Analysis
- max time kernel: 129s
- max time network: 121s
- platform: windows7_x64
- resource: win7
- submitted: 31-07-2020 10:24
Behavioral task: behavioral1
- Sample: qkuriw.jpg.exe
- Resource: win7 (windows7_x64)
- 0 signatures
- 0 seconds
General
- Target: qkuriw.jpg.exe
- Size: 182KB
- MD5: 7af33570ec886974f5513b46e999b988
- SHA1: 6b9e35f3131fdc4bd8ea66cd44303cb1004b2019
- SHA256: da4647425789cc5a32d2719815367c8c21d2279a77a3179e609e1db9844ef15a
- SHA512: 2c8cd12d2ed3f0e62358e696115d6422fa808c89dee0b9d0f157b54806d4796f84d7a7b0208a6c295cf368d777d2ad83a9908d2137842c749d6807bc926265d7
Malware Config
Signatures
- Suspicious use of FindShellTrayWindow (5 IoCs)
  Processes (pid, process): 1208 Explorer.EXE (5 identical rows)
- Suspicious use of SendNotifyMessage (4 IoCs)
  Processes (pid, process): 1208 Explorer.EXE (4 identical rows)
- Checks whether UAC is enabled
  Processes (description, ioc, process):
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Explorer.EXE
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes (pid, process): 608 qkuriw.jpg.exe (3 identical rows)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description, pid, process):
    Token: SeDebugPrivilege | 608 | qkuriw.jpg.exe
    Token: SeShutdownPrivilege | 1208 | Explorer.EXE
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes (pid, process): 608 qkuriw.jpg.exe (2 identical rows)
- Suspicious use of SetThreadContext (2 IoCs)
  Processes (description, pid, process, target process):
    PID 608 set thread context of 1208 | 608 | qkuriw.jpg.exe | Explorer.EXE (2 identical rows)
Processes
- C:\Windows\Explorer.EXE (depth 1)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Checks whether UAC is enabled
  - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\qkuriw.jpg.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\qkuriw.jpg.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetThreadContext
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1208-0-0x00000000075B0000-0x00000000076FF000-memory.dmp (Filesize: 1.3MB)