Analysis
- max time kernel: 147s
- max time network: 51s
- platform: windows7_x64
- resource: win7v200722
- submitted: 31-07-2020 10:04
- Static task: static1
- Behavioral task: behavioral1 (sample ATR1.exe, resource win7v200722)
- Behavioral task: behavioral2 (sample ATR1.exe, resource win10)

General
- Target: ATR1.exe
- Size: 574KB
- MD5: 020d56ce7d0a45a896c811550e05ce9d
- SHA1: 814c8ddbc50e9e158e63bdd745d683dcb636c2a6
- SHA256: 06078629129c4bc1abb214bbbe1bfadca65b618ac9f6f93fc3b22d0a37740f5b
- SHA512: ce565aafb7593d5aa8393a46d27823a90c26e923a15a77252e0be1dbae4845254aa83f35ea44c18964490a7769431aeecffb80052e1f1b5af4b44d8028122dff
Malware Config
Signatures

Suspicious use of SetThreadContext (4 IoCs)
Processes (description, pid, process -> target process):
- PID 1088 set thread context of 596: ATR1.exe -> ATR1.exe
- PID 596 set thread context of 1300: ATR1.exe -> Explorer.EXE
- PID 596 set thread context of 1300: ATR1.exe -> Explorer.EXE
- PID 1612 set thread context of 1300: ipconfig.exe -> Explorer.EXE

Suspicious behavior: MapViewOfSection (6 IoCs)
Processes (pid, process):
- 596 ATR1.exe (4 events)
- 1612 ipconfig.exe (2 events)

Deletes itself (1 IoC)
Processes (pid, process):
- 1580 cmd.exe

Suspicious use of FindShellTrayWindow (4 IoCs)
Processes (pid, process):
- 1300 Explorer.EXE (4 events)

Suspicious behavior: EnumeratesProcesses (20 IoCs)
Processes (pid, process):
- 1088 ATR1.exe (3 events)
- 596 ATR1.exe (3 events)
- 1612 ipconfig.exe (14 events)

Looks for VirtualBox Guest Additions in registry (2 TTPs)

Suspicious use of SendNotifyMessage (4 IoCs)
Processes (pid, process):
- 1300 Explorer.EXE (4 events)

Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes (description, ioc, process):
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (ATR1.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 (ATR1.exe)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes (description, pid, process):
- Token: SeDebugPrivilege, 1088 ATR1.exe
- Token: SeDebugPrivilege, 596 ATR1.exe
- Token: SeDebugPrivilege, 1612 ipconfig.exe

Formbook Payload (4 IoCs)
Processes (resource, yara_rule):
- behavioral1/memory/596-2-0x0000000000400000-0x000000000042D000-memory.dmp: formbook
- behavioral1/memory/596-2-0x0000000000400000-0x000000000042D000-memory.dmp: formbook
- behavioral1/memory/596-3-0x000000000041E2F0-mapping.dmp: formbook
- behavioral1/memory/1612-5-0x0000000000000000-mapping.dmp: formbook

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes (description, ioc, process):
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (ATR1.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (ATR1.exe)

Looks for VMWare Tools registry key (2 TTPs)

Gathers network information (2 TTPs, 1 IoC)
Uses commandline utility to view network configuration.
Processes (pid, process):
- 1612 ipconfig.exe

Suspicious use of WriteProcessMemory (15 IoCs)
Processes (description, pid, process -> target process):
- PID 1088 wrote to memory of 596: ATR1.exe -> ATR1.exe (7 events)
- PID 596 wrote to memory of 1612: ATR1.exe -> ipconfig.exe (4 events)
- PID 1612 wrote to memory of 1580: ipconfig.exe -> cmd.exe (4 events)
Processes (process tree; each level is a child of the one above)

- C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  - C:\Users\Admin\AppData\Local\Temp\ATR1.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\ATR1.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Maps connected drives based on registry
    - Suspicious use of AdjustPrivilegeToken
    - Checks BIOS information in registry
    - Suspicious use of WriteProcessMemory

    - C:\Users\Admin\AppData\Local\Temp\ATR1.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\ATR1.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      - C:\Windows\SysWOW64\ipconfig.exe
        command line: "C:\Windows\SysWOW64\ipconfig.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: MapViewOfSection
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Gathers network information
        - Suspicious use of WriteProcessMemory

        - C:\Windows\SysWOW64\cmd.exe
          command line: /c del "C:\Users\Admin\AppData\Local\Temp\ATR1.exe"
          - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/596-2-0x0000000000400000-0x000000000042D000-memory.dmp (filesize 180KB)
- memory/596-3-0x000000000041E2F0-mapping.dmp
- memory/1088-1-0x0000000000000000-0x0000000000000000-disk.dmp
- memory/1300-4-0x0000000004B00000-0x0000000004C1D000-memory.dmp (filesize 1.1MB)
- memory/1300-9-0x00000000069E0000-0x0000000006AE4000-memory.dmp (filesize 1.0MB)
- memory/1580-7-0x0000000000000000-mapping.dmp
- memory/1612-5-0x0000000000000000-mapping.dmp
- memory/1612-6-0x00000000003B0000-0x00000000003BA000-memory.dmp (filesize 40KB)
- memory/1612-8-0x0000000003040000-0x0000000003149000-memory.dmp (filesize 1.0MB)