Analysis
- max time kernel: 55s
- max time network: 112s
- platform: windows10_x64
- resource: win10v200722
- submitted: 13-10-2020 21:45

Static task: static1
Behavioral task: behavioral2
Sample: File2.exe
Resource: win10v200722
General
- Target: File2.exe
- Size: 210KB
- MD5: 12368655038e920cb2ada7d34fac40dd
- SHA1: fca002da98c91b019a3fab4639a4b6e4d0de43d7
- SHA256: 9f654fe304bd80d1114c515362319c59bc569a54cb445aacdf47672d56815da1
- SHA512: caa8e284640c31ad4c7b86945a71ad46aa2eb8bb7e47358b67b5fa575cac2894ad5d8d41e26a7782d7e080d8126c2c377e7bcc8e3ff2f5785c9c60119c519d0e

Score: 10/10
Malware Config
Signatures
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  Processes: File2.exe
    description              pid   process    target process
    PID 3816 created 3016    3816  File2.exe  Explorer.EXE

- Suspicious use of SetThreadContext (1 IoC)
  Processes: File2.exe
    description                            pid   process    target process
    PID 3816 set thread context of 3888    3816  File2.exe  msiexec.exe

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: File2.exe
    pid   process
    3816  File2.exe
    3816  File2.exe

- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: File2.exe, msiexec.exe
    description                 pid   process
    Token: SeDebugPrivilege     3816  File2.exe
    Token: SeSecurityPrivilege  3888  msiexec.exe
    Token: SeSecurityPrivilege  3888  msiexec.exe

- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes: File2.exe
    description                          pid   process    target process
    PID 3816 wrote to memory of 3888     3816  File2.exe  msiexec.exe
    PID 3816 wrote to memory of 3888     3816  File2.exe  msiexec.exe
    PID 3816 wrote to memory of 3888     3816  File2.exe  msiexec.exe
    PID 3816 wrote to memory of 3888     3816  File2.exe  msiexec.exe
    PID 3816 wrote to memory of 3888     3816  File2.exe  msiexec.exe
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE

- C:\Users\Admin\AppData\Local\Temp\File2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\File2.exe"
  Signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

- C:\Windows\SysWOW64\msiexec.exe
  Command line: msiexec.exe
  Signatures: Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/3816-0-0x0000000000BF6000-0x0000000000BF7000-memory.dmp (Filesize: 4KB)
- memory/3816-1-0x00000000026C0000-0x00000000026C1000-memory.dmp (Filesize: 4KB)
- memory/3888-2-0x0000000002F30000-0x0000000002F5D000-memory.dmp (Filesize: 180KB)
- memory/3888-3-0x0000000000000000-mapping.dmp