Analysis
- max time kernel: 141s
- max time network: 141s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 08-11-2020 18:03

Static task: static1

Behavioral task: behavioral1
- Sample: d92ff294fd993c16a4bc8581e0a84fe361d714b75b87f812331231a35e7dc124.exe
- Resource: win7v20201028

Behavioral task: behavioral2
- Sample: d92ff294fd993c16a4bc8581e0a84fe361d714b75b87f812331231a35e7dc124.exe
- Resource: win10v20201028
General
- Target: d92ff294fd993c16a4bc8581e0a84fe361d714b75b87f812331231a35e7dc124.exe
- Size: 1.8MB
- MD5: 14e426e40efb41c9ee647ff8eeb8d3f8
- SHA1: be7f2bd1b71af40cfb29320c843ef272701f1b67
- SHA256: d92ff294fd993c16a4bc8581e0a84fe361d714b75b87f812331231a35e7dc124
- SHA512: 9210b53bea9e2ff975aa8ee3ed2eb79234a9fba68dade923950b0b8ed6ed1a2976f6d9e6b5aec39132be823ff980177949311e1ebab9529e7d5d56512b502884
Malware Config
Signatures
-
Executes dropped EXE (2 IoCs)
Processes:
  PID 1916  d92ff294fd993c16a4bc8581e0a84fe361d714b75b87f812331231a35e7dc124.tmp
  PID 1992  7za.exe
-
Loads dropped DLL (4 IoCs)
Processes:
  PID 240   d92ff294fd993c16a4bc8581e0a84fe361d714b75b87f812331231a35e7dc124.exe
  PID 1916  d92ff294fd993c16a4bc8581e0a84fe361d714b75b87f812331231a35e7dc124.tmp (3 loads)
-
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
JavaScript code in executable (1 IoCs)
Resource: \Users\Admin\AppData\Local\Temp\is-S2AHR.tmp\idp.dll
YARA rule: js
Note: idp.dll is the file name used by the Inno Download Plugin, an Inno Setup add-on for fetching files during installation. The "js" rule matched inside this DLL; check the actual match before treating the library as a script payload.
-
Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Here: task VKDJ, trigger ONLOGON, /RL HIGHEST, action "C:\ProgramData\VkontakateDJ\Vkotnakate_DJ.exe /H" (full command line under Processes).
-
Kills process with taskkill (1 IoCs)
Processes:
  PID 1996  taskkill.exe
Here: taskkill /F /im Vkotnakate_DJ.exe, i.e. the installer terminates any running copy of the same image name that its scheduled task later launches.
-
Script User-Agent (2 IoCs)
Uses a user-agent string associated with a script host/environment.
  HTTP User-Agent header, flow 3:   Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header, flow 14:  Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Note: this is the default User-Agent sent by the WinHttp.WinHttpRequest COM object. The only script host in the process tree is cscript.exe running info.js, which makes that script the likely source of both flows.
-
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  PID 1916  d92ff294fd993c16a4bc8581e0a84fe361d714b75b87f812331231a35e7dc124.tmp (2 events)
-
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
  PID 1916  d92ff294fd993c16a4bc8581e0a84fe361d714b75b87f812331231a35e7dc124.tmp
-
Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes:
  Token: SeDebugPrivilege                                      PID 1996  taskkill.exe
  Token: SeRestorePrivilege                                    PID 1992  7za.exe
  Token: 35 (privilege LUID 35, SeCreateSymbolicLinkPrivilege)  PID 1992  7za.exe
  Token: SeSecurityPrivilege                                   PID 1992  7za.exe
  Token: SeSecurityPrivilege                                   PID 1992  7za.exe
Note: taskkill enables SeDebugPrivilege so it can open processes it would otherwise lack access to, and the restore/security/symbolic-link privileges are the ones the 7-Zip extractor requests for restoring file attributes and links. These entries reflect the tools the installer runs, not a privilege escalation by the installer itself.
-
Suspicious use of FindShellTrayWindow (1 IoCs)
Processes:
  PID 1916  d92ff294fd993c16a4bc8581e0a84fe361d714b75b87f812331231a35e7dc124.tmp
-
Suspicious use of WriteProcessMemory (23 IoCs)
Processes (source PID -> target PID, repeated writes counted):
  240   d92ff294fd993c16a4bc8581e0a84fe361d714b75b87f812331231a35e7dc124.exe  -> 1916  d92ff294fd993c16a4bc8581e0a84fe361d714b75b87f812331231a35e7dc124.tmp  x7
  1916  d92ff294fd993c16a4bc8581e0a84fe361d714b75b87f812331231a35e7dc124.tmp  -> 1996  taskkill.exe  x4
  1916  d92ff294fd993c16a4bc8581e0a84fe361d714b75b87f812331231a35e7dc124.tmp  -> 560   cscript.exe   x4
  1916  d92ff294fd993c16a4bc8581e0a84fe361d714b75b87f812331231a35e7dc124.tmp  -> 1528  schtasks.exe  x4
  1916  d92ff294fd993c16a4bc8581e0a84fe361d714b75b87f812331231a35e7dc124.tmp  -> 1992  7za.exe       x4
Note: every write pairs a parent with a child it has just created. CreateProcess writes the startup parameters into the new process, so a parent writing into each of its own children is expected; treat this signature as injection only when the target is not a child of the writer.
Processes
-
C:\Users\Admin\AppData\Local\Temp\d92ff294fd993c16a4bc8581e0a84fe361d714b75b87f812331231a35e7dc124.exe (PID 240, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d92ff294fd993c16a4bc8581e0a84fe361d714b75b87f812331231a35e7dc124.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  -
  C:\Users\Admin\AppData\Local\Temp\is-OJ9BL.tmp\d92ff294fd993c16a4bc8581e0a84fe361d714b75b87f812331231a35e7dc124.tmp (PID 1916, depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-OJ9BL.tmp\d92ff294fd993c16a4bc8581e0a84fe361d714b75b87f812331231a35e7dc124.tmp" /SL5="$20156,1194311,780288,C:\Users\Admin\AppData\Local\Temp\d92ff294fd993c16a4bc8581e0a84fe361d714b75b87f812331231a35e7dc124.exe"
    Inno Setup second stage: the installer unpacks a copy of itself into an is-XXXXX.tmp directory and re-executes it with /SL5=, which hands over the loader window handle and the locations of the setup data inside the original .exe. Everything below is spawned by this stage.
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    -
    C:\Windows\SysWOW64\taskkill.exe (PID 1996, depth 3)
      Command line: "taskkill" /F /im Vkotnakate_DJ.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    -
    C:\Windows\system32\cscript.exe (PID 560, depth 3)
      Command line: "cscript.exe" C:\Users\Admin\AppData\Local\Temp\is-S2AHR.tmp\info.js
    -
    C:\Windows\SysWOW64\schtasks.exe (PID 1528, depth 3)
      Command line: "schtasks.exe" /Create /TN VKDJ /SC ONLOGON /TR "C:\ProgramData\VkontakateDJ\Vkotnakate_DJ.exe /H" /F /DELAY 0001:00 /RL HIGHEST
      - Creates scheduled task(s)
      Task VKDJ runs Vkotnakate_DJ.exe /H at every logon after a one-minute delay, with /RL HIGHEST (the highest privilege level available to the logging-on user); /F overwrites any existing task of that name.
    -
    C:\Users\Admin\AppData\Local\Temp\is-S2AHR.tmp\7za.exe (PID 1992, depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\is-S2AHR.tmp\7za.exe" e "C:\Users\Admin\AppData\Local\Temp\is-S2AHR.tmp\5.10.zip" -pvkd -y -oC:\ProgramData\VkontakateDJ
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      Extracts the dropped 5.10.zip (password vkd, passed on the command line) into C:\ProgramData\VkontakateDJ without prompting (-y). The scheduled task points at the executable unpacked here and the earlier taskkill targets the same image name, so the order is: stop any running copy, unpack the new one, register the logon task.
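The following script is an added triage example for the Signatures and Processes sections above; it is not part of the sandbox report or of the installer's own code. It takes the command lines recorded in the tree, embedded as constructed input, and flags what the signatures describe: the Inno Setup second stage (/SL5=), the schtasks persistence with an ONLOGON trigger and /RL HIGHEST, the forced taskkill, the password-protected 7-Zip extraction (reporting the password and destination it finds on the command line), the script host run from Temp, and the WinHttpRequest default user-agent from the Script User-Agent signature. The (pid, ppid, cmdline) event layout, the rule names and the Finding type are this script's own assumptions, not a sandbox export format.

```python
"""Triage of the process tree above: parse each recorded command line and flag the behaviours the
sandbox signatures describe. Added example, not part of the report or of the installer's own code;
the (pid, ppid, cmdline) layout, the rule names and Finding are this script's own assumptions."""
import re
from dataclasses import dataclass

SAMPLE = "d92ff294fd993c16a4bc8581e0a84fe361d714b75b87f812331231a35e7dc124"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# Constructed sample input: (pid, ppid, command line), copied from the Processes tree above.
SAMPLE_EVENTS = [
    (240, 0, f'"{TEMP}\\{SAMPLE}.exe"'),
    (1916, 240, f'"{TEMP}\\is-OJ9BL.tmp\\{SAMPLE}.tmp" '
                f'/SL5="$20156,1194311,780288,{TEMP}\\{SAMPLE}.exe"'),
    (1996, 1916, '"taskkill" /F /im Vkotnakate_DJ.exe'),
    (560, 1916, f'"cscript.exe" {TEMP}\\is-S2AHR.tmp\\info.js'),
    (1528, 1916, '"schtasks.exe" /Create /TN VKDJ /SC ONLOGON '
                 '/TR "C:\\ProgramData\\VkontakateDJ\\Vkotnakate_DJ.exe /H" /F /DELAY 0001:00 /RL HIGHEST'),
    (1992, 1916, f'"{TEMP}\\is-S2AHR.tmp\\7za.exe" e "{TEMP}\\is-S2AHR.tmp\\5.10.zip" '
                 '-pvkd -y -oC:\\ProgramData\\VkontakateDJ'),
]
# Constructed sample input: HTTP flow id -> User-Agent, from the Script User-Agent signature.
SAMPLE_USER_AGENTS = {3: "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)",
                      14: "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"}


@dataclass(frozen=True)
class Finding:
    subject: int  # PID for process findings, HTTP flow id for network findings
    rule: str
    detail: str

def split_cmdline(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes. Enough for
    installer-generated argv; it does not implement every CommandLineToArgvW rule."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in re.finditer(r'"([^"]*)"|(\S+)', cmdline)]

def image_name(argv0):
    """Lower-cased basename of argv[0] without a trailing .exe."""
    name = argv0.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name

def parse_slashes(args):
    """Collect '/Opt value' pairs (schtasks/taskkill style) into a dict; a switch that is
    followed by another switch, or by nothing, maps to True."""
    opts, i = {}, 0
    while i < len(args):
        if args[i].startswith("/"):
            has_value = i + 1 < len(args) and not args[i + 1].startswith("/")
            opts[args[i][1:].lower()] = args[i + 1] if has_value else True
            i += 2 if has_value else 1
        else:
            i += 1
    return opts

def check_process(pid, cmdline):
    """Findings for one process event; the rule names are this script's own."""
    argv = split_cmdline(cmdline)
    if not argv:
        return []
    name, args, out = image_name(argv[0]), argv[1:], []
    opts = parse_slashes(args)
    if any(a.upper().startswith("/SL5=") for a in args):  # Inno Setup second stage
        out.append(Finding(pid, "inno_setup_stage2", argv[0]))
    if name == "schtasks" and "create" in opts:
        trigger, level = str(opts.get("sc", "")).upper(), str(opts.get("rl", "")).upper()
        if trigger in ("ONLOGON", "ONSTART") and level == "HIGHEST":
            out.append(Finding(pid, "schtasks_persistence",
                               f"task {opts.get('tn')} runs '{opts.get('tr')}' at {trigger} with /RL HIGHEST"))
    elif name == "taskkill" and "f" in opts and "im" in opts:
        out.append(Finding(pid, "taskkill_force", f"force-kills image {opts['im']}"))
    elif name in ("7za", "7z") and args and args[0].lower() in ("e", "x"):
        password = next((a[2:] for a in args if a.startswith("-p")), None)
        outdir = next((a[2:] for a in args if a.startswith("-o")), None)
        if password is not None:  # password handed over on the command line
            out.append(Finding(pid, "7zip_password_extract", f"password {password!r} -> {outdir}"))
    elif name in ("cscript", "wscript"):
        for a in args:
            if a.lower().endswith((".js", ".jse", ".vbs", ".vbe")) and "\\temp\\" in a.lower():
                out.append(Finding(pid, "script_host_from_temp", a))
    return out

def check_user_agent(flow, user_agent):
    """Flag the default User-Agent of the WinHttp.WinHttpRequest COM object (None otherwise)."""
    return Finding(flow, "script_host_user_agent", user_agent) if "WinHttp.WinHttpRequest" in user_agent else None

def triage(events, user_agents):
    """All findings for a run: process events first, then HTTP flows."""
    findings = [f for pid, _ppid, cmdline in events for f in check_process(pid, cmdline)]
    ua_hits = (check_user_agent(flow, ua) for flow, ua in user_agents.items())
    return findings + [f for f in ua_hits if f is not None]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS, SAMPLE_USER_AGENTS):
        print(f"{f.subject:>5}  {f.rule:<24} {f.detail}")
```

Run it as-is to list the seven findings for this report; to reuse it on another run, replace SAMPLE_EVENTS and SAMPLE_USER_AGENTS with the command lines and HTTP flows from that report. The schtasks rule deliberately fires only on logon/boot triggers combined with /RL HIGHEST, which is the combination an installer uses for run-at-logon persistence, so routine daily tasks do not produce noise.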
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\is-OJ9BL.tmp\d92ff294fd993c16a4bc8581e0a84fe361d714b75b87f812331231a35e7dc124.tmp
  MD5:    ac2adb4621cccacbafc3f06e2b29016c
  SHA1:   f9273150e00ae8513cbf741a67e4828e7c60f035
  SHA256: 1fdc97cf3fb4e31d15ea487ca3974b18cda979418f57c7b827f3c7275184ef3e
  SHA512: f754b04e318786496444539023cdd143dc0990d27561a7afd2041830ba46cadec42cd159ec516ed1f478894f53f40dbda87954b2ee06ea2ddc2276419396c800
-
C:\Users\Admin\AppData\Local\Temp\is-S2AHR.tmp\5.10.zip
  MD5:    88461ea87a1eb08ea2728b980c410b21
  SHA1:   34a7775822195afdbb5ae79e220d0b6a84508318
  SHA256: 28e04228aef6e577cb5f545579fa8d509cb3fdd6ab2f9ec308e4f2f2e49434e5
  SHA512: f06e4cb9f05eeb1c8add6b715fb5c105ab4166625c1ac6747477e2874b7d554de82afc574b2bf3a4202d621f8fb9888607a2dd7e05c3eaf39f67a168cfc2a6fd
  Password-protected archive that 7za.exe extracts into C:\ProgramData\VkontakateDJ (password vkd, see Processes).
-
C:\Users\Admin\AppData\Local\Temp\is-S2AHR.tmp\7za.exe
  MD5:    43141e85e7c36e31b52b22ab94d5e574
  SHA1:   cfd7079a9b268d84b856dc668edbb9ab9ef35312
  SHA256: ea308c76a2f927b160a143d94072b0dce232e04b751f0c6432a94e05164e716d
  SHA512: 9119ae7500aa5cccf26a0f18fd8454245347e3c01dabba56a93dbaaab86535e62b1357170758f3b3445b8359e7dd5d37737318a5d8a6047c499d32d5b64126fc
-
C:\Users\Admin\AppData\Local\Temp\is-S2AHR.tmp\info.js
  MD5:    ead0bf6ff4e3446ac39427cb3dffdc6e
  SHA1:   037444fdb1c81c804034959980738a049bbbbcf7
  SHA256: d96634e77d01f0790758c72a76fd17ae1dcbafd719121fd0942826de2a5d1186
  SHA512: 31dc3c2c38358f6e049a77c49b98f675562f172219df3cf62a6815af30af5f6a8188d3d49a328ce2af09e3c8438ccdc1bae0dd25e838494b7a09830e6eff337c
  Script executed by cscript.exe (PID 560) from the installer's temp directory.
-
\ProgramData\VkontakateDJ\unins000.exe
  MD5:    5d79c7c6b30d13c2cf286ea94276448f
  SHA1:   fa6db73afb07a3faaffc6956946b51624cb189f8
  SHA256: 13dcc851f23d21bdeb23c48663cf088b86480e0e3da484ec226390b3ac3dcc2a
  SHA512: 0273d7682c6b275082851a8db3c36f8d409af05f5c8384ec1fc2256b983c39f5e382d3a4f0e1a956939fd0a1e2243a6b361c8634cf4063549f4488070e852edf
  unins000.exe is the uninstaller Inno Setup writes into the installation directory, here C:\ProgramData\VkontakateDJ.
-
\Users\Admin\AppData\Local\Temp\is-OJ9BL.tmp\d92ff294fd993c16a4bc8581e0a84fe361d714b75b87f812331231a35e7dc124.tmp
  MD5:    ac2adb4621cccacbafc3f06e2b29016c
  SHA1:   f9273150e00ae8513cbf741a67e4828e7c60f035
  SHA256: 1fdc97cf3fb4e31d15ea487ca3974b18cda979418f57c7b827f3c7275184ef3e
  SHA512: f754b04e318786496444539023cdd143dc0990d27561a7afd2041830ba46cadec42cd159ec516ed1f478894f53f40dbda87954b2ee06ea2ddc2276419396c800
-
\Users\Admin\AppData\Local\Temp\is-S2AHR.tmp\7za.exe
  MD5:    43141e85e7c36e31b52b22ab94d5e574
  SHA1:   cfd7079a9b268d84b856dc668edbb9ab9ef35312
  SHA256: ea308c76a2f927b160a143d94072b0dce232e04b751f0c6432a94e05164e716d
  SHA512: 9119ae7500aa5cccf26a0f18fd8454245347e3c01dabba56a93dbaaab86535e62b1357170758f3b3445b8359e7dd5d37737318a5d8a6047c499d32d5b64126fc
-
\Users\Admin\AppData\Local\Temp\is-S2AHR.tmp\idp.dll
  MD5:    55c310c0319260d798757557ab3bf636
  SHA1:   0892eb7ed31d8bb20a56c6835990749011a2d8de
  SHA256: 54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed
  SHA512: e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57
  File name of the Inno Download Plugin DLL; the "JavaScript code in executable" YARA hit above refers to this file.
-
memory/560-8-0x0000000000000000-mapping.dmp
-
memory/560-10-0x00000000023E0000-0x00000000023E4000-memory.dmp (16KB)
-
memory/1528-11-0x0000000000000000-mapping.dmp
-
memory/1628-5-0x000007FEF6400000-0x000007FEF667A000-memory.dmp (2.5MB)
-
memory/1916-1-0x0000000000000000-mapping.dmp
-
memory/1992-13-0x0000000000000000-mapping.dmp
-
memory/1996-4-0x0000000000000000-mapping.dmp