Analysis

max time kernel: 132s
max time network: 138s
platform: windows7_x64
resource: win7
submitted: 06-09-2020 17:05

Static task: static1

Behavioral task: behavioral1
Sample: a70fc544fd76d068158a8d86bad3130ed112134462786c85a05f5375740eddad.exe
Resource: win7 (windows7_x64)
0 signatures, 0 seconds

Behavioral task: behavioral2
Sample: a70fc544fd76d068158a8d86bad3130ed112134462786c85a05f5375740eddad.exe
Resource: win10v200722 (windows10_x64)
0 signatures, 0 seconds
General

Target: a70fc544fd76d068158a8d86bad3130ed112134462786c85a05f5375740eddad.exe
Size: 148KB
MD5: 82e3060e99dbacdcc8f57a45ba3a6d9e
SHA1: 43752d70a00c6d33a4052f946cd5ac48e2909697
SHA256: a70fc544fd76d068158a8d86bad3130ed112134462786c85a05f5375740eddad
SHA512: 03217487dd8efc45111ad8cf9fe0ff2fc09e9a512ba8e71536675639b5e61a67b077da8f75a068aaa2c63e0961dfb87535bff8e7430c234cf4cd596f01950e90
Score: 10/10
Malware Config

Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Process: a70fc544fd76d068158a8d86bad3130ed112134462786c85a05f5375740eddad.exe
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "userinit.exe,C:\\Windows\\system32\\nologon32.exe,"

Drops file in System32 directory (2 IoCs)
Process: a70fc544fd76d068158a8d86bad3130ed112134462786c85a05f5375740eddad.exe
File opened for modification: C:\Windows\SysWOW64\nologon32.exe
File created: C:\Windows\SysWOW64\nologon32.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Process: a70fc544fd76d068158a8d86bad3130ed112134462786c85a05f5375740eddad.exe (pid 1316), observed twice

Suspicious use of AdjustPrivilegeToken (1 IoC)
Process: a70fc544fd76d068158a8d86bad3130ed112134462786c85a05f5375740eddad.exe (pid 1316)
Token: SeDebugPrivilege

Note on the persistence IoCs: the sample is a 32-bit process running on a 64-bit guest, so both writes were redirected by WOW64. The registry value landed under Wow6432Node and the dropped file under C:\Windows\SysWOW64, while the Userinit string itself names C:\Windows\system32\nologon32.exe. The Userinit technique works by appending an extra executable to the comma-separated list that Winlogon launches at logon, after the stock userinit.exe. When checking a live host for this sample, inspect both the native and the Wow6432Node view of the Winlogon key, and look for nologon32.exe in both System32 and SysWOW64.
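The following script is an added example, not part of the sandbox report, showing the check a responder would run for the Userinit IoC above: it splits a Winlogon Userinit value into its entries and flags anything that is not the stock userinit.exe. The assumed clean value is C:\Windows\system32\userinit.exe, (with its trailing comma); the built-in sample input is constructed from the value this report shows and is not read from a host. On Windows it reads both the native and the Wow6432Node view of the key via the standard winreg module, which is why both views appear in the output; elsewhere it falls back to the constructed sample.

```python
"""Audit Winlogon Userinit values for entries other than the stock userinit.exe."""
import sys

# Assumed stock value on a clean Windows install (the trailing comma is normal).
DEFAULT_USERINIT = r"C:\Windows\system32\userinit.exe,"

# Constructed sample input: the value the sandbox saw this sample write to the
# Wow6432Node view, next to an untouched native view. Not taken from a live host.
WOW_KEY = r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit"
NATIVE_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit"
SAMPLE_VALUES = {
    WOW_KEY: r"userinit.exe,C:\Windows\system32\nologon32.exe,",
    NATIVE_KEY: DEFAULT_USERINIT,
}


def parse_userinit(value):
    """Split a Userinit value into its comma-separated executable entries."""
    return [e.strip() for e in value.split(",") if e.strip()]


def is_stock_userinit(entry):
    """True only for userinit.exe written bare or under the system32 directory.

    A userinit.exe living anywhere else is treated as suspicious, since the
    filename alone proves nothing.
    """
    e = entry.strip().strip('"').lower()
    if e == "userinit.exe":
        return True
    directory, _, name = e.rpartition("\\")
    return name == "userinit.exe" and directory in (
        r"c:\windows\system32",
        r"%systemroot%\system32",
    )


def suspicious_entries(value):
    """Return every Userinit entry that is not the stock userinit.exe."""
    return [e for e in parse_userinit(value) if not is_stock_userinit(e)]


def audit(values):
    """Map each registry path to its non-default entries (empty list means clean)."""
    return {path: suspicious_entries(v) for path, v in values.items()}


def read_live_values():
    """On Windows, read Userinit from both the 64-bit and the 32-bit (Wow6432Node) view.

    Returns an empty dict on other platforms. Reading HKLM needs no elevation.
    """
    if sys.platform != "win32":
        return {}
    import winreg
    out = {}
    subkey = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    views = (("native", winreg.KEY_WOW64_64KEY), ("Wow6432Node", winreg.KEY_WOW64_32KEY))
    for label, flag in views:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey, 0, winreg.KEY_READ | flag) as k:
                value, _ = winreg.QueryValueEx(k, "Userinit")
                out[f"HKLM ({label} view)\\{subkey}\\Userinit"] = value
        except OSError:
            # View or value missing on this host; skip rather than fail the audit.
            pass
    return out


if __name__ == "__main__":
    values = read_live_values() or SAMPLE_VALUES
    for path, bad in audit(values).items():
        print(("SUSPICIOUS " if bad else "clean      ") + path, bad)
```

Run as-is on a non-Windows box it reports the constructed Wow6432Node value as suspicious and the native one as clean; on a Windows host it reports whatever both views actually contain, which is the comparison the note above asks for.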
Processes

C:\Users\Admin\AppData\Local\Temp\a70fc544fd76d068158a8d86bad3130ed112134462786c85a05f5375740eddad.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\a70fc544fd76d068158a8d86bad3130ed112134462786c85a05f5375740eddad.exe"
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken