63c1ce2aef3529012b5e2d4453754583f41b5aa0f1f8e12e8e08a8a8abc9470e

General

Target

products inquiry.exe
Size

229KB
MD5

a53604e429dd528d745800b1b533a85e
SHA1

778ef3670b3a55dbdefaf4f5f756aa1964feb330
SHA256

63c1ce2aef3529012b5e2d4453754583f41b5aa0f1f8e12e8e08a8a8abc9470e
SHA512

5f56e7aaf702ed1db467cbb8fa0ec72af89cc4cb8cbff5bb96dbd41b71004d463685efb123093c95b03a00a2f7c12ff2657a3e1e87cec2ec6520856b0efc283a

Score

7^/10

evasion trojan

Malware Config

Signatures

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

products inquiry.exeExplorer.EXEipconfig.exe

description	pid	process	target process
PID 1768 wrote to memory of 1880	1768	products inquiry.exe	schtasks.exe
PID 1768 wrote to memory of 1880	1768	products inquiry.exe	schtasks.exe
PID 1768 wrote to memory of 1880	1768	products inquiry.exe	schtasks.exe
PID 1768 wrote to memory of 1880	1768	products inquiry.exe	schtasks.exe
PID 1768 wrote to memory of 1940	1768	products inquiry.exe	products inquiry.exe
PID 1768 wrote to memory of 1940	1768	products inquiry.exe	products inquiry.exe
PID 1768 wrote to memory of 1940	1768	products inquiry.exe	products inquiry.exe
PID 1768 wrote to memory of 1940	1768	products inquiry.exe	products inquiry.exe
PID 1768 wrote to memory of 1940	1768	products inquiry.exe	products inquiry.exe
PID 1768 wrote to memory of 1940	1768	products inquiry.exe	products inquiry.exe
PID 1768 wrote to memory of 1940	1768	products inquiry.exe	products inquiry.exe
PID 1216 wrote to memory of 1968	1216	Explorer.EXE	ipconfig.exe
PID 1216 wrote to memory of 1968	1216	Explorer.EXE	ipconfig.exe
PID 1216 wrote to memory of 1968	1216	Explorer.EXE	ipconfig.exe
PID 1216 wrote to memory of 1968	1216	Explorer.EXE	ipconfig.exe
PID 1968 wrote to memory of 1140	1968	ipconfig.exe	cmd.exe
PID 1968 wrote to memory of 1140	1968	ipconfig.exe	cmd.exe
PID 1968 wrote to memory of 1140	1968	ipconfig.exe	cmd.exe
PID 1968 wrote to memory of 1140	1968	ipconfig.exe	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

products inquiry.exeproducts inquiry.exeipconfig.exe

description	pid	process	target process
PID 1768 set thread context of 1940	1768	products inquiry.exe	products inquiry.exe
PID 1940 set thread context of 1216	1940	products inquiry.exe	Explorer.EXE
PID 1968 set thread context of 1216	1968	ipconfig.exe	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

products inquiry.exeproducts inquiry.exeipconfig.exe

description	pid	process
Token: SeDebugPrivilege	1768	products inquiry.exe
Token: SeDebugPrivilege	1940	products inquiry.exe
Token: SeDebugPrivilege	1968	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

products inquiry.exeproducts inquiry.exeipconfig.exe

pid	process
1768	products inquiry.exe
1940	products inquiry.exe
1940	products inquiry.exe
1968	ipconfig.exe
1968	ipconfig.exe
1968	ipconfig.exe
1968	ipconfig.exe
1968	ipconfig.exe
1968	ipconfig.exe
1968	ipconfig.exe
1968	ipconfig.exe
1968	ipconfig.exe
1968	ipconfig.exe
1968	ipconfig.exe
1968	ipconfig.exe
1968	ipconfig.exe
1968	ipconfig.exe
1968	ipconfig.exe
1968	ipconfig.exe
1968	ipconfig.exe
1968	ipconfig.exe
1968	ipconfig.exe
1968	ipconfig.exe
1968	ipconfig.exe
1968	ipconfig.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

Explorer.EXE

pid process

1216 Explorer.EXE
1216 Explorer.EXE
1216 Explorer.EXE
1216 Explorer.EXE
1216 Explorer.EXE
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1880 schtasks.exe
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Explorer.EXE

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

products inquiry.exeipconfig.exe

pid process

1940 products inquiry.exe
1940 products inquiry.exe
1940 products inquiry.exe
1968 ipconfig.exe
1968 ipconfig.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1140 cmd.exe
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1216 Explorer.EXE
1216 Explorer.EXE
1216 Explorer.EXE
1216 Explorer.EXE

pid	process
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE

pid	process
1880	schtasks.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Explorer.EXE

pid	process
1940	products inquiry.exe
1940	products inquiry.exe
1940	products inquiry.exe
1968	ipconfig.exe
1968	ipconfig.exe

pid	process
1140	cmd.exe

pid	process
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of FindShellTrayWindow
- Checks whether UAC is enabled
- Suspicious use of SendNotifyMessage
PID:1216

C:\Users\Admin\AppData\Local\Temp\products inquiry.exe
"C:\Users\Admin\AppData\Local\Temp\products inquiry.exe"
2⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:1768

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SFExzXR" /XML "C:\Users\Admin\AppData\Local\Temp\tmp96A3.tmp"
3⤵
- Creates scheduled task(s)
PID:1880

C:\Users\Admin\AppData\Local\Temp\products inquiry.exe
"{path}"
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1940

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\SysWOW64\ipconfig.exe"
2⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1968

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\products inquiry.exe"
3⤵
- Deletes itself
PID:1140

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp96A3.tmp

Download Submit
memory/1140-8-0x0000000000000000-mapping.dmp

Download
memory/1768-1-0x0000000000000000-0x0000000000000000-disk.dmp

Download
memory/1880-2-0x0000000000000000-mapping.dmp

Download
memory/1940-4-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1940-5-0x000000000041E350-mapping.dmp

Download
memory/1968-6-0x0000000000000000-mapping.dmp

Download
memory/1968-7-0x0000000000B10000-0x0000000000B1A000-memory.dmp

Filesize
40KB

Download
memory/1968-9-0x0000000001F20000-0x0000000002053000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads