Analysis
-
max time kernel
188s -
max time network
190s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
21-11-2020 16:12
Errors
Reason
Machine shutdown
General
-
Target
e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
-
Size
532KB
-
MD5
76f547c793b5478b970c64caf04d01d4
-
SHA1
f9eb40f6d3d4c83852e3781886db762bef8564e0
-
SHA256
e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037
-
SHA512
91e91a8b693cb253f281411260611a221a113b342eaa642a9d6597aaf86c138ee2aa28ade10218a814ae34016e6d70824e36786497476ab704defddf60e33e17
Score
10/10
Malware Config
Signatures
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
-
Modifies WinLogon to allow AutoLogon 2 TTPs 1 IoCs
Enables rebooting of the machine without requiring login credentials.
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 5 IoCs
-
Modifies Control Panel 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 15 IoCs
-
Modifies registry class 14 IoCs
-
Suspicious behavior: AddClipboardFormatListener 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 198 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of FindShellTrayWindow 175 IoCs
-
Suspicious use of SendNotifyMessage 175 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe"C:\Users\Admin\AppData\Local\Temp\e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe"1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\ConnectCompare.docm" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\mspaint.exe"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\ResolveUnpublish.png" /ForceBootstrapPaint3D1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system32\rundll32.exerundll32.exe AppXDeploymentExtensions.OneCore.dll,ShellRefresh1⤵
- Modifies registry class
-
C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe"C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe" -ServerName:Microsoft.MSPaint.AppX437q68k2qc2asvaagas2prv9tjej6ja9.mca1⤵
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2020 -s 39642⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\HelpPane.exe"C:\Windows\HelpPane.exe"1⤵
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x0 /state0:0xa3a8a055 /state1:0x41c64e6d1⤵
- Modifies WinLogon to allow AutoLogon
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/4156-2-0x00007FF85E9A0000-0x00007FF85EFD7000-memory.dmpFilesize
6.2MB
-
memory/4704-4-0x000001605D0A0000-0x000001605D0A1000-memory.dmpFilesize
4KB
-
memory/4704-3-0x000001605D0A0000-0x000001605D0A1000-memory.dmpFilesize
4KB
-
memory/4704-6-0x000001605D0A0000-0x000001605D0A1000-memory.dmpFilesize
4KB
-
memory/4704-8-0x000001605D3E0000-0x000001605D3E1000-memory.dmpFilesize
4KB
-
memory/4704-10-0x000001605D7E0000-0x000001605D7E1000-memory.dmpFilesize
4KB
-
memory/4704-12-0x000001605D7E0000-0x000001605D7E1000-memory.dmpFilesize
4KB
-
memory/4704-14-0x000001605E820000-0x000001605E821000-memory.dmpFilesize
4KB
-
memory/4704-16-0x000001605E820000-0x000001605E821000-memory.dmpFilesize
4KB
-
memory/4704-18-0x000001605E820000-0x000001605E821000-memory.dmpFilesize
4KB
-
memory/4704-20-0x000001605E820000-0x000001605E821000-memory.dmpFilesize
4KB
-
memory/4704-22-0x000001605E820000-0x000001605E821000-memory.dmpFilesize
4KB
-
memory/4704-26-0x000001605E820000-0x000001605E821000-memory.dmpFilesize
4KB
-
memory/4704-28-0x000001605E820000-0x000001605E821000-memory.dmpFilesize
4KB
-
memory/4704-30-0x000001605E820000-0x000001605E821000-memory.dmpFilesize
4KB
-
memory/4704-32-0x000001605E820000-0x000001605E821000-memory.dmpFilesize
4KB
-
memory/4704-34-0x000001605E820000-0x000001605E821000-memory.dmpFilesize
4KB
-
memory/4704-36-0x000001605E820000-0x000001605E821000-memory.dmpFilesize
4KB
-
memory/4704-38-0x000001605E820000-0x000001605E821000-memory.dmpFilesize
4KB
-
memory/4704-40-0x000001605E820000-0x000001605E821000-memory.dmpFilesize
4KB
-
memory/4704-42-0x000001605E820000-0x000001605E821000-memory.dmpFilesize
4KB
-
memory/4704-44-0x000001605E820000-0x000001605E821000-memory.dmpFilesize
4KB
-
memory/4704-46-0x000001605E820000-0x000001605E821000-memory.dmpFilesize
4KB
-
memory/4704-47-0x000001605E820000-0x000001605E821000-memory.dmpFilesize
4KB
-
memory/4704-49-0x000001605E820000-0x000001605E821000-memory.dmpFilesize
4KB
-
memory/4704-51-0x000001605E820000-0x000001605E821000-memory.dmpFilesize
4KB
-
memory/4704-52-0x000001605E820000-0x000001605E821000-memory.dmpFilesize
4KB
-
memory/4704-54-0x000001605E820000-0x000001605E821000-memory.dmpFilesize
4KB
-
memory/4704-56-0x000001605E820000-0x000001605E821000-memory.dmpFilesize
4KB
-
memory/4704-58-0x000001605E820000-0x000001605E821000-memory.dmpFilesize
4KB
-
memory/4704-60-0x000001605E820000-0x000001605E821000-memory.dmpFilesize
4KB
-
memory/4704-62-0x000001605E820000-0x000001605E821000-memory.dmpFilesize
4KB
-
memory/4704-64-0x000001605E820000-0x000001605E821000-memory.dmpFilesize
4KB
-
memory/4704-66-0x000001605E820000-0x000001605E821000-memory.dmpFilesize
4KB
-
memory/4704-68-0x000001605E820000-0x000001605E821000-memory.dmpFilesize
4KB
-
memory/4704-70-0x000001605E820000-0x000001605E821000-memory.dmpFilesize
4KB
-
memory/4704-72-0x000001605E820000-0x000001605E821000-memory.dmpFilesize
4KB
-
memory/4704-74-0x000001605E820000-0x000001605E821000-memory.dmpFilesize
4KB
-
memory/4704-76-0x000001605E820000-0x000001605E821000-memory.dmpFilesize
4KB
-
memory/4704-78-0x000001605E820000-0x000001605E821000-memory.dmpFilesize
4KB
-
memory/4704-79-0x000001605E820000-0x000001605E821000-memory.dmpFilesize
4KB
-
memory/4704-81-0x000001605E820000-0x000001605E821000-memory.dmpFilesize
4KB
-
memory/4704-83-0x000001605E820000-0x000001605E821000-memory.dmpFilesize
4KB
-
memory/4704-85-0x000001605E820000-0x000001605E821000-memory.dmpFilesize
4KB
-
memory/4704-87-0x000001605E820000-0x000001605E821000-memory.dmpFilesize
4KB
-
memory/4704-89-0x000001605E820000-0x000001605E821000-memory.dmpFilesize
4KB
-
memory/4704-91-0x000001605E820000-0x000001605E821000-memory.dmpFilesize
4KB
-
memory/4704-93-0x000001605E820000-0x000001605E821000-memory.dmpFilesize
4KB
-
memory/4704-95-0x000001605E820000-0x000001605E821000-memory.dmpFilesize
4KB
-
memory/4704-97-0x000001605E820000-0x000001605E821000-memory.dmpFilesize
4KB
-
memory/4704-99-0x000001605E820000-0x000001605E821000-memory.dmpFilesize
4KB
-
memory/4704-101-0x000001605E820000-0x000001605E821000-memory.dmpFilesize
4KB
-
memory/4704-103-0x000001605E820000-0x000001605E821000-memory.dmpFilesize
4KB
-
memory/4704-105-0x000001605E820000-0x000001605E821000-memory.dmpFilesize
4KB
-
memory/4704-107-0x000001605E820000-0x000001605E821000-memory.dmpFilesize
4KB
-
memory/4704-109-0x000001605E820000-0x000001605E821000-memory.dmpFilesize
4KB
-
memory/4704-111-0x000001605E820000-0x000001605E821000-memory.dmpFilesize
4KB
-
memory/4704-113-0x000001605E780000-0x000001605E781000-memory.dmpFilesize
4KB