e336780f3321d06dfea57c94467d65e0ab2ab92d77c0267cf17b8d51359a5e38

Analysis

max time kernel
114s
max time network
120s
platform
windows7_x64
resource
win7
submitted
17-07-2020 00:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e336780f3321d06dfea57c94467d65e0ab2ab92d77c0267cf17b8d51359a5e38.exe
Size

701KB
MD5

7da72e4e2a596ab29f1c082ef1802564
SHA1

dfcb8c055a895f0e8593b471f57a7fd0e62c5d4f
SHA256

e336780f3321d06dfea57c94467d65e0ab2ab92d77c0267cf17b8d51359a5e38
SHA512

e8f4a8e175be4edab2e58e9adcdbbc37027768f9793f1705559a7f1bdd59b0f8dcf2433b157f28f847f4eb4656739220c910132a628549f9e1a1160568936f7e

Score

6^/10

persistence

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1060	1152	WerFault.exe	23

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1152 wrote to memory of 1060	1152	e336780f3321d06dfea57c94467d65e0ab2ab92d77c0267cf17b8d51359a5e38.exe	24
PID 1152 wrote to memory of 1060	1152	e336780f3321d06dfea57c94467d65e0ab2ab92d77c0267cf17b8d51359a5e38.exe	24
PID 1152 wrote to memory of 1060	1152	e336780f3321d06dfea57c94467d65e0ab2ab92d77c0267cf17b8d51359a5e38.exe	24
PID 1152 wrote to memory of 1060	1152	e336780f3321d06dfea57c94467d65e0ab2ab92d77c0267cf17b8d51359a5e38.exe	24

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1060	WerFault.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1060	WerFault.exe
1060	WerFault.exe
1060	WerFault.exe
1060	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\GpYMi = "C:\\AVGLFESB\\GpYMim\\GpYMimsml.vbs"	e336780f3321d06dfea57c94467d65e0ab2ab92d77c0267cf17b8d51359a5e38.exe

C:\Users\Admin\AppData\Local\Temp\e336780f3321d06dfea57c94467d65e0ab2ab92d77c0267cf17b8d51359a5e38.exe
"C:\Users\Admin\AppData\Local\Temp\e336780f3321d06dfea57c94467d65e0ab2ab92d77c0267cf17b8d51359a5e38.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Adds Run key to start application
PID:1152
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 7360
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  PID:1060

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1060-1-0x0000000002240000-0x0000000002251000-memory.dmp

Filesize
68KB

Download
memory/1060-2-0x0000000002700000-0x0000000002711000-memory.dmp

Filesize
68KB

Download