Analysis
Max time kernel: 115s
Max time network: 151s
Platform: windows10_x64
Resource: win10
Submitted: 31-07-2020 13:42
Static task: static1
Behavioral task: behavioral1 (sample cleanur.exe, resource win7v200722)
Behavioral task: behavioral2 (sample cleanur.exe, resource win10)
General
Target: cleanur.exe
Size: 6KB
MD5: fef1116364a9d490f0328fb58a4677b1
SHA1: 2043a18ab381c80358355b1aed5ca8bc0e21afa6
SHA256: 039ebab7c1d8c4138ac72642a8c6b9b3d08fb085a405b1a0bf059c840b999e02
SHA512: 9d86d3310c3507c7979a6b8f418b467bd2eb8c2a98ae0e9f0c5288c56c05eeb5f6e45ae3d966a680b6ac03ec2d407ff581ab7ffb2032f5eb0b33d972f9f82737
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  PID 3900  AltDriver2.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  cleanur.exe  Set value (str)  \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\AltDriver2.exe = "C:\\Users\\Admin\\AltDriver2.exe"
  The autorun target is the dropped copy in the user profile root. Its hashes (see Downloads) are identical to those of cleanur.exe, so the sample copies itself and registers the copy for persistence rather than dropping a distinct second-stage binary.
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  PID 3620  cleanur.exe     Token: SeDebugPrivilege
  PID 3900  AltDriver2.exe  Token: SeDebugPrivilege
Suspicious use of WriteProcessMemory (2 IoCs)
  PID 3620  cleanur.exe  wrote to memory of  PID 3900  AltDriver2.exe
  PID 3620  cleanur.exe  wrote to memory of  PID 3900  AltDriver2.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\cleanur.exe  (command line: "C:\Users\Admin\AppData\Local\Temp\cleanur.exe")
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
2. (child of 1) C:\Users\Admin\AltDriver2.exe  (command line: "C:\Users\Admin\AltDriver2.exe")
   - Executes dropped EXE
   - Suspicious use of AdjustPrivilegeToken
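The two behaviours above that are worth hunting for on other hosts are the Run-key value pointing at an executable dropped into the profile root, and the parent writing into the memory of the child it just dropped. The following is an added example, not part of the sandbox report or the vendor's tooling: it parses the report's own IoC text for those two signatures into structured records and flags them. The regexes match the flat text shown in this report, the input lines are copied from the report above, and the "trusted prefix" path heuristic and all function names are the editor's assumptions.

```python
"""Added example, not part of the sandbox report or the vendor's tooling:
turn the report's 'Adds Run key' and 'WriteProcessMemory' IoC lines into
structured records and flag the two behaviours worth hunting for elsewhere.
The regexes match the flat text shown in this report; the path heuristic in
is_suspicious_autorun is the editor's own assumption, not a vendor rule.
"""
import re
from dataclasses import dataclass
from typing import Iterable, Optional, Set, Tuple

# Input constructed for this example by copying the IoC text from the report above.
RUN_KEY_LINE = (
    r"Set value (str) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000"
    r"\Software\Microsoft\Windows\CurrentVersion\Run\AltDriver2.exe = "
    r'"C:\\Users\\Admin\\AltDriver2.exe"'
)
WPM_LINE = "PID 3620 wrote to memory of 3900"   # the report lists this twice
DROPPED_PIDS = {3900}                            # from 'Executes dropped EXE'

RUN_KEY_RE = re.compile(
    r'Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\.+?\\CurrentVersion\\Run(?:Once)?)'
    r'\\(?P<name>[^\s=\\]+) = "(?P<data>.*)"'
)
WPM_RE = re.compile(r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)")

# Where an autorun image is expected to live; anything else gets a second look.
# Heuristic chosen for this example (assumption, not a vendor rule).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass(frozen=True)
class RunKeyEntry:
    key: str          # registry key that received the value
    value_name: str   # value name under the Run key
    image_path: str   # path the value points at, with the report's escaping undone


def parse_run_key(line: str) -> Optional[RunKeyEntry]:
    """Parse one 'Set value (str) ...Run\\<name> = "<path>"' line from the report."""
    m = RUN_KEY_RE.search(line)
    if not m:
        return None
    # The report doubles the backslashes in the data field; collapse them.
    image = m.group("data").replace("\\\\", "\\")
    return RunKeyEntry(m.group("key"), m.group("name"), image)


def is_suspicious_autorun(entry: RunKeyEntry) -> bool:
    """Flag autorun images outside the usual install locations, in particular
    an .exe dropped straight into a profile root or Temp, as this sample does."""
    path = entry.image_path.lower().strip('"')
    if path.startswith(TRUSTED_PREFIXES):
        return False
    in_profile_root = re.fullmatch(r"c:\\users\\[^\\]+\\[^\\]+\.exe", path) is not None
    in_temp = "\\appdata\\local\\temp\\" in path
    return in_profile_root or in_temp


def parse_memory_write(line: str) -> Optional[Tuple[int, int]]:
    """Return (writer_pid, target_pid) for a 'PID x wrote to memory of y' line."""
    m = WPM_RE.search(line)
    return (int(m.group("src")), int(m.group("dst"))) if m else None


def cross_process_writes(lines: Iterable[str], dropped_pids: Set[int]) -> Set[Tuple[int, int]]:
    """Unique (writer, target) pairs where the target is a freshly dropped process.
    A parent writing into the child it just dropped is the injection pattern this
    report hints at; the duplicate IoC rows from the report collapse into one pair."""
    pairs = set()
    for line in lines:
        pair = parse_memory_write(line)
        if pair and pair[1] in dropped_pids:
            pairs.add(pair)
    return pairs


def triage() -> dict:
    """Run both checks over the embedded report lines."""
    entry = parse_run_key(RUN_KEY_LINE)
    return {
        "autorun": entry,
        "autorun_suspicious": entry is not None and is_suspicious_autorun(entry),
        "writes_into_dropped": cross_process_writes([WPM_LINE, WPM_LINE], DROPPED_PIDS),
    }


if __name__ == "__main__":
    for name, value in triage().items():
        print(f"{name}: {value}")
```

On a live host the same two functions can be fed the `Details` field of Sysmon Event ID 13 (registry value set) and the parent/child PIDs of a process-access or memory-write telemetry source; the parser here is tied to the report's text only so that it runs offline against the lines shown above.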
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AltDriver2.exe
MD5: fef1116364a9d490f0328fb58a4677b1
SHA1: 2043a18ab381c80358355b1aed5ca8bc0e21afa6
SHA256: 039ebab7c1d8c4138ac72642a8c6b9b3d08fb085a405b1a0bf059c840b999e02
SHA512: 9d86d3310c3507c7979a6b8f418b467bd2eb8c2a98ae0e9f0c5288c56c05eeb5f6e45ae3d966a680b6ac03ec2d407ff581ab7ffb2032f5eb0b33d972f9f82737
memory/3900-0-0x0000000000000000-mapping.dmp