5a0d4e16c600a48069617e979532ae81267629be4ad2417db0b88988c832bdd4 | Triage

Analysis

max time kernel
75s
max time network
111s
platform
windows10_x64
resource
win10v200722
submitted
01-09-2020 12:01

Sharing

Report Analysis Logs

General

Target

C620F33063425F3.exe
Size

160KB
MD5

b50c7fa89523b0df32198f1d06a5a1a8
SHA1

81dabe2b7ec266c6a120967724afd880a0a6d97e
SHA256

5a0d4e16c600a48069617e979532ae81267629be4ad2417db0b88988c832bdd4
SHA512

c2364453a23a191d41d2c3db222184e7f56e56735a325f311b1afd24bc833239f0fc0886110d89eaa96abca9a4610e01495227e151fa8b5ec21e031d44ade166

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\Windows\ServiceProfiles\LocalService\winhttp\cachev3.dat svchost.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionReason = "1"	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionTime = 7f9469e36880d601	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecision = "0"	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

svchost.exe

description pid process

Token: SeShutdownPrivilege 564 svchost.exe
Token: SeCreatePagefilePrivilege 564 svchost.exe

C:\Users\Admin\AppData\Local\Temp\C620F33063425F3.exe
"C:\Users\Admin\AppData\Local\Temp\C620F33063425F3.exe"
1⤵
PID:1468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:564

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...