Overview

overview

7

Static

static

PO_013-003...35.exe

windows7_x64

7

PO_013-003...35.exe

windows10_x64

3

Analysis

  • max time kernel
    147s
  • max time network
    37s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    13-07-2020 06:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PO_013-0034299 & PO_013-0034335.exe

  • Size

    302KB

  • MD5

    fb080213d4cdb082ce078ae5773bf0e7

  • SHA1

    b0ded72625ef8685f9e53e46592e8f3ea18e3ff8

  • SHA256

    fcd82ee31a25536c2d5dcb275e09bba22ba661b24225dbc5e2f0b7ae41af65e0

  • SHA512

    f22cc880ea95570b290d1cf5b2409c51c11f0fcc8b2773bbb4f7a20d7dcf5ce5012b7043101cb5c7347f465a35a7cf05433e8615ad057ffc9b8b96532e13abca

Score
7/10
evasiontrojan

Malware Config

Signatures

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 4 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Deletes itself 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Checks whether UAC is enabled
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1208
    • C:\Users\Admin\AppData\Local\Temp\PO_013-0034299 & PO_013-0034335.exe
      "C:\Users\Admin\AppData\Local\Temp\PO_013-0034299 & PO_013-0034335.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:240
      • C:\Users\Admin\AppData\Local\Temp\PO_013-0034299 & PO_013-0034335.exe
        "{path}"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1060
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\SysWOW64\cmd.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1532
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\PO_013-0034299 & PO_013-0034335.exe"
        3⤵
        • Deletes itself
        PID:1500

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/240-1-0x0000000000000000-0x0000000000000000-disk.dmp
    Download
  • memory/1060-2-0x0000000000400000-0x000000000042D000-memory.dmp
    Filesize

    180KB

    Download
  • memory/1060-3-0x000000000041E360-mapping.dmp
    Download
  • memory/1208-4-0x0000000006AB0000-0x0000000006C0E000-memory.dmp
    Filesize

    1.4MB

    Download
  • memory/1500-7-0x0000000000000000-mapping.dmp
    Download
  • memory/1532-5-0x0000000000000000-mapping.dmp
    Download
  • memory/1532-6-0x000000004A620000-0x000000004A66C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/1532-8-0x0000000003010000-0x00000000030F2000-memory.dmp
    Filesize

    904KB

    Download