Static

static

cea813cbef...71.exe

windows7_x64

8

cea813cbef...71.exe

windows10_x64

8

Analysis

  • max time kernel
    136s
  • max time network
    138s
  • platform
    windows7_x64
  • resource
    win7v200722
  • submitted
    12/10/2020, 14:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cea813cbef6581e0c95aacb2e747f5951325444b941e801164154917a17bfe71.exe

  • Size

    206KB

  • MD5

    e883226589b32952d07e057c468ffbb8

  • SHA1

    3e424264572d0d986fa3ae49c98f566ba7d8e2d7

  • SHA256

    cea813cbef6581e0c95aacb2e747f5951325444b941e801164154917a17bfe71

  • SHA512

    9520111d2cab4c760ee6a91148265dc3fbd65f37688ed8a9aeed543fe99a565c4fe47f22abbf067d2d81ddd4cc69106a9fdba823d3a1af80882bce61dd312487

Score
8/10

Malware Config

Signatures

  • Blacklisted process makes network request 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 10 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cea813cbef6581e0c95aacb2e747f5951325444b941e801164154917a17bfe71.exe
    "C:\Users\Admin\AppData\Local\Temp\cea813cbef6581e0c95aacb2e747f5951325444b941e801164154917a17bfe71.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:776
    • C:\ProgramData\a76878f016\skdbn.exe
      "C:\ProgramData\a76878f016\skdbn.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1580
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN skdbn.exe /TR "C:\ProgramData\a76878f016\skdbn.exe" /F
        3⤵
        • Creates scheduled task(s)
        PID:1992
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\System32\rundll32.exe" C:\ProgramData\a76878f016\cred.dll, Main
        3⤵
        • Blacklisted process makes network request
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        PID:324
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\System32\rundll32.exe" C:\ProgramData\a76878f016\scr.dll, Main
        3⤵
        • Blacklisted process makes network request
        • Loads dropped DLL
        PID:612
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {3F675656-26D2-49F6-A13B-D672273DA121} S-1-5-21-403932158-3302036622-1224131197-1000:ELJKIHEZ\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1600
    • C:\ProgramData\a76878f016\skdbn.exe
      C:\ProgramData\a76878f016\skdbn.exe
      2⤵
      • Executes dropped EXE
      PID:468
    • C:\ProgramData\a76878f016\skdbn.exe
      C:\ProgramData\a76878f016\skdbn.exe
      2⤵
      • Executes dropped EXE
      PID:1440
    • C:\ProgramData\a76878f016\skdbn.exe
      C:\ProgramData\a76878f016\skdbn.exe
      2⤵
      • Executes dropped EXE
      PID:1236

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/468-14-0x000000000335B000-0x000000000335C000-memory.dmp

    Filesize

    4KB

    Download

  • memory/468-15-0x0000000004B60000-0x0000000004B71000-memory.dmp

    Filesize

    68KB

    Download

  • memory/776-1-0x0000000004CC0000-0x0000000004CD1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/776-0-0x000000000333B000-0x000000000333C000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1124-10-0x000007FEF68A0000-0x000007FEF6B1A000-memory.dmp

    Filesize

    2.5MB

    Download

  • memory/1236-37-0x0000000004A70000-0x0000000004A81000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1236-36-0x00000000002CB000-0x00000000002CC000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1440-32-0x0000000004A30000-0x0000000004A41000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1440-31-0x00000000033BB000-0x00000000033BC000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1580-6-0x000000000336B000-0x000000000336C000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1580-7-0x0000000004B70000-0x0000000004B81000-memory.dmp

    Filesize

    68KB

    Download