Analysis
- max time kernel: 135s
- max time network: 149s
- platform: windows7_x64
- resource: win7
- submitted: 13-07-2020 12:33
Static task: static1
Behavioral task: behavioral1
- Sample: App.bin.exe
- Resource: win7 (windows7_x64)
- 0 signatures
- 0 seconds
General
- Target: App.bin.exe
- Size: 560KB
- MD5: 5518020384ceb599dd993c388c21acf3
- SHA1: 11c3c0a314b76eb980f69c5db4807cc147e3a1d6
- SHA256: 91b9e5401ca19ff3f45d8c3acce6a793f7cb713bc6920d9c5371197ad6a3b582
- SHA512: 7767e0edc52c158a1c3aca4c6dfba33bdade555238b238f82c25aa98e21db1cff479aaced3e570419e9767aabdbb10e03eb51debd016b93ba4c681b5432ce001
Malware Config
Signatures
Checks whether UAC is enabled
Processes (description / ioc / process):
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (App.bin.exe)
Drops file in Program Files directory (2 IoCs)
Processes (description / ioc / process):
- File created: C:\Program Files (x86)\WAN Subsystem\wanss.exe (App.bin.exe)
- File opened for modification: C:\Program Files (x86)\WAN Subsystem\wanss.exe (App.bin.exe)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description / pid / process):
- Token: SeDebugPrivilege, pid 1496 (App.bin.exe)
- Token: SeDebugPrivilege, pid 1496 (App.bin.exe)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes (pid / process):
- pid 1496 (App.bin.exe)
Adds Run entry to start application (2 TTPs, 1 IoC)
Processes (description / ioc / process):
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WAN Subsystem = "C:\\Program Files (x86)\\WAN Subsystem\\wanss.exe" (App.bin.exe)
Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious use of WriteProcessMemory (8 IoCs)
Processes (description / pid / process / target process):
- PID 1496 wrote to memory of 388: pid 1496, App.bin.exe -> schtasks.exe (4 entries)
- PID 1496 wrote to memory of 1636: pid 1496, App.bin.exe -> schtasks.exe (4 entries)
Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes (pid / process):
- pid 1496 (App.bin.exe) (6 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\App.bin.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\App.bin.exe"
  PID: 1496
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: GetForegroundWindowSpam
  - Adds Run entry to start application
  - Suspicious use of WriteProcessMemory
  - Suspicious behavior: EnumeratesProcesses
  C:\Windows\SysWOW64\schtasks.exe
    Command line: "schtasks.exe" /create /f /tn "WAN Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp6B4.tmp"
    PID: 388
    - Creates scheduled task(s)
  C:\Windows\SysWOW64\schtasks.exe
    Command line: "schtasks.exe" /create /f /tn "WAN Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp85A.tmp"
    PID: 1636
    - Creates scheduled task(s)