Analysis
- max time kernel: 154s
- max time network: 144s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 08-11-2020 14:31
Static task: static1
Behavioral task: behavioral1
  Sample: 8270e148478ac6886769640495e3e8dd0a5612b40f4da6cd1e662998d91cddf0.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 8270e148478ac6886769640495e3e8dd0a5612b40f4da6cd1e662998d91cddf0.exe
  Resource: win10v20201028
General
- Target: 8270e148478ac6886769640495e3e8dd0a5612b40f4da6cd1e662998d91cddf0.exe
- Size: 1.7MB
- MD5: 3adb0bd3fc62ac103e0d89c42088d4a7
- SHA1: 7b792238778c5174efa375286dc1b30b7e8e05be
- SHA256: 8270e148478ac6886769640495e3e8dd0a5612b40f4da6cd1e662998d91cddf0
- SHA512: 7d695d23b0b840deffc0a0a406b8eae9f5ff9cfddbfc4300ded622495a92010c865b62080fcb9c7579c6d00bac0f5fe2b0063160ab256c83abf7f230f279d9b6
Malware Config
Signatures
-
Processes:
resource                                                                    yara_rule
behavioral1/memory/1292-0-0x0000000000400000-0x00000000004B8000-memory.dmp  upx
behavioral1/memory/1292-2-0x0000000000400000-0x00000000004B8000-memory.dmp  upx
behavioral1/memory/1292-3-0x0000000000400000-0x00000000004B8000-memory.dmp  upx
- Drops startup file (2 IoCs)
Processes: 8270e148478ac6886769640495e3e8dd0a5612b40f4da6cd1e662998d91cddf0.exe
description                   ioc                                                                                        process
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ABsound.exe  8270e148478ac6886769640495e3e8dd0a5612b40f4da6cd1e662998d91cddf0.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ABsound.exe  8270e148478ac6886769640495e3e8dd0a5612b40f4da6cd1e662998d91cddf0.exe
- Uses the VBS compiler for execution (1 TTPs)
- Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: 8270e148478ac6886769640495e3e8dd0a5612b40f4da6cd1e662998d91cddf0.exe
description      ioc                                                                                                                                                                                                              process
Key created      \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run                                                                                                        8270e148478ac6886769640495e3e8dd0a5612b40f4da6cd1e662998d91cddf0.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\8270e148478ac6886769640495e3e8dd0a5612b40f4da6cd1e662998d91cddf0.exe = "C:\\Users\\Admin\\AppData\\Roaming\\ASound.exe"  8270e148478ac6886769640495e3e8dd0a5612b40f4da6cd1e662998d91cddf0.exe
- Suspicious use of SetThreadContext (1 IoCs)
Processes: 8270e148478ac6886769640495e3e8dd0a5612b40f4da6cd1e662998d91cddf0.exe
description                         pid  process                                                               target process
PID 308 set thread context of 1292  308  8270e148478ac6886769640495e3e8dd0a5612b40f4da6cd1e662998d91cddf0.exe  vbc.exe
- Suspicious use of AdjustPrivilegeToken (23 IoCs)
Processes: vbc.exe
description                              pid   process
Token: SeIncreaseQuotaPrivilege          1292  vbc.exe
Token: SeSecurityPrivilege               1292  vbc.exe
Token: SeTakeOwnershipPrivilege          1292  vbc.exe
Token: SeLoadDriverPrivilege             1292  vbc.exe
Token: SeSystemProfilePrivilege          1292  vbc.exe
Token: SeSystemtimePrivilege             1292  vbc.exe
Token: SeProfSingleProcessPrivilege      1292  vbc.exe
Token: SeIncBasePriorityPrivilege        1292  vbc.exe
Token: SeCreatePagefilePrivilege         1292  vbc.exe
Token: SeBackupPrivilege                 1292  vbc.exe
Token: SeRestorePrivilege                1292  vbc.exe
Token: SeShutdownPrivilege               1292  vbc.exe
Token: SeDebugPrivilege                  1292  vbc.exe
Token: SeSystemEnvironmentPrivilege      1292  vbc.exe
Token: SeChangeNotifyPrivilege           1292  vbc.exe
Token: SeRemoteShutdownPrivilege         1292  vbc.exe
Token: SeUndockPrivilege                 1292  vbc.exe
Token: SeManageVolumePrivilege           1292  vbc.exe
Token: SeImpersonatePrivilege            1292  vbc.exe
Token: SeCreateGlobalPrivilege           1292  vbc.exe
Token: 33                                1292  vbc.exe
Token: 34                                1292  vbc.exe
Token: 35                                1292  vbc.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
Processes: vbc.exe
pid   process
1292  vbc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
Processes: 8270e148478ac6886769640495e3e8dd0a5612b40f4da6cd1e662998d91cddf0.exe
description                       pid  process                                                               target process
PID 308 wrote to memory of 1292   308  8270e148478ac6886769640495e3e8dd0a5612b40f4da6cd1e662998d91cddf0.exe  vbc.exe
PID 308 wrote to memory of 1292   308  8270e148478ac6886769640495e3e8dd0a5612b40f4da6cd1e662998d91cddf0.exe  vbc.exe
PID 308 wrote to memory of 1292   308  8270e148478ac6886769640495e3e8dd0a5612b40f4da6cd1e662998d91cddf0.exe  vbc.exe
PID 308 wrote to memory of 1292   308  8270e148478ac6886769640495e3e8dd0a5612b40f4da6cd1e662998d91cddf0.exe  vbc.exe
PID 308 wrote to memory of 1292   308  8270e148478ac6886769640495e3e8dd0a5612b40f4da6cd1e662998d91cddf0.exe  vbc.exe
PID 308 wrote to memory of 1292   308  8270e148478ac6886769640495e3e8dd0a5612b40f4da6cd1e662998d91cddf0.exe  vbc.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\8270e148478ac6886769640495e3e8dd0a5612b40f4da6cd1e662998d91cddf0.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\8270e148478ac6886769640495e3e8dd0a5612b40f4da6cd1e662998d91cddf0.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1292-0-0x0000000000400000-0x00000000004B8000-memory.dmp (Filesize: 736KB)
- memory/1292-1-0x0000000000400000-mapping.dmp
- memory/1292-2-0x0000000000400000-0x00000000004B8000-memory.dmp (Filesize: 736KB)
- memory/1292-3-0x0000000000400000-0x00000000004B8000-memory.dmp (Filesize: 736KB)