Analysis
- max time kernel: 67s
- max time network: 122s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 10-11-2020 11:29
Static task: static1
Behavioral task: behavioral1
  Sample: cd07d3848faaba1e4fe9fb1166c020af055029c7b8387341f554c21e17260e7a.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: cd07d3848faaba1e4fe9fb1166c020af055029c7b8387341f554c21e17260e7a.exe
  Resource: win10v20201028
General
- Target: cd07d3848faaba1e4fe9fb1166c020af055029c7b8387341f554c21e17260e7a.exe
- Size: 1.7MB
- MD5: 1692e19808bfcf5553f903dd6137d51f
- SHA1: ccb040f6a225dc17f87ce45b47bb5b0efcca0231
- SHA256: cd07d3848faaba1e4fe9fb1166c020af055029c7b8387341f554c21e17260e7a
- SHA512: 1dde3ec8f380aa2599f6b403416c7084014175b5a6e5ee3f1f283073a9a719e005264b250c6fac5e8ce86cb8dc5b9d46a98c436530229bd93448427331ffcf7c
Malware Config
Signatures
Processes:
  resource | yara_rule
  behavioral1/memory/1768-0-0x0000000000400000-0x00000000004B8000-memory.dmp | upx
  behavioral1/memory/1768-2-0x0000000000400000-0x00000000004B8000-memory.dmp | upx
  behavioral1/memory/1768-3-0x0000000000400000-0x00000000004B8000-memory.dmp | upx
Drops startup file (2 IoCs)
Processes:
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ABsound.exe | cd07d3848faaba1e4fe9fb1166c020af055029c7b8387341f554c21e17260e7a.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ABsound.exe | cd07d3848faaba1e4fe9fb1166c020af055029c7b8387341f554c21e17260e7a.exe
Uses the VBS compiler for execution (1 TTP)
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | cd07d3848faaba1e4fe9fb1166c020af055029c7b8387341f554c21e17260e7a.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\cd07d3848faaba1e4fe9fb1166c020af055029c7b8387341f554c21e17260e7a.exe = "C:\\Users\\Admin\\AppData\\Roaming\\ASound.exe" | cd07d3848faaba1e4fe9fb1166c020af055029c7b8387341f554c21e17260e7a.exe
Suspicious use of SetThreadContext (1 IoC)
Processes:
  description | pid | process | target process
  PID 1960 set thread context of 1768 | 1960 | cd07d3848faaba1e4fe9fb1166c020af055029c7b8387341f554c21e17260e7a.exe | vbc.exe
Suspicious use of AdjustPrivilegeToken (23 IoCs)
Processes:
  description | pid | process
  Token: SeIncreaseQuotaPrivilege | 1768 | vbc.exe
  Token: SeSecurityPrivilege | 1768 | vbc.exe
  Token: SeTakeOwnershipPrivilege | 1768 | vbc.exe
  Token: SeLoadDriverPrivilege | 1768 | vbc.exe
  Token: SeSystemProfilePrivilege | 1768 | vbc.exe
  Token: SeSystemtimePrivilege | 1768 | vbc.exe
  Token: SeProfSingleProcessPrivilege | 1768 | vbc.exe
  Token: SeIncBasePriorityPrivilege | 1768 | vbc.exe
  Token: SeCreatePagefilePrivilege | 1768 | vbc.exe
  Token: SeBackupPrivilege | 1768 | vbc.exe
  Token: SeRestorePrivilege | 1768 | vbc.exe
  Token: SeShutdownPrivilege | 1768 | vbc.exe
  Token: SeDebugPrivilege | 1768 | vbc.exe
  Token: SeSystemEnvironmentPrivilege | 1768 | vbc.exe
  Token: SeChangeNotifyPrivilege | 1768 | vbc.exe
  Token: SeRemoteShutdownPrivilege | 1768 | vbc.exe
  Token: SeUndockPrivilege | 1768 | vbc.exe
  Token: SeManageVolumePrivilege | 1768 | vbc.exe
  Token: SeImpersonatePrivilege | 1768 | vbc.exe
  Token: SeCreateGlobalPrivilege | 1768 | vbc.exe
  Token: 33 | 1768 | vbc.exe
  Token: 34 | 1768 | vbc.exe
  Token: 35 | 1768 | vbc.exe
Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  pid | process
  1768 | vbc.exe
Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  description | pid | process | target process
  PID 1960 wrote to memory of 1768 | 1960 | cd07d3848faaba1e4fe9fb1166c020af055029c7b8387341f554c21e17260e7a.exe | vbc.exe
  (the same event is recorded 6 times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\cd07d3848faaba1e4fe9fb1166c020af055029c7b8387341f554c21e17260e7a.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\cd07d3848faaba1e4fe9fb1166c020af055029c7b8387341f554c21e17260e7a.exe"
   PID: 1960
   - Drops startup file
   - Adds Run key to start application
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (spawned by PID 1960)
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      PID: 1768
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/1768-0-0x0000000000400000-0x00000000004B8000-memory.dmp (filesize 736KB)
- memory/1768-1-0x0000000000400000-mapping.dmp
- memory/1768-2-0x0000000000400000-0x00000000004B8000-memory.dmp (filesize 736KB)
- memory/1768-3-0x0000000000400000-0x00000000004B8000-memory.dmp (filesize 736KB)