Overview

overview

8

Static

static

8

5509fe49ec...6e.exe

windows7_x64

8

5509fe49ec...6e.exe

windows10_x64

8

Analysis

  • max time kernel
    11s
  • max time network
    102s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    17-11-2020 12:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5509fe49ec28dc7abb5aae78a88b606e.exe

  • Size

    2.6MB

  • MD5

    1b2484bfb1a25d55d201207a15cf266b

  • SHA1

    70119d1800e6d39cbe0e5160f8acc2bdb2e46c7d

  • SHA256

    3f531ce5eae08958610dbac073a881654f1efad802ca3d5a325a75355e460da0

  • SHA512

    49db1d4577617e61c1a583fb82858d47f1d36ff348bf2229a848c8fcf7b3ee6d0c151e723a4527b2b822e943d3a235e428324bf60c61fcde69900da850596a26

Score
8/10
discovery

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5509fe49ec28dc7abb5aae78a88b606e.exe
    "C:\Users\Admin\AppData\Local\Temp\5509fe49ec28dc7abb5aae78a88b606e.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1020
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\uiomucymnd.exe" /VERYSILENT
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3076
      • C:\Users\Admin\AppData\Local\Temp\uiomucymnd.exe
        "C:\Users\Admin\AppData\Local\Temp\uiomucymnd.exe" /VERYSILENT
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:3668
        • C:\Users\Admin\AppData\Local\Temp\is-9NFUF.tmp\uiomucymnd.tmp
          "C:\Users\Admin\AppData\Local\Temp\is-9NFUF.tmp\uiomucymnd.tmp" /SL5="$40112,90766,54272,C:\Users\Admin\AppData\Local\Temp\uiomucymnd.exe" /VERYSILENT
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          PID:2160

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\is-9NFUF.tmp\uiomucymnd.tmp
    MD5

    f8b110dc2063d3b29502aa7042d26122

    SHA1

    1a0fd3db79eadc1ce714f6267d476ddbec0f5e79

    SHA256

    e8730b0bf8f94cbb8babbfefb32cef8e8d19ec823f28c33a7d48c78589710762

    SHA512

    f3125d3f575aff68105ebb3eadbce30547d34e12237d8ebbc555c6fe12bcc0a5ea85a38e26f2900d70af70ec07efde3b8cd65dc0fdada637496531245ea5052f

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\is-9NFUF.tmp\uiomucymnd.tmp
    MD5

    f8b110dc2063d3b29502aa7042d26122

    SHA1

    1a0fd3db79eadc1ce714f6267d476ddbec0f5e79

    SHA256

    e8730b0bf8f94cbb8babbfefb32cef8e8d19ec823f28c33a7d48c78589710762

    SHA512

    f3125d3f575aff68105ebb3eadbce30547d34e12237d8ebbc555c6fe12bcc0a5ea85a38e26f2900d70af70ec07efde3b8cd65dc0fdada637496531245ea5052f

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\uiomucymnd.exe
    MD5

    8f49472ed2ec6b48b3e17200e35a6cc2

    SHA1

    2cd6519d99614e7f6450d4e24fc9b5796dd78233

    SHA256

    7b9c5ed5f1c101fd42c207025ce61311bb8c6c49037a574a66352c3c21f7ba0d

    SHA512

    3fdda6ca38b83edc7bc77f3d6f63ae953b33ee38b870a5dbab72da2867767211352cb5d15076c073b9b8546b3844b3b180876537f78f2385d0160b3091bb57f9

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\uiomucymnd.exe
    MD5

    8f49472ed2ec6b48b3e17200e35a6cc2

    SHA1

    2cd6519d99614e7f6450d4e24fc9b5796dd78233

    SHA256

    7b9c5ed5f1c101fd42c207025ce61311bb8c6c49037a574a66352c3c21f7ba0d

    SHA512

    3fdda6ca38b83edc7bc77f3d6f63ae953b33ee38b870a5dbab72da2867767211352cb5d15076c073b9b8546b3844b3b180876537f78f2385d0160b3091bb57f9

    Download Submit
  • memory/1020-0-0x0000000010000000-0x0000000010274000-memory.dmp
    Filesize

    2.5MB

    Download
  • memory/2160-6-0x0000000000000000-mapping.dmp
    Download
  • memory/3076-1-0x0000000000000000-mapping.dmp
    Download
  • memory/3668-2-0x0000000000000000-mapping.dmp
    Download
  • memory/3668-3-0x0000000000000000-mapping.dmp
    Download