Overview

overview

8

Static

static

SKM_454e20...30.SCR

windows7_x64

8

SKM_454e20...30.SCR

windows10_x64

8

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10_x64
  • resource
    win10
  • submitted
    29-07-2020 11:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SKM_454e20070310530.SCR

  • Size

    808KB

  • MD5

    fd239f6ff382ff48c0b544c650f7e04b

  • SHA1

    f07e1454a8b708c150490fc454623519dfd6cef3

  • SHA256

    b68844095af181c139ed272cb04e830f803770518ad9dd78cb789e8f4571b4c3

  • SHA512

    122000268724443c5bcfb5a071310e31f838ccee106e868bcdf0ee8d045617e3b65ac52495c6e7cda54b0aec530aa130473b07c5b7114e44a48b64989213b86f

Score
8/10
persistence

Malware Config

Signatures

  • Suspicious behavior: EnumeratesProcesses 68 IoCs
  • Suspicious use of WriteProcessMemory 57 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1420 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence

Processes

  • c:\windows\system32\sihost.exe
    sihost.exe
    1⤵
      PID:2668
    • c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
      1⤵
        PID:2680
      • c:\windows\system32\taskhostw.exe
        taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
        1⤵
          PID:2784
        • C:\Windows\Explorer.EXE
          C:\Windows\Explorer.EXE
          1⤵
            PID:2984
            • C:\Users\Admin\AppData\Local\Temp\SKM_454e20070310530.SCR
              "C:\Users\Admin\AppData\Local\Temp\SKM_454e20070310530.SCR" /S
              2⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of SetThreadContext
              PID:2192
              • C:\Users\Admin\AppData\Local\Temp\SKM_454e20070310530.SCR
                "C:\Users\Admin\AppData\Local\Temp\SKM_454e20070310530.SCR" /S
                3⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of WriteProcessMemory
                • Loads dropped DLL
                • Suspicious use of AdjustPrivilegeToken
                PID:3888
                • C:\Users\Admin\AppData\Roaming\Duocfuupyz\ykepitewnok.exe
                  "C:\Users\Admin\AppData\Roaming\Duocfuupyz\ykepitewnok.exe"
                  4⤵
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of WriteProcessMemory
                  • Suspicious behavior: MapViewOfSection
                  • Suspicious use of SetThreadContext
                  • Executes dropped EXE
                  PID:3928
                  • C:\Users\Admin\AppData\Roaming\Duocfuupyz\ykepitewnok.exe
                    "C:\Users\Admin\AppData\Roaming\Duocfuupyz\ykepitewnok.exe"
                    5⤵
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of WriteProcessMemory
                    • Loads dropped DLL
                    • Suspicious use of AdjustPrivilegeToken
                    • Executes dropped EXE
                    • Adds Run key to start application
                    PID:3488
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp823cbc18.bat"
                  4⤵
                    PID:696
            • C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
              "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
              1⤵
                PID:3140
              • C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
                1⤵
                  PID:3156
                • C:\Windows\System32\RuntimeBroker.exe
                  C:\Windows\System32\RuntimeBroker.exe -Embedding
                  1⤵
                    PID:3380
                  • C:\Windows\system32\DllHost.exe
                    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                    1⤵
                      PID:3700
                    • C:\Windows\system32\backgroundTaskHost.exe
                      "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca
                      1⤵
                        PID:3280

                      Network

                      MITRE ATT&CK Matrix ATT&CK v6

                      Initial Access

                      Execution

                      Persistence

                      Registry Run Keys / Startup Folder

                      1
                      T1060

                      Privilege Escalation

                      Defense Evasion

                      Modify Registry

                      1
                      T1112

                      Credential Access

                      Discovery

                      Lateral Movement

                      Collection

                      Exfiltration

                      Command and Control

                      Impact

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Users\Admin\AppData\Local\Temp\tmp823cbc18.bat
                        Download Submit
                      • C:\Users\Admin\AppData\Roaming\Duocfuupyz\ykepitewnok.exe
                        Download Submit
                      • C:\Users\Admin\AppData\Roaming\Duocfuupyz\ykepitewnok.exe
                        Download Submit
                      • C:\Users\Admin\AppData\Roaming\Duocfuupyz\ykepitewnok.exe
                        Download Submit
                      • \Users\Admin\AppData\Local\Temp\tmp14EA.tmp
                        Download Submit
                      • \Users\Admin\AppData\Local\Temp\tmp14FB.tmp
                        Download Submit
                      • \Users\Admin\AppData\Local\Temp\tmp6F0.tmp
                        Download Submit
                      • \Users\Admin\AppData\Local\Temp\tmp701.tmp
                        Download Submit
                      • memory/696-12-0x0000000000000000-mapping.dmp
                        Download
                      • memory/3488-9-0x000000000043F4D4-mapping.dmp
                        Download
                      • memory/3888-0-0x0000000000400000-0x0000000000447000-memory.dmp
                        Filesize

                        284KB

                        Download
                      • memory/3888-2-0x0000000000400000-0x0000000000447000-memory.dmp
                        Filesize

                        284KB

                        Download
                      • memory/3888-1-0x000000000043F4D4-mapping.dmp
                        Download
                      • memory/3928-5-0x0000000000000000-mapping.dmp
                        Download