Resubmissions
28-08-2020 12:47
200828-nd915gcv5n 828-08-2020 12:45
200828-q7w77zyk92 828-08-2020 12:39
200828-h3kmc18276 8Analysis
-
max time kernel
87s -
max time network
21s -
platform
windows7_x64 -
resource
win7v200722 -
submitted
28-08-2020 12:47
General
-
Target
myfile.exe
-
Size
4.3MB
-
MD5
0a438448cebd370318b5294775e2405c
-
SHA1
60abd37bf94ee406653af60e5b72f1f69f646308
-
SHA256
1e40bce6e476e4c0485b3f813cff5d493b1e07f52a89b56a31765529b809ea33
-
SHA512
dc21a068d6aa3ce93a399d2b636a4dc17fd9b2f60c921eaadaef4eb0049c4ef5d1c09479c906660d0fa7bb7e688cdae54a36d9e73e35ac209e469a862c992976
Score
8/10
Malware Config
Signatures
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 1 IoCs
-
Enumerates connected drives 3 TTPs
-
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
-
Modifies Control Panel 2 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: CmdExeWriteProcessMemorySpam 3 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 39 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\myfile.exe"C:\Users\Admin\AppData\Local\Temp\myfile.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\ABE9.tmp\ABEA.tmp\ABEB.bat C:\Users\Admin\AppData\Local\Temp\myfile.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\tree.comtree3⤵
-
C:\Windows\system32\tree.comtree3⤵
-
C:\Windows\system32\tree.comtree3⤵
-
C:\Windows\system32\tree.comtree3⤵
-
C:\Windows\system32\tree.comtree3⤵
-
C:\Users\Admin\Desktop\HexInformation.exeHexInformation.exe3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\Desktop\HexDecryptor.exeHexDecryptor.exe3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\B24F.tmp\B250.tmp\B260.bat C:\Users\Admin\Desktop\HexDecryptor.exe"4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WindowsSystemTools.exeWindowsSystemTools.exe5⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Modifies Control Panel
-
C:\Users\Admin\Desktop\HexLocker.exeHexLocker.exe3⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE"C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE" /s "C:\Users\Admin\Desktop\Fixed.UnlockPublish.ppsx"1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\8x8x8
-
C:\Users\Admin\AppData\Local\Temp\ABE9.tmp\ABEA.tmp\ABEB.bat
-
C:\Users\Admin\AppData\Local\Temp\B24F.tmp\B250.tmp\B260.bat
-
C:\Users\Admin\AppData\Local\Temp\HexDCIF.hex
-
C:\Users\Admin\AppData\Local\Temp\HexIF.hex
-
C:\Users\Admin\AppData\Local\Temp\HexLK.hex
-
C:\Users\Admin\AppData\Local\Temp\rd000db.dll
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\MicrosoftNTSystem.sys
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WindowsSystemTools.exe
-
C:\Users\Admin\Desktop\Fixed.UnlockPublish.ppsx
-
C:\Users\Admin\Desktop\HexDecryptor.exe
-
C:\Users\Admin\Desktop\HexDecryptor.exe
-
C:\Users\Admin\Desktop\HexInformation.exe
-
C:\Users\Admin\Desktop\HexInformation.exe
-
C:\Users\Admin\Desktop\HexLocker.exe
-
C:\Users\Admin\Desktop\HexLocker.exe
-
C:\Users\Admin\Desktop\Lock.CompressStep.wmf
-
C:\Users\Admin\Desktop\Lock.ConvertToConvertFrom.pot
-
C:\Users\Admin\Desktop\Lock.DismountSplit.odp
-
C:\Users\Admin\Desktop\Lock.EnterPublish.xsl
