Resubmissions

20-09-2020 09:53

200920-9rh6v6y6ga 10

20-09-2020 09:09

200920-94a3wvdaln 10

20-09-2020 07:26

200920-gyqrj2hcqj 10

20-09-2020 07:11

200920-xak2q5j4ha 10

Analysis

  • max time kernel
    41s
  • max time network
    151s
  • platform
    windows10_x64
  • resource
    win10v200722
  • submitted
    20-09-2020 07:26

General

  • Target

    ioxyfx.dat.exe

  • Size

    7.1MB

  • MD5

    d5f9fa1a8dca5319432f51a5891f7794

  • SHA1

    2a937328f5b99eccb9b8c13ed71d6ffb9dff4521

  • SHA256

    18f4123ee42f5a29f8df7bd1cf95ab73441f082584f390aa218c2dd1134f4055

  • SHA512

    87013b63a9b153c5268784928394dfbf1eeff1b91eea6bdf187025e63d25c535e468e59a33f47d23682a386605bb314311e50a7edd1d6deb1b60f5008237a7d0

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 6 IoCs
  • Modifies service 2 TTPs 5 IoCs
  • Drops file in Program Files directory 11856 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Kills process with taskkill 7 IoCs
  • Modifies data under HKEY_USERS 42 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ioxyfx.dat.exe
    "C:\Users\Admin\AppData\Local\Temp\ioxyfx.dat.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3908
    • C:\ProgramData\ioxyfx.dat.exe
      C:\ProgramData\ioxyfx.dat.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2304
      • C:\Windows\SysWOW64\taskkill.exe
        "C:\Windows\System32\taskkill.exe" /F /IM MSExchange*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2640
      • C:\Windows\SysWOW64\taskkill.exe
        "C:\Windows\System32\taskkill.exe" /F /IM Microsoft*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2744
      • C:\Windows\SysWOW64\taskkill.exe
        "C:\Windows\System32\taskkill.exe" /F /IM ora*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2764
      • C:\Windows\SysWOW64\taskkill.exe
        "C:\Windows\System32\taskkill.exe" /F /IM tns*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3696
      • C:\Windows\SysWOW64\taskkill.exe
        "C:\Windows\System32\taskkill.exe" /F /IM mysql*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3452
      • C:\Windows\SysWOW64\taskkill.exe
        "C:\Windows\System32\taskkill.exe" /F /IM sql*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:280
      • C:\Windows\SysWOW64\taskkill.exe
        "C:\Windows\System32\taskkill.exe" /F /IM postgres*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3036
  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
    "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
    1⤵
    • Drops file in System32 directory
    • Checks processor information in registry
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:996
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Modifies service
    • Suspicious use of AdjustPrivilegeToken
    PID:1872

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads