Analysis
- max time kernel: 150s
- max time network: 113s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 10-11-2020 11:29
Static task: static1
Behavioral task: behavioral1
- Sample: cd07d3848faaba1e4fe9fb1166c020af055029c7b8387341f554c21e17260e7a.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: cd07d3848faaba1e4fe9fb1166c020af055029c7b8387341f554c21e17260e7a.exe
- Resource: win10v20201028
General
- Target: cd07d3848faaba1e4fe9fb1166c020af055029c7b8387341f554c21e17260e7a.exe
- Size: 1.7MB
- MD5: 1692e19808bfcf5553f903dd6137d51f
- SHA1: ccb040f6a225dc17f87ce45b47bb5b0efcca0231
- SHA256: cd07d3848faaba1e4fe9fb1166c020af055029c7b8387341f554c21e17260e7a
- SHA512: 1dde3ec8f380aa2599f6b403416c7084014175b5a6e5ee3f1f283073a9a719e005264b250c6fac5e8ce86cb8dc5b9d46a98c436530229bd93448427331ffcf7c
Malware Config
Signatures
-
Processes:
resource | yara_rule
behavioral2/memory/4196-0-0x0000000000400000-0x00000000004B8000-memory.dmp | upx
behavioral2/memory/4196-2-0x0000000000400000-0x00000000004B8000-memory.dmp | upx
behavioral2/memory/4196-3-0x0000000000400000-0x00000000004B8000-memory.dmp | upx
-
Drops startup file 2 IoCs
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ABsound.exe | cd07d3848faaba1e4fe9fb1166c020af055029c7b8387341f554c21e17260e7a.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ABsound.exe | cd07d3848faaba1e4fe9fb1166c020af055029c7b8387341f554c21e17260e7a.exe
-
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | cd07d3848faaba1e4fe9fb1166c020af055029c7b8387341f554c21e17260e7a.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\cd07d3848faaba1e4fe9fb1166c020af055029c7b8387341f554c21e17260e7a.exe = "C:\\Users\\Admin\\AppData\\Roaming\\ASound.exe" | cd07d3848faaba1e4fe9fb1166c020af055029c7b8387341f554c21e17260e7a.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 4632 set thread context of 4196 | 4632 | cd07d3848faaba1e4fe9fb1166c020af055029c7b8387341f554c21e17260e7a.exe | vbc.exe
-
Suspicious use of AdjustPrivilegeToken 24 IoCs
Processes:
description | pid | process
Token: SeIncreaseQuotaPrivilege | 4196 | vbc.exe
Token: SeSecurityPrivilege | 4196 | vbc.exe
Token: SeTakeOwnershipPrivilege | 4196 | vbc.exe
Token: SeLoadDriverPrivilege | 4196 | vbc.exe
Token: SeSystemProfilePrivilege | 4196 | vbc.exe
Token: SeSystemtimePrivilege | 4196 | vbc.exe
Token: SeProfSingleProcessPrivilege | 4196 | vbc.exe
Token: SeIncBasePriorityPrivilege | 4196 | vbc.exe
Token: SeCreatePagefilePrivilege | 4196 | vbc.exe
Token: SeBackupPrivilege | 4196 | vbc.exe
Token: SeRestorePrivilege | 4196 | vbc.exe
Token: SeShutdownPrivilege | 4196 | vbc.exe
Token: SeDebugPrivilege | 4196 | vbc.exe
Token: SeSystemEnvironmentPrivilege | 4196 | vbc.exe
Token: SeChangeNotifyPrivilege | 4196 | vbc.exe
Token: SeRemoteShutdownPrivilege | 4196 | vbc.exe
Token: SeUndockPrivilege | 4196 | vbc.exe
Token: SeManageVolumePrivilege | 4196 | vbc.exe
Token: SeImpersonatePrivilege | 4196 | vbc.exe
Token: SeCreateGlobalPrivilege | 4196 | vbc.exe
Token: 33 | 4196 | vbc.exe
Token: 34 | 4196 | vbc.exe
Token: 35 | 4196 | vbc.exe
Token: 36 | 4196 | vbc.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid | process
4196 | vbc.exe
-
Suspicious use of WriteProcessMemory 5 IoCs
Processes:
description | pid | process | target process
PID 4632 wrote to memory of 4196 | 4632 | cd07d3848faaba1e4fe9fb1166c020af055029c7b8387341f554c21e17260e7a.exe | vbc.exe
PID 4632 wrote to memory of 4196 | 4632 | cd07d3848faaba1e4fe9fb1166c020af055029c7b8387341f554c21e17260e7a.exe | vbc.exe
PID 4632 wrote to memory of 4196 | 4632 | cd07d3848faaba1e4fe9fb1166c020af055029c7b8387341f554c21e17260e7a.exe | vbc.exe
PID 4632 wrote to memory of 4196 | 4632 | cd07d3848faaba1e4fe9fb1166c020af055029c7b8387341f554c21e17260e7a.exe | vbc.exe
PID 4632 wrote to memory of 4196 | 4632 | cd07d3848faaba1e4fe9fb1166c020af055029c7b8387341f554c21e17260e7a.exe | vbc.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\cd07d3848faaba1e4fe9fb1166c020af055029c7b8387341f554c21e17260e7a.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\cd07d3848faaba1e4fe9fb1166c020af055029c7b8387341f554c21e17260e7a.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (depth 2, child of the sample)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/4196-0-0x0000000000400000-0x00000000004B8000-memory.dmp (Filesize 736KB)
- memory/4196-1-0x0000000000400000-mapping.dmp
- memory/4196-2-0x0000000000400000-0x00000000004B8000-memory.dmp (Filesize 736KB)
- memory/4196-3-0x0000000000400000-0x00000000004B8000-memory.dmp (Filesize 736KB)