Analysis
-
max time kernel
136s -
max time network
138s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
17-11-2020 11:46
Static task
static1
Behavioral task
behavioral1
Sample
90c41bb16437534b1cdaaa3a0172ab47.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
90c41bb16437534b1cdaaa3a0172ab47.exe
Resource
win10v20201028
General
-
Target
90c41bb16437534b1cdaaa3a0172ab47.exe
-
Size
818KB
-
MD5
a375ad4447db35a52d1aec0d3f2eb8fc
-
SHA1
0414ced53ad4c0eec4a0b636df80bc4d82556578
-
SHA256
99f412fce3ba59f5da3ea9cf4c6a19080e8065dc97104bece69b554a0241f629
-
SHA512
3459fcc55cddc00732abbcc4a4207ebec6e261bc78b7132ff74c004b8ab834608fe377f39940420f8fc3b36256e873eaf4d7578f2fa905bee260a141d6a59dc4
Malware Config
Signatures
-
Deletes itself 1 IoCs
Processes:
pid   process
1232  cmd.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Windows directory 2 IoCs
Processes:
description                   ioc                               process
File opened for modification  C:\Windows\Logs\DPX\setupact.log  expand.exe
File opened for modification  C:\Windows\Logs\DPX\setuperr.log  expand.exe
-
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
Processes:
pid  process
684  90c41bb16437534b1cdaaa3a0172ab47.exe (this row is repeated 20 times, once per IoC)
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
description                pid  process
Token: SeBackupPrivilege   684  90c41bb16437534b1cdaaa3a0172ab47.exe
Token: SeRestorePrivilege  684  90c41bb16437534b1cdaaa3a0172ab47.exe
Token: SeBackupPrivilege   684  90c41bb16437534b1cdaaa3a0172ab47.exe
Token: SeBackupPrivilege   684  90c41bb16437534b1cdaaa3a0172ab47.exe
Token: SeRestorePrivilege  684  90c41bb16437534b1cdaaa3a0172ab47.exe
Token: SeBackupPrivilege   684  90c41bb16437534b1cdaaa3a0172ab47.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid  process
684  90c41bb16437534b1cdaaa3a0172ab47.exe
-
Suspicious use of WriteProcessMemory 24 IoCs
Processes (source processes: 90c41bb16437534b1cdaaa3a0172ab47.exe, cmd.exe, net.exe):
description                        pid   process                               target process
PID 684 wrote to memory of 1096    684   90c41bb16437534b1cdaaa3a0172ab47.exe  expand.exe (4 identical entries)
PID 684 wrote to memory of 1060    684   90c41bb16437534b1cdaaa3a0172ab47.exe  net.exe (4 identical entries)
PID 684 wrote to memory of 1232    684   90c41bb16437534b1cdaaa3a0172ab47.exe  cmd.exe (4 identical entries)
PID 1232 wrote to memory of 1604   1232  cmd.exe                               chcp.com (4 identical entries)
PID 1060 wrote to memory of 664    1060  net.exe                               net1.exe (4 identical entries)
PID 1232 wrote to memory of 524    1232  cmd.exe                               PING.EXE (4 identical entries)
Processes
-
C:\Users\Admin\AppData\Local\Temp\90c41bb16437534b1cdaaa3a0172ab47.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\90c41bb16437534b1cdaaa3a0172ab47.exe"
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\expand.exe (depth 2)
Command line: expand "C:\Users\Admin\AppData\Local\Temp\iot6DB3.tmp" "C:\ProgramData\Microsoft\PlayReady\MDID87B.tmp\tmx.dat"
- Drops file in Windows directory
-
C:\Windows\SysWOW64\net.exe (depth 2)
Command line: net start AppMgmt
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exe (depth 3)
Command line: C:\Windows\system32\net1 start AppMgmt
-
C:\Windows\SysWOW64\cmd.exe (depth 2)
Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\lgt6EEC.tmp.cmd
- Deletes itself
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.com (depth 3)
Command line: chcp 1252
-
C:\Windows\SysWOW64\PING.EXE (depth 3)
Command line: ping 127.0.0.1 -n 5
- Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\ProgramData\Microsoft\PlayReady\MDID87B.tmp\tmx.dat
MD5
91f5000430a5803fcb4149acc0d42167
SHA1
a67239b0cc73ba95551224d09b9d65d23e64388e
SHA256
0c7b58aed8b2737c945f41e9c80503acfd6182923ed816e65f624498cf8f8026
SHA512
8792ddee85b083107abe5a5fdd0fba26978ca476817ee65f0ca1d1a501c47c2bef870744fd4c3b344849163bca3481d045341d76254a1d698be0e03b8647d97f
-
C:\Users\Admin\AppData\Local\Temp\lgt6EEC.tmp.cmd
MD5
b6cbab0fc9e085d2c9b3927256e0ea79
SHA1
befb821fe44dfef754c95de2fdcb3632c3f7ce9d
SHA256
2237916da299cbac56c1ff45d151de9929abafcb6cc2ab90421c91cba8ed3202
SHA512
b636ab63bd18eb7182fc6e42d4f2ec721a5a627fb1ebae11eb9b1765c26bdf3546082311435186d35ebebf5c3bb924a5018f77b5194d8e83d6e87947a52b7878
-
\??\c:\users\admin\appdata\local\temp\iot6db3.tmp
MD5
7ec37ef13e58efbb900054f8e3ab12b3
SHA1
b6113ab919d0e32018c32e3ade951871a7c6e236
SHA256
e1a5daf884950646f6c5f14d0f49034f33b316b8492af8e7cc2687f914bc0a83
SHA512
e60ea06a8bd6dfcba3df52d0fb3558fc8206d5e7492bc4cde02024b5ad08ddbe9247cf07590f21c4ce88b6f4adcd7f50c0f2bc5a09ce38025d2dbaf101280bd5
-
memory/524-8-0x0000000000000000-mapping.dmp
-
memory/664-7-0x0000000000000000-mapping.dmp
-
memory/1060-3-0x0000000000000000-mapping.dmp
-
memory/1096-0-0x0000000000000000-mapping.dmp
-
memory/1232-4-0x0000000000000000-mapping.dmp
-
memory/1604-6-0x0000000000000000-mapping.dmp