2ba2c20a826f51ed753f4f4dd78118d6f371a2fd5b4b0a2ff640c8f046d4fb55 | Triage

Analysis

max time kernel
3s
max time network
12s
platform
windows7_x64
resource
win7v20201028
submitted
09-11-2020 20:37

Sharing

Report Analysis Logs

General

Target

1.exe
Size

2.7MB
MD5

5a4135a79283d211cf21820a67e01a4f
SHA1

fd1a1709b4346a4ca307d01cb85b5d6beb633733
SHA256

2ba2c20a826f51ed753f4f4dd78118d6f371a2fd5b4b0a2ff640c8f046d4fb55
SHA512

c6aa36b7326a461179dc0c8c14dc3552ccbf22d72490ee1d7ca90b3c9177538eff8e16258a2e42ab59b4c5999c25e420981dfc9e2fb6d4a1cc509c2c9534813b

Score

1^/10

Malware Config

Signatures

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1916 taskkill.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

1.execmd.exe

description	pid	process	target process
PID 1700 wrote to memory of 1904	1700	1.exe	cmd.exe
PID 1700 wrote to memory of 1904	1700	1.exe	cmd.exe
PID 1700 wrote to memory of 1904	1700	1.exe	cmd.exe
PID 1904 wrote to memory of 1916	1904	cmd.exe	taskkill.exe
PID 1904 wrote to memory of 1916	1904	cmd.exe	taskkill.exe
PID 1904 wrote to memory of 1916	1904	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /F /IM sqlservr.exe /T"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1904
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM sqlservr.exe /T
    3⤵
    - Kills process with taskkill
    PID:1916

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1700-0-0x0000000000400000-0x00000000006E0000-memory.dmp

Filesize
2.9MB

Download
memory/1700-1-0x0000000000400000-0x00000000006E0000-memory.dmp

Filesize
2.9MB

Download
memory/1700-2-0x0000000000400000-0x00000000006E0000-memory.dmp

Filesize
2.9MB

Download
memory/1904-3-0x0000000000000000-mapping.dmp

Download
memory/1916-4-0x0000000000000000-mapping.dmp

Download