Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows10_x64
- resource: win10
- submitted: 29-07-2020 05:32

Static task: static1

Behavioral task: behavioral1
- Sample: SKM_454e20070310530.scr
- Resource: win7v200722 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: SKM_454e20070310530.scr
- Resource: win10 (windows10_x64)
- 0 signatures, 0 seconds

General
- Target: SKM_454e20070310530.scr
- Size: 809KB
- MD5: f5b3048dd2e673f152d32b45a627f75a
- SHA1: 231899877604d50a2692781358f090f0fdd21c62
- SHA256: b1e971ba689623d9fbc5befb741a9d9e046515a0c05d0adc27a165471bc6303d
- SHA512: 36d5ee0eeb2472fd5f61ce34906f4b17ae64b609262009e5548697911216aa31f139cf95739cbbbb4036b9ff07de7135cb4bf990b7985e99c6cd6e4ade76c130
- Score: 8/10
Malware Config
Signatures
- Loads dropped DLL (4 IoCs)
  Processes (pid, process):
  1232  SKM_454e20070310530.scr
  1232  SKM_454e20070310530.scr
  3584  ufynakmodi.exe
  3584  ufynakmodi.exe
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
  3528  ufynakmodi.exe
  3584  ufynakmodi.exe
- Enumerates processes with tasklist (1 TTPs, 1 IoCs)
- Gathers network information (2 TTPs, 1 IoCs)
  Uses commandline utility to view network configuration.
  Processes (pid, process):
  956  ipconfig.exe
- Modifies Windows Firewall (1 TTPs)
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (70 IoCs)
  Processes (pid, process):
  720   SKM_454e20070310530.scr
  1232  SKM_454e20070310530.scr
  3528  ufynakmodi.exe
  3584  ufynakmodi.exe
- Suspicious use of WriteProcessMemory (83 IoCs)
  Processes (description | pid | process | target process):
  PID 720 wrote to memory of 1232   | 720  | SKM_454e20070310530.scr | SKM_454e20070310530.scr
  PID 1232 wrote to memory of 3528  | 1232 | SKM_454e20070310530.scr | ufynakmodi.exe
  PID 3528 wrote to memory of 3584  | 3528 | ufynakmodi.exe          | ufynakmodi.exe
  PID 1232 wrote to memory of 3872  | 1232 | SKM_454e20070310530.scr | cmd.exe
  PID 3584 wrote to memory of 2660  | 3584 | ufynakmodi.exe          | sihost.exe
  PID 3584 wrote to memory of 2672  | 3584 | ufynakmodi.exe          | svchost.exe
  PID 3584 wrote to memory of 2808  | 3584 | ufynakmodi.exe          | taskhostw.exe
  PID 3584 wrote to memory of 2984  | 3584 | ufynakmodi.exe          | Explorer.EXE
  PID 3584 wrote to memory of 3136  | 3584 | ufynakmodi.exe          | ShellExperienceHost.exe
  PID 3584 wrote to memory of 3148  | 3584 | ufynakmodi.exe          | SearchUI.exe
  PID 3584 wrote to memory of 3376  | 3584 | ufynakmodi.exe          | RuntimeBroker.exe
  PID 3584 wrote to memory of 3600  | 3584 | ufynakmodi.exe          | DllHost.exe
  PID 3584 wrote to memory of 3836  | 3584 | ufynakmodi.exe          | backgroundTaskHost.exe
  PID 3584 wrote to memory of 3388  | 3584 | ufynakmodi.exe          | cmd.exe
  PID 3388 wrote to memory of 2208  | 3388 | cmd.exe                 | HOSTNAME.EXE
  PID 3388 wrote to memory of 956   | 3388 | cmd.exe                 | ipconfig.exe
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes (pid, process):
  720   SKM_454e20070310530.scr
  3528  ufynakmodi.exe
- Suspicious use of SetThreadContext (2 IoCs)
  Processes (description | pid | process | target process):
  PID 720 set thread context of 1232   | 720  | SKM_454e20070310530.scr | SKM_454e20070310530.scr
  PID 3528 set thread context of 3584  | 3528 | ufynakmodi.exe          | ufynakmodi.exe
- Suspicious use of AdjustPrivilegeToken (1443 IoCs)
  Processes (description | pid | process):
  Token: SeSecurityPrivilege | 1232 | SKM_454e20070310530.scr
  Token: SeSecurityPrivilege | 3584 | ufynakmodi.exe
  Token: SeDebugPrivilege    | 2160 | tasklist.exe
- Adds Run key to start application (2 TTPs, 3 IoCs)
  Processes (description | ioc | process):
  Set value (str) | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\Woyxabc = "C:\\Users\\Admin\\AppData\\Roaming\\Biugfyqunu\\ufynakmodi.exe" | ufynakmodi.exe
  Key created     | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\SOFTWARE\Microsoft\Windows\Currentversion\Run | ufynakmodi.exe