-
C:\Users\Admin\Desktop\Lock.ExitConvert.pub
-
C:\Users\Admin\Desktop\Lock.GetStep.jpe
-
C:\Users\Admin\Desktop\Lock.HexDecryptor.exe
-
C:\Users\Admin\Desktop\Lock.HexInformation.exe
-
C:\Users\Admin\Desktop\Lock.HexLocker.exe
-
C:\Users\Admin\Desktop\Lock.MeasureDismount.clr
-
C:\Users\Admin\Desktop\Lock.MeasureEnable.bmp
-
C:\Users\Admin\Desktop\Lock.MeasureMount.php
-
C:\Users\Admin\Desktop\Lock.MountPing.xps
-
C:\Users\Admin\Desktop\Lock.NewSelect.mp3
-
C:\Users\Admin\Desktop\Lock.PopSend.lnk
-
C:\Users\Admin\Desktop\Lock.RemoveReset.wmv
-
C:\Users\Admin\Desktop\Lock.RepairComplete.xml
-
C:\Users\Admin\Desktop\Lock.SaveSubmit.gif
-
C:\Users\Admin\Desktop\Lock.SendRestart.pptx
-
C:\Users\Admin\Desktop\Lock.StartRestore.mpa
-
C:\Users\Admin\Desktop\Lock.SuspendRedo.potm
-
C:\Users\Admin\Desktop\Lock.SuspendSkip.wmf
-
C:\Users\Admin\Desktop\Lock.UnlockPublish.ppsx
-
C:\Users\Admin\Desktop\Lock.UnlockReceive.3gp
-
C:\Users\Admin\Desktop\Lock.UseClear.ttf
-
C:\Users\Admin\Desktop\Lock.WatchWait.bmp
-
C:\Users\Admin\Desktop\Lock.desktop.ini
-
C:\Users\Admin\Documents\Lock.Are.docx
-
C:\Users\Admin\Documents\Lock.AssertDebug.pub
-
C:\Users\Admin\Documents\Lock.CloseDebug.vsdm
-
C:\Users\Admin\Documents\Lock.CompressEnter.xltx
-
C:\Users\Admin\Documents\Lock.ConfirmInvoke.odt
-
C:\Users\Admin\Documents\Lock.ConvertFromPing.vsw
-
C:\Users\Admin\Documents\Lock.DenyResize.htm
-
C:\Users\Admin\Documents\Lock.EditNew.dotx
-
C:\Users\Admin\Documents\Lock.Files.docx
-
C:\Users\Admin\Documents\Lock.InitializeCheckpoint.vssm
-
C:\Users\Admin\Documents\Lock.LockRemove.ods
-
C:\Users\Admin\Documents\Lock.Opened.docx
-
C:\Users\Admin\Documents\Lock.PushGet.csv
-
C:\Users\Admin\Documents\Lock.Recently.docx
-
C:\Users\Admin\Documents\Lock.RedoHide.ppsm
-
C:\Users\Admin\Documents\Lock.RemoveWrite.vdw
-
C:\Users\Admin\Documents\Lock.ResetClose.pps
-
C:\Users\Admin\Documents\Lock.ResumeStop.wps
-
C:\Users\Admin\Documents\Lock.SaveLimit.xla
-
C:\Users\Admin\Documents\Lock.SearchEnable.vsdx
-
C:\Users\Admin\Documents\Lock.SetOpen.xlsb
-
C:\Users\Admin\Documents\Lock.SetSplit.pptx
-
C:\Users\Admin\Documents\Lock.SyncPush.xltx
-
C:\Users\Admin\Documents\Lock.These.docx
-
C:\Users\Admin\Documents\Lock.UseLimit.ppsx
-
C:\Users\Admin\Documents\Lock.desktop.ini
-
C:\Users\Admin\Music\Lock.CloseSelect.lock
-
C:\Users\Admin\Music\Lock.DismountFind.xml
-
C:\Users\Admin\Music\Lock.ExitOpen.mp3
-
C:\Users\Admin\Music\Lock.RedoComplete.rtf
-
C:\Users\Admin\Music\Lock.RemoveFormat.hta
-
C:\Users\Admin\Music\Lock.RenameSplit.xml
-
C:\Users\Admin\Music\Lock.RepairUninstall.fon
-
C:\Users\Admin\Music\Lock.ResolveExit.vsx
-
C:\Users\Admin\Music\Lock.RestoreClear.ex_
-
C:\Users\Admin\Music\Lock.RestoreConfirm.mpe
-
C:\Users\Admin\Music\Lock.ResumeOut.mp4
-
C:\Users\Admin\Music\Lock.SaveSplit.mov
-
C:\Users\Admin\Music\Lock.SkipApprove.3g2
-
C:\Users\Admin\Music\Lock.SwitchWrite.emz
-
C:\Users\Admin\Music\Lock.TestMove.mpeg2
-
C:\Users\Admin\Music\Lock.UnlockShow.xht
-
C:\Users\Admin\Music\Lock.UnregisterResume.jfif
-
C:\Users\Admin\Music\Lock.WaitRepair.css
-
