:\Windows\SysWOW64\autofmt.exe"
                2⤵
                  PID:1812
                • C:\Windows\SysWOW64\autofmt.exe
                  "C:\Windows\SysWOW64\autofmt.exe"
                  2⤵
                    PID:1768
                  • C:\Windows\SysWOW64\autofmt.exe
                    "C:\Windows\SysWOW64\autofmt.exe"
                    2⤵
                      PID:1776
                    • C:\Windows\SysWOW64\autofmt.exe
                      "C:\Windows\SysWOW64\autofmt.exe"
                      2⤵
                        PID:1760
                      • C:\Windows\SysWOW64\autofmt.exe
                        "C:\Windows\SysWOW64\autofmt.exe"
                        2⤵
                          PID:1844
                        • C:\Windows\SysWOW64\autofmt.exe
                          "C:\Windows\SysWOW64\autofmt.exe"
                          2⤵
                            PID:1868
                          • C:\Windows\SysWOW64\autofmt.exe
                            "C:\Windows\SysWOW64\autofmt.exe"
                            2⤵
                              PID:1852
                            • C:\Windows\SysWOW64\autofmt.exe
                              "C:\Windows\SysWOW64\autofmt.exe"
                              2⤵
                                PID:1884
                              • C:\Windows\SysWOW64\cmstp.exe
                                "C:\Windows\SysWOW64\cmstp.exe"
                                2⤵
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of WriteProcessMemory
                                • Suspicious use of SetThreadContext
                                • Suspicious use of AdjustPrivilegeToken
                                • Suspicious behavior: MapViewOfSection
                                PID:1876
                                • C:\Windows\SysWOW64\cmd.exe
                                  /c del "C:\Users\Admin\AppData\Local\Temp\cS7il0zOGtdU05K.exe"
                                  3⤵
                                  • Deletes itself
                                  PID:1892

                            Network

                            MITRE ATT&CK Matrix ATT&CK v6

                            Initial Access

                            Execution

                            Scheduled Task

                            1
                            T1053

                            Persistence

                            Scheduled Task

                            1
                            T1053

                            Privilege Escalation

                            Scheduled Task

                            1
                            T1053

                            Defense Evasion

                            Credential Access

                            Discovery

                            System Information Discovery

                            1
                            T1082

                            Lateral Movement

                            Collection

                            Exfiltration

                            Command and Control

                            Impact

                            Replay Monitor

                            Loading Replay Monitor...

                            Downloads

                            • C:\Users\Admin\AppData\Local\Temp\tmpB579.tmp
                              Download Submit
                            • memory/788-0-0x0000000000000000-mapping.dmp
                              Download
                            • memory/1028-2-0x0000000000400000-0x000000000042A000-memory.dmp
                              Filesize

                              168KB

                              Download
                            • memory/1028-3-0x000000000041B6E0-mapping.dmp
                              Download
                            • memory/1876-4-0x0000000000000000-mapping.dmp
                              Download
                            • memory/1876-5-0x0000000000D10000-0x0000000000D28000-memory.dmp
                              Filesize

                              96KB

                              Download
                            • memory/1876-7-0x0000000000BB0000-0x0000000000CCC000-memory.dmp
                              Filesize

                              1.1MB

                              Download
                            • memory/1892-6-0x0000000000000000-mapping.dmp
                              Download