Analysis

  • max time kernel
    150s
  • max time network
    112s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    01/11/2020, 05:52

General

  • Target

    ee51d6f18eed049428097cce7f44fb1a6dca363adca30680de17918232b0b0af.bin.sample.exe

  • Size

    141KB

  • MD5

    0385420851811ec54932ff743742821d

  • SHA1

    85b921db2110988862c69fa3f236fc4ff3663172

  • SHA256

    ee51d6f18eed049428097cce7f44fb1a6dca363adca30680de17918232b0b0af

  • SHA512

    3c5cfd147d2f65f8bd7f10e37a21c4ef6e8c549b438910fd68e2eb4070b443b2172c27200a35590a6f1874c5b5c740bf7070d231a3c2f118ea84f762a6a533c3

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Disables Task Manager via registry modification
  • Drops desktop.ini file(s) 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 471 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 226 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ee51d6f18eed049428097cce7f44fb1a6dca363adca30680de17918232b0b0af.bin.sample.exe
    "C:\Users\Admin\AppData\Local\Temp\ee51d6f18eed049428097cce7f44fb1a6dca363adca30680de17918232b0b0af.bin.sample.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:3008

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3008-0-0x00007FF81EA60000-0x00007FF81F44C000-memory.dmp

    Filesize

    9.9MB

  • memory/3008-1-0x00000000001E0000-0x00000000001E1000-memory.dmp

    Filesize

    4KB