Analysis
- max time kernel: 147s
- max time network: 37s
- platform: windows7_x64
- resource: win7
- submitted: 13-07-2020 06:56
Static task: static1
Behavioral task: behavioral1
- Sample: PO_013-0034299 & PO_013-0034335.exe
- Resource: win7
- Platform: windows7_x64
- 0 signatures
- 0 seconds
Behavioral task: behavioral2
- Sample: PO_013-0034299 & PO_013-0034335.exe
- Resource: win10v200430
- Platform: windows10_x64
- 0 signatures
- 0 seconds
General
- Target: PO_013-0034299 & PO_013-0034335.exe
- Size: 302KB
- MD5: fb080213d4cdb082ce078ae5773bf0e7
- SHA1: b0ded72625ef8685f9e53e46592e8f3ea18e3ff8
- SHA256: fcd82ee31a25536c2d5dcb275e09bba22ba661b24225dbc5e2f0b7ae41af65e0
- SHA512: f22cc880ea95570b290d1cf5b2409c51c11f0fcc8b2773bbb4f7a20d7dcf5ce5012b7043101cb5c7347f465a35a7cf05433e8615ad057ffc9b8b96532e13abca
Malware Config
Signatures
- Checks whether UAC is enabled 1 IoCs
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Explorer.EXE
- Suspicious use of SetThreadContext 4 IoCs
  Processes:
  description | pid | process | target process
  PID 240 set thread context of 1060 | 240 | PO_013-0034299 & PO_013-0034335.exe | PO_013-0034299 & PO_013-0034335.exe
  PID 1060 set thread context of 1208 | 1060 | PO_013-0034299 & PO_013-0034335.exe | Explorer.EXE (2 entries)
  PID 1532 set thread context of 1208 | 1532 | cmd.exe | Explorer.EXE
- Suspicious use of FindShellTrayWindow 5 IoCs
  Processes:
  pid | process
  1208 | Explorer.EXE (5 entries)
- Suspicious use of SendNotifyMessage 4 IoCs
  Processes:
  pid | process
  1208 | Explorer.EXE (4 entries)
- Suspicious behavior: MapViewOfSection 6 IoCs
  Processes:
  pid | process
  1060 | PO_013-0034299 & PO_013-0034335.exe (4 entries)
  1532 | cmd.exe (2 entries)
- Deletes itself 1 IoCs
  Processes:
  pid | process
  1500 | cmd.exe
- Suspicious use of WriteProcessMemory 15 IoCs
  Processes:
  description | pid | process | target process
  PID 240 wrote to memory of 1060 | 240 | PO_013-0034299 & PO_013-0034335.exe | PO_013-0034299 & PO_013-0034335.exe (7 entries)
  PID 1208 wrote to memory of 1532 | 1208 | Explorer.EXE | cmd.exe (4 entries)
  PID 1532 wrote to memory of 1500 | 1532 | cmd.exe | cmd.exe (4 entries)
- Suspicious behavior: EnumeratesProcesses 24 IoCs
  Processes:
  pid | process
  1060 | PO_013-0034299 & PO_013-0034335.exe (3 entries)
  1532 | cmd.exe (21 entries)
- Suspicious use of AdjustPrivilegeToken 2 IoCs
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1060 | PO_013-0034299 & PO_013-0034335.exe
  Token: SeDebugPrivilege | 1532 | cmd.exe
Processes
- C:\Windows\Explorer.EXE (PID 1208), command line: C:\Windows\Explorer.EXE
  - Checks whether UAC is enabled
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\PO_013-0034299 & PO_013-0034335.exe (PID 240), command line: "C:\Users\Admin\AppData\Local\Temp\PO_013-0034299 & PO_013-0034335.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\PO_013-0034299 & PO_013-0034335.exe (PID 1060), command line: "{path}"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe (PID 1532), command line: "C:\Windows\SysWOW64\cmd.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\cmd.exe (PID 1500), command line: /c del "C:\Users\Admin\AppData\Local\Temp\PO_013-0034299 & PO_013-0034335.exe"
      - Deletes itself
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/240-1-0x0000000000000000-0x0000000000000000-disk.dmp
- memory/1060-2-0x0000000000400000-0x000000000042D000-memory.dmp (Filesize 180KB)
- memory/1060-3-0x000000000041E360-mapping.dmp
- memory/1208-4-0x0000000006AB0000-0x0000000006C0E000-memory.dmp (Filesize 1.4MB)
- memory/1500-7-0x0000000000000000-mapping.dmp
- memory/1532-5-0x0000000000000000-mapping.dmp
- memory/1532-6-0x000000004A620000-0x000000004A66C000-memory.dmp (Filesize 304KB)
- memory/1532-8-0x0000000003010000-0x00000000030F2000-memory.dmp (Filesize 904KB)