Analysis
- max time kernel: 3s
- max time network: 11s
- platform: windows7_x64
- resource: win7
- submitted: 25-10-2020 02:31
Static task: static1

Behavioral task: behavioral1
- Sample: eea6030d71228d173ca040b33625151834941d2605513bc097b2f553ad09e574.exe
- Resource: win7 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: eea6030d71228d173ca040b33625151834941d2605513bc097b2f553ad09e574.exe
- Resource: win10 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: eea6030d71228d173ca040b33625151834941d2605513bc097b2f553ad09e574.exe
- Size: 63KB
- MD5: cb2787afad184a3aa6e43a305fd0b98b
- SHA1: d3acf4090423b15554c0f96585145ef718d084cc
- SHA256: eea6030d71228d173ca040b33625151834941d2605513bc097b2f553ad09e574
- SHA512: 26a1357dc85a2f0a66e42ad3eb07c2c277c76ca4bfe7e69c2a802fe4d4fd3b8d4cfa96f36f710612f27a8abe05c8a88936250ed28c7f9f05722f4b9a98016134
- Score: 10/10
Malware Config
Signatures
-
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Process: eea6030d71228d173ca040b33625151834941d2605513bc097b2f553ad09e574.exe
  - description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "userinit.exe,C:\\Windows\\localsys64.exe,"
    process: eea6030d71228d173ca040b33625151834941d2605513bc097b2f553ad09e574.exe
- Drops file in Windows directory (2 IoCs)
  Process: eea6030d71228d173ca040b33625151834941d2605513bc097b2f553ad09e574.exe
  - description: File opened for modification
    ioc: C:\Windows\localsys64.exe
    process: eea6030d71228d173ca040b33625151834941d2605513bc097b2f553ad09e574.exe
  - description: File created
    ioc: C:\Windows\localsys64.exe
    process: eea6030d71228d173ca040b33625151834941d2605513bc097b2f553ad09e574.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Process: eea6030d71228d173ca040b33625151834941d2605513bc097b2f553ad09e574.exe
  - pid: 1592, process: eea6030d71228d173ca040b33625151834941d2605513bc097b2f553ad09e574.exe
  - pid: 1592, process: eea6030d71228d173ca040b33625151834941d2605513bc097b2f553ad09e574.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: eea6030d71228d173ca040b33625151834941d2605513bc097b2f553ad09e574.exe
  - description: Token: SeDebugPrivilege
    pid: 1592
    process: eea6030d71228d173ca040b33625151834941d2605513bc097b2f553ad09e574.exe
Processes
- Path: C:\Users\Admin\AppData\Local\Temp\eea6030d71228d173ca040b33625151834941d2605513bc097b2f553ad09e574.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\eea6030d71228d173ca040b33625151834941d2605513bc097b2f553ad09e574.exe"
  - Modifies WinLogon for persistence
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken