Analysis

max time kernel: 41s
max time network: 144s
platform: windows7_x64
resource: win7v20201028
submitted: 02-11-2020 09:02
Static task: static1

Behavioral task: behavioral1
  Sample: linkcry.exe
  Resource: win7v20201028 (windows7_x64)
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: linkcry.exe
  Resource: win10v20201028 (windows10_x64)
  0 signatures, 0 seconds
General

Target: linkcry.exe
Size: 64KB
MD5: 3e7f16258f8bc23716ffcdf50c661364
SHA1: d8d006c70493810a449332c101653fe35e2f631c
SHA256: 6470996233863f34bf05faf3f268bac2e8a137cc513ee754442a6d44392c8fa0
SHA512: ca4f06e37a9fb1b9ffeccaaff3f7e00788a0ffea63482671d7a2438d3ee79bba17fe7b82059cb7a953fc01a44d4cef9acfe6a6909b69deb9620482cc64146358
Score: 5/10
Malware Config
Signatures

Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
  Processes (pid / process):
    336   linkcry.exe
    1768  linkcry.exe
    1768  linkcry.exe

Suspicious use of SetThreadContext (1 IoC)
  Processes (description / pid / process / target process):
    PID 336 set thread context of 1768   336  linkcry.exe  linkcry.exe

Program crash (1 IoC)
  Processes (pid / pid_target / process / target process):
    1728  1768  WerFault.exe  linkcry.exe

Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes (pid / process):
    1728  WerFault.exe
    1728  WerFault.exe
    1728  WerFault.exe
    1728  WerFault.exe
    1728  WerFault.exe

Suspicious behavior: MapViewOfSection (1 IoC)
  Processes (pid / process):
    336   linkcry.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
    Token: SeDebugPrivilege   1728  WerFault.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (pid / process):
    336   linkcry.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description / pid / process / target process):
    PID 336 wrote to memory of 1768    336   linkcry.exe  linkcry.exe
    PID 336 wrote to memory of 1768    336   linkcry.exe  linkcry.exe
    PID 336 wrote to memory of 1768    336   linkcry.exe  linkcry.exe
    PID 336 wrote to memory of 1768    336   linkcry.exe  linkcry.exe
    PID 336 wrote to memory of 1768    336   linkcry.exe  linkcry.exe
    PID 1768 wrote to memory of 1728   1768  linkcry.exe  WerFault.exe
    PID 1768 wrote to memory of 1728   1768  linkcry.exe  WerFault.exe
    PID 1768 wrote to memory of 1728   1768  linkcry.exe  WerFault.exe
    PID 1768 wrote to memory of 1728   1768  linkcry.exe  WerFault.exe
Processes

C:\Users\Admin\AppData\Local\Temp\linkcry.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\linkcry.exe"
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\linkcry.exe (child of the process above)
    Command line: "C:\Users\Admin\AppData\Local\Temp\linkcry.exe"
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WerFault.exe (child of the process above)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 1336
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads

File                                                              Filesize
memory/844-3-0x000007FEF7D30000-0x000007FEF7FAA000-memory.dmp     2.5MB
memory/1728-19-0x0000000002840000-0x0000000002851000-memory.dmp   68KB
memory/1728-4-0x0000000000000000-mapping.dmp
memory/1728-5-0x0000000002070000-0x0000000002081000-memory.dmp    68KB
memory/1768-10-0x00000000004011E8-mapping.dmp
memory/1768-13-0x00000000004011E8-mapping.dmp
memory/1768-8-0x00000000004011E8-mapping.dmp
memory/1768-9-0x00000000004011E8-mapping.dmp
memory/1768-2-0x00000000004011E8-mapping.dmp
memory/1768-11-0x00000000004011E8-mapping.dmp
memory/1768-12-0x00000000004011E8-mapping.dmp
memory/1768-7-0x00000000004011E8-mapping.dmp
memory/1768-14-0x00000000004011E8-mapping.dmp
memory/1768-15-0x00000000004011E8-mapping.dmp
memory/1768-16-0x00000000004011E8-mapping.dmp
memory/1768-17-0x00000000004011E8-mapping.dmp
memory/1768-18-0x00000000004011E8-mapping.dmp
memory/1768-6-0x00000000004011E8-mapping.dmp