  Key created     | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\Currentversion\Run | ufynakmodi.exe
Processes (indented by process-tree depth)
- c:\windows\system32\sihost.exe
  Command line: sihost.exe
- c:\windows\system32\svchost.exe
  Command line: c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
- c:\windows\system32\taskhostw.exe
  Command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\SKM_454e20070310530.scr
    Command line: "C:\Users\Admin\AppData\Local\Temp\SKM_454e20070310530.scr" /S
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory; Suspicious behavior: MapViewOfSection; Suspicious use of SetThreadContext
    - C:\Users\Admin\AppData\Local\Temp\SKM_454e20070310530.scr
      Command line: "C:\Users\Admin\AppData\Local\Temp\SKM_454e20070310530.scr" /S
      Signatures: Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory; Suspicious use of AdjustPrivilegeToken
      - C:\Users\Admin\AppData\Roaming\Biugfyqunu\ufynakmodi.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Biugfyqunu\ufynakmodi.exe"
        Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory; Suspicious behavior: MapViewOfSection; Suspicious use of SetThreadContext
        - C:\Users\Admin\AppData\Roaming\Biugfyqunu\ufynakmodi.exe
          Command line: "C:\Users\Admin\AppData\Roaming\Biugfyqunu\ufynakmodi.exe"
          Signatures: Loads dropped DLL; Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory; Suspicious use of AdjustPrivilegeToken; Adds Run key to start application
          - C:\Windows\SysWOW64\cmd.exe
            Command line: cmd.exe
            Signatures: Suspicious use of WriteProcessMemory
            - C:\Windows\SysWOW64\HOSTNAME.EXE
              Command line: hostname
            - C:\Windows\SysWOW64\ipconfig.exe
              Command line: ipconfig /all
              Signatures: Gathers network information
            - C:\Windows\SysWOW64\tasklist.exe
              Command line: tasklist
              Signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
            - C:\Windows\SysWOW64\netsh.exe
              Command line: netsh firewall set opmode disable
            - C:\Windows\SysWOW64\net.exe
              Command line: net share
              - C:\Windows\SysWOW64\net1.exe
                Command line: C:\Windows\system32\net1 share
      - C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp6a775f43.bat"
- C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
  Command line: "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
- C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- C:\Windows\system32\backgroundTaskHost.exe
  Command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca
- C:\Windows\System32\slui.exe
  Command line: C:\Windows\System32\slui.exe -Embedding
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp6a775f43.bat
- C:\Users\Admin\AppData\Roaming\Biugfyqunu\ufynakmodi.exe
- C:\Users\Admin\AppData\Roaming\Biugfyqunu\ufynakmodi.exe
- C:\Users\Admin\AppData\Roaming\Biugfyqunu\ufynakmodi.exe
- \Users\Admin\AppData\Local\Temp\tmpE5DB.tmp
- \Users\Admin\AppData\Local\Temp\tmpE5FC.tmp
- \Users\Admin\AppData\Local\Temp\tmpF424.tmp
- \Users\Admin\AppData\Local\Temp\tmpF444.tmp
- memory/724-21-0x0000000000000000-mapping.dmp
- memory/956-18-0x0000000000000000-mapping.dmp
- memory/980-20-0x0000000000000000-mapping.dmp
- memory/1232-0-0x0000000000400000-0x0000000000447000-memory.dmp (Filesize: 284KB)
- memory/1232-2-0x0000000000400000-0x0000000000447000-memory.dmp (Filesize: 284KB)
- memory/1232-1-0x000000000043F4D4-mapping.dmp
- memory/2160-19-0x0000000000000000-mapping.dmp
- memory/2208-17-0x0000000000000000-mapping.dmp
- memory/3388-16-0x0000000000000000-mapping.dmp
- memory/3528-5-0x0000000000000000-mapping.dmp
- memory/3584-9-0x000000000043F4D4-mapping.dmp
- memory/3680-22-0x0000000000000000-mapping.dmp
- memory/3872-12-0x0000000000000000-mapping.dmp