Analysis
-
max time kernel
7s -
max time network
8s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
08-11-2020 14:32
Static task
static1
Behavioral task
behavioral1
Sample
b32acc0d68b0c74f732509d25c0f03f7e9278a65fb91d83cb7f6b7aa7baeedc3.exe
Resource
win7v20201028
General
-
Target
b32acc0d68b0c74f732509d25c0f03f7e9278a65fb91d83cb7f6b7aa7baeedc3.exe
-
Size
585KB
-
MD5
2f84065b4d10029d655fe5240b918a82
-
SHA1
160d060a7dca7dff8e4ededa01b1981faf84fcfb
-
SHA256
b32acc0d68b0c74f732509d25c0f03f7e9278a65fb91d83cb7f6b7aa7baeedc3
-
SHA512
ef00a3926dd3a60b33fa6ea4eeadebc55be77100ce0425250de471b7293cb46a4336f94952399bada7f82e084d9ecb7c27b0c6272fd1bfe07e4b4fda62f87995
Malware Config
Signatures
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 4 api.ipify.org 5 api.ipify.org -
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exepid process 1084 timeout.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
b32acc0d68b0c74f732509d25c0f03f7e9278a65fb91d83cb7f6b7aa7baeedc3.exedescription pid process Token: SeDebugPrivilege 1824 b32acc0d68b0c74f732509d25c0f03f7e9278a65fb91d83cb7f6b7aa7baeedc3.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
b32acc0d68b0c74f732509d25c0f03f7e9278a65fb91d83cb7f6b7aa7baeedc3.execmd.exedescription pid process target process PID 1824 wrote to memory of 1060 1824 b32acc0d68b0c74f732509d25c0f03f7e9278a65fb91d83cb7f6b7aa7baeedc3.exe cmd.exe PID 1824 wrote to memory of 1060 1824 b32acc0d68b0c74f732509d25c0f03f7e9278a65fb91d83cb7f6b7aa7baeedc3.exe cmd.exe PID 1824 wrote to memory of 1060 1824 b32acc0d68b0c74f732509d25c0f03f7e9278a65fb91d83cb7f6b7aa7baeedc3.exe cmd.exe PID 1060 wrote to memory of 1084 1060 cmd.exe timeout.exe PID 1060 wrote to memory of 1084 1060 cmd.exe timeout.exe PID 1060 wrote to memory of 1084 1060 cmd.exe timeout.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\b32acc0d68b0c74f732509d25c0f03f7e9278a65fb91d83cb7f6b7aa7baeedc3.exe"C:\Users\Admin\AppData\Local\Temp\b32acc0d68b0c74f732509d25c0f03f7e9278a65fb91d83cb7f6b7aa7baeedc3.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp1CB1.tmp.cmd""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp1CB1.tmp.cmdMD5
32fee22b5f8cc6da1ec2876df130510a
SHA1e274a6dac160daf0e310306f68ac3b7afe1d6461
SHA256eb642e3a321e03c69ad3140ca0bb8b1ec3f0860df98a874e96b0137caa0666c6
SHA5122ef3da8bfafa24de5f00d03bccfe53edab7871c3ebbe817ce8810c667bd90053775abc809433e4ce136554cb4a3a061658d8c2561769ba3bf360bca54619dc97
-
memory/1060-3-0x0000000000000000-mapping.dmp
-
memory/1084-5-0x0000000000000000-mapping.dmp
-
memory/1824-0-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmpFilesize
9.9MB
-
memory/1824-1-0x00000000010F0000-0x00000000010F1000-memory.dmpFilesize
4KB