Analysis
- Max time kernel: 82s
- Max time network: 83s
- Platform: windows7_x64
- Resource: win7v20201028
- Submitted: 17-11-2020 12:09
Static task: static1
Behavioral task: behavioral1
- Sample: 7ec2e4b4e8d8c339525379ae2dd49f38.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: 7ec2e4b4e8d8c339525379ae2dd49f38.exe
- Resource: win10v20201028
General
- Target: 7ec2e4b4e8d8c339525379ae2dd49f38.exe
- Size: 3.7MB
- MD5: d8217ae9b608cbeb9c9da5eb977961a6
- SHA1: 167622f5c4cced3a6bd6e824331e97ffb10389a6
- SHA256: 6f785c3e70d6ff330e829d415da2005982778111775904444e83b2a33b089b9d
- SHA512: 53e4bb0dd9e470ba002d4f03250bbfdd0bfb6fc069b4c7b289a434772b1303831bab1d255770abf49fa9f4e69fb34043760b62f250474082ec94835050dbceb7
Malware Config
Signatures
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Maps connected drives based on registry (3 TTPs, 3 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | 7ec2e4b4e8d8c339525379ae2dd49f38.exe
  - Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\Count | 7ec2e4b4e8d8c339525379ae2dd49f38.exe
  - Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | 7ec2e4b4e8d8c339525379ae2dd49f38.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description | pid | process | target process):
  - PID 1688 set thread context of 980 | 1688 | 7ec2e4b4e8d8c339525379ae2dd49f38.exe | 7ec2e4b4e8d8c339525379ae2dd49f38.exe
- Modifies Internet Explorer settings
  Processes (description | ioc | process):
  - Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main | 7ec2e4b4e8d8c339525379ae2dd49f38.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid | process):
  - 980 | 7ec2e4b4e8d8c339525379ae2dd49f38.exe
  - 980 | 7ec2e4b4e8d8c339525379ae2dd49f38.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes (pid | process):
  - 980 | 7ec2e4b4e8d8c339525379ae2dd49f38.exe
  - 980 | 7ec2e4b4e8d8c339525379ae2dd49f38.exe
  - 980 | 7ec2e4b4e8d8c339525379ae2dd49f38.exe
  - 980 | 7ec2e4b4e8d8c339525379ae2dd49f38.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description | pid | process | target process):
  - PID 1688 wrote to memory of 980 | 1688 | 7ec2e4b4e8d8c339525379ae2dd49f38.exe | 7ec2e4b4e8d8c339525379ae2dd49f38.exe
    (this identical entry appears 12 times in the report)
Processes
- C:\Users\Admin\AppData\Local\Temp\7ec2e4b4e8d8c339525379ae2dd49f38.exe (depth 1; PID 1688 per the signature tables)
  Command line: "C:\Users\Admin\AppData\Local\Temp\7ec2e4b4e8d8c339525379ae2dd49f38.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\7ec2e4b4e8d8c339525379ae2dd49f38.exe (depth 2, child of the process above; PID 980 per the signature tables)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7ec2e4b4e8d8c339525379ae2dd49f38.exe"
    - Maps connected drives based on registry
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/980-1-0x0000000000778001-mapping.dmp
- memory/980-0-0x0000000000400000-0x00000000007AF000-memory.dmp (3.7MB)
- memory/980-2-0x0000000000400000-0x00000000007AF000-memory.dmp (3.7MB)
- memory/980-3-0x00000000048C0000-0x00000000048D1000-memory.dmp (68KB)
- memory/980-4-0x00000000048C0000-0x00000000048D1000-memory.dmp (68KB)
- memory/980-23-0x00000000048C0000-0x00000000048D1000-memory.dmp (68KB)
- memory/980-30-0x00000000048C0000-0x00000000048D1000-memory.dmp (68KB)
- memory/980-31-0x00000000053D0000-0x00000000053E1000-memory.dmp (68KB)
- memory/980-32-0x00000000053D0000-0x00000000053E1000-memory.dmp (68KB)
- memory/980-33-0x00000000053D0000-0x00000000053E1000-memory.dmp (68KB)
- memory/1804-34-0x000007FEF7080000-0x000007FEF72FA000-memory.dmp (2.5MB)