C:\Users\Admin\Music\Lock.desktop.ini
-
C:\Users\Admin\Pictures\Lock.AssertRegister.pcx
-
C:\Users\Admin\Pictures\Lock.ConnectDebug.jpeg
-
C:\Users\Admin\Pictures\Lock.DisableExpand.tiff
-
C:\Users\Admin\Pictures\Lock.EditRepair.png
-
C:\Users\Admin\Pictures\Lock.EditSelect.dib
-
C:\Users\Admin\Pictures\Lock.EnableUnpublish.jpg
-
C:\Users\Admin\Pictures\Lock.EnterResume.jpg
-
C:\Users\Admin\Pictures\Lock.EnterStop.raw
-
C:\Users\Admin\Pictures\Lock.ExitRestore.svgz
-
C:\Users\Admin\Pictures\Lock.ExpandSplit.jpg
-
C:\Users\Admin\Pictures\Lock.FormatRedo.ico
-
C:\Users\Admin\Pictures\Lock.GrantOptimize.dwg
-
C:\Users\Admin\Pictures\Lock.GrantRestart.dxf
-
C:\Users\Admin\Pictures\Lock.GroupDismount.jpeg
-
C:\Users\Admin\Pictures\Lock.GroupInstall.jpeg
-
C:\Users\Admin\Pictures\Lock.HidePing.tiff
-
C:\Users\Admin\Pictures\Lock.LimitInvoke.tif
-
C:\Users\Admin\Pictures\Lock.LockGrant.emf
-
C:\Users\Admin\Pictures\Lock.PopAdd.emz
-
C:\Users\Admin\Pictures\Lock.ProtectEnter.svg
-
C:\Users\Admin\Pictures\Lock.ReceiveRevoke.dxf
-
C:\Users\Admin\Pictures\Lock.RemoveFind.ico
-
C:\Users\Admin\Pictures\Lock.RenameHide.eps
-
C:\Users\Admin\Pictures\Lock.RepairRead.emz
-
C:\Users\Admin\Pictures\Lock.ResetExport.bmp
-
C:\Users\Admin\Pictures\Lock.ResetRepair.raw
-
C:\Users\Admin\Pictures\Lock.ShowMount.ico
-
C:\Users\Admin\Pictures\Lock.ShowUnprotect.dxf
-
C:\Users\Admin\Pictures\Lock.SplitWait.dib
-
C:\Users\Admin\Pictures\Lock.StartClose.dxf
-
C:\Users\Admin\Pictures\Lock.StepPublish.jpg
-
C:\Users\Admin\Pictures\Lock.StopGroup.tiff
-
C:\Users\Admin\Pictures\Lock.SubmitSkip.emf
-
C:\Users\Admin\Pictures\Lock.SwitchHide.eps
-
C:\Users\Admin\Pictures\Lock.UseDisconnect.wmf
-
C:\Users\Admin\Pictures\Lock.Wallpaper.jpg
-
C:\Users\Admin\Pictures\Lock.WatchEnter.raw
-
C:\Users\Admin\Pictures\Lock.desktop.ini
-
C:\Users\Admin\Videos\Lock.desktop.ini
-
C:\Users\Public\Documents\Lock.desktop.ini
-
C:\Users\Public\Pictures\Lock.desktop.ini
-
C:\Users\Public\Videos\Lock.desktop.ini
-
\Users\Admin\AppData\Roaming\Microsoft\Windows\WindowsSystemTools.exe
-
memory/732-18-0x0000000000000000-mapping.dmp
-
memory/732-17-0x0000000000000000-mapping.dmp
-
memory/844-30-0x0000000000000000-mapping.dmp
-
memory/844-31-0x0000000000000000-mapping.dmp
-
memory/1040-23-0x0000000000000000-mapping.dmp
-
memory/1056-0-0x0000000000000000-mapping.dmp
-
memory/1356-3-0x0000000000000000-mapping.dmp
-
memory/1492-150-0x0000000004C30000-0x0000000004C34000-memory.dmpFilesize
16KB
-
memory/1596-148-0x000007FEF83B0000-0x000007FEF862A000-memory.dmpFilesize
2.5MB
-
memory/1704-2-0x0000000000000000-mapping.dmp
-
memory/1756-5-0x0000000000000000-mapping.dmp
-
memory/1784-4-0x0000000000000000-mapping.dmp
-
memory/1800-14-0x0000000000000000-mapping.dmp
-
memory/1800-15-0x0000000000000000-mapping.dmp
-
memory/1812-22-0x0000000074670000-0x0000000074D5E000-memory.dmpFilesize
6.9MB
-
memory/1812-11-0x0000000000000000-mapping.dmp
-
memory/1812-12-0x0000000000000000-mapping.dmp
-
memory/1812-26-0x0000000001190000-0x0000000001191000-memory.dmpFilesize
4KB
-
memory/1820-6-0x0000000000000000-mapping.dmp
