Analysis Overview
SHA256
a6cf85f38f11e82be3fbabc2f7ee0d07f608f30ceb92654ec2168c4fcfad56e0
Threat Level: Known bad
The file a6cf85f38f11e82be3fbabc2f7ee0d07f608f30ceb92654ec2168c4fcfad56e0 was found to be: Known bad.
Malicious Activity Summary
Buer
Buer Loader
Enumerates connected drives
Suspicious use of SetThreadContext
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2020-09-16 16:43
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2020-09-16 16:43
Reported
2020-09-16 16:45
Platform
win7
Max time kernel
34s
Max time network
41s
Command Line
Signatures
Buer
Buer Loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1164 set thread context of 1764 | N/A | C:\Users\Admin\AppData\Local\Temp\a6cf85f38f11e82be3fbabc2f7ee0d07f608f30ceb92654ec2168c4fcfad56e0.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a6cf85f38f11e82be3fbabc2f7ee0d07f608f30ceb92654ec2168c4fcfad56e0.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a6cf85f38f11e82be3fbabc2f7ee0d07f608f30ceb92654ec2168c4fcfad56e0.exe
"C:\Users\Admin\AppData\Local\Temp\a6cf85f38f11e82be3fbabc2f7ee0d07f608f30ceb92654ec2168c4fcfad56e0.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Network
Files
memory/1164-0-0x0000000074200000-0x00000000748EE000-memory.dmp
memory/1164-1-0x0000000000E50000-0x0000000000E51000-memory.dmp
memory/1164-3-0x0000000000950000-0x0000000000961000-memory.dmp
memory/1764-5-0x0000000040000000-0x000000004000C000-memory.dmp
memory/1764-6-0x0000000040002E00-mapping.dmp
memory/1764-7-0x0000000040000000-0x000000004000C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2020-09-16 16:43
Reported
2020-09-16 16:45
Platform
win10v200722
Max time kernel
103s
Max time network
113s
Command Line
Signatures
Buer
Buer Loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates connected drives
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3876 set thread context of 3248 | N/A | C:\Users\Admin\AppData\Local\Temp\a6cf85f38f11e82be3fbabc2f7ee0d07f608f30ceb92654ec2168c4fcfad56e0.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a6cf85f38f11e82be3fbabc2f7ee0d07f608f30ceb92654ec2168c4fcfad56e0.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a6cf85f38f11e82be3fbabc2f7ee0d07f608f30ceb92654ec2168c4fcfad56e0.exe
"C:\Users\Admin\AppData\Local\Temp\a6cf85f38f11e82be3fbabc2f7ee0d07f608f30ceb92654ec2168c4fcfad56e0.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command "& {Add-MpPreference -ExclusionPath C:\ProgramData\563b80623112110d8474}"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | kackdelar.top | udp |
| N/A | 8.8.8.8:53 | kackdelar.top | udp |
| N/A | 8.8.8.8:53 | kackdelar.top | udp |
Files
memory/3876-0-0x0000000073530000-0x0000000073C1E000-memory.dmp
memory/3876-1-0x0000000000040000-0x0000000000041000-memory.dmp
memory/3876-3-0x0000000004920000-0x0000000004921000-memory.dmp
memory/3876-4-0x0000000004AE0000-0x0000000004AF1000-memory.dmp
memory/3248-6-0x0000000040000000-0x000000004000C000-memory.dmp
memory/3248-7-0x0000000040002E00-mapping.dmp
memory/3248-8-0x0000000040000000-0x000000004000C000-memory.dmp
memory/3748-9-0x0000000000000000-mapping.dmp
memory/3748-10-0x00000000733A0000-0x0000000073A8E000-memory.dmp
memory/3748-11-0x0000000006B40000-0x0000000006B41000-memory.dmp
memory/3748-12-0x0000000007210000-0x0000000007211000-memory.dmp
memory/3748-13-0x0000000007890000-0x0000000007891000-memory.dmp
memory/3748-14-0x0000000007930000-0x0000000007931000-memory.dmp
memory/3748-15-0x00000000079A0000-0x00000000079A1000-memory.dmp
memory/3748-16-0x0000000007BF0000-0x0000000007BF1000-memory.dmp
memory/3748-17-0x0000000008000000-0x0000000008001000-memory.dmp
memory/3748-18-0x0000000008510000-0x0000000008511000-memory.dmp
memory/3748-19-0x0000000008310000-0x0000000008311000-memory.dmp
memory/3748-21-0x00000000090B0000-0x00000000090E3000-memory.dmp
memory/3748-28-0x0000000009090000-0x0000000009091000-memory.dmp
memory/3748-29-0x0000000009200000-0x0000000009201000-memory.dmp
memory/3748-30-0x00000000095D0000-0x00000000095D1000-memory.dmp
memory/3748-31-0x0000000009570000-0x0000000009571000-memory.dmp
memory/3748-33-0x0000000009560000-0x0000000009561000-memory.dmp