Analysis

max time kernel: 15s
max time network: 149s
platform: windows7_x64
resource: win7v20201028
submitted: 21-11-2020 14:07

Static task: static1
Behavioral task: behavioral1
Sample: Package_details.exe
Resource: win7v20201028
General

Target: Package_details.exe
Size: 496KB
MD5: ce3c5367fb067a45f5fa10c35ca23a28
SHA1: 9d0f4d746747a6fd13a48b1a867eb8d103d9daec
SHA256: e4fc20492ed4f4750766382f6578d84f38bf680646eb6b5193c5733925941f67
SHA512: ae46e93dd82128efd0c1f8dab094b7a51716a6bcde6053a66efdd8724115e7b6d4a0fab1caf0775482f358488edefe81becdd01a2a820fba9b338c30cb2d8a07
Malware Config
Signatures

Adds Run key to start application (2 TTPs, 1 IoCs)
  Process: Package_details.exe
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WPA Host = "C:\\Program Files (x86)\\WPA Host\\wpahost.exe"

Checks whether UAC is enabled
  Process: Package_details.exe
  - Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

Suspicious use of SetThreadContext (1 IoCs)
  - PID 1588 (Package_details.exe) set thread context of PID 2028 (Package_details.exe)

Drops file in Program Files directory (2 IoCs)
  Process: Package_details.exe
  - File opened for modification: C:\Program Files (x86)\WPA Host\wpahost.exe
  - File created: C:\Program Files (x86)\WPA Host\wpahost.exe

Creates scheduled task(s) (1 TTPs, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  - PID 1368 schtasks.exe
  - PID 888 schtasks.exe
  - PID 1540 schtasks.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  - PID 2028 Package_details.exe (6 occurrences)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  - PID 2028 Package_details.exe

Suspicious behavior: MapViewOfSection (1 IoCs)
  - PID 1588 Package_details.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  - Token: SeDebugPrivilege, PID 2028 Package_details.exe

Suspicious use of WriteProcessMemory (21 IoCs)
  - PID 1588 (Package_details.exe) wrote to memory of PID 1232 (cmd.exe): 4 occurrences
  - PID 1588 (Package_details.exe) wrote to memory of PID 2028 (Package_details.exe): 5 occurrences
  - PID 1232 (cmd.exe) wrote to memory of PID 1368 (schtasks.exe): 4 occurrences
  - PID 2028 (Package_details.exe) wrote to memory of PID 888 (schtasks.exe): 4 occurrences
  - PID 2028 (Package_details.exe) wrote to memory of PID 1540 (schtasks.exe): 4 occurrences
Processes

C:\Users\Admin\AppData\Local\Temp\Package_details.exe (PID 1588)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Package_details.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe (PID 1232)
    Command line: cmd /c schtasks /Create /TN fonts /XML "C:\Users\Admin\AppData\Local\Temp\3b53dd4f8dbc40fcb4ebf67bcf9e21d3.xml"
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe (PID 1368)
      Command line: schtasks /Create /TN fonts /XML "C:\Users\Admin\AppData\Local\Temp\3b53dd4f8dbc40fcb4ebf67bcf9e21d3.xml"
      - Creates scheduled task(s)

  C:\Users\Admin\AppData\Local\Temp\Package_details.exe (PID 2028)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Package_details.exe"
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks.exe" /create /f /tn "WPA Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmp1CB4.tmp"
      - Creates scheduled task(s)

    C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks.exe" /create /f /tn "WPA Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp1D80.tmp"
      - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\3b53dd4f8dbc40fcb4ebf67bcf9e21d3.xml
  MD5: 99b73aab34f8bd54f47c146b01e5fd5d
  SHA1: be2703b6167529785c29b7cc00f27daad7a9c992
  SHA256: ee265bd616e49ceef232af05a414539116e742f28bf73125d266bb9ec6b03e14
  SHA512: 5b3bf9371f9a78152cffe4ccd18d713b64fb7ac04ede5fbfa9267a39507ed62d09b4776ac901f42b95c57572855574eaab93f352bc77bae78f3319a3408bfe44

C:\Users\Admin\AppData\Local\Temp\tmp1CB4.tmp
  MD5: 4064530f2d7e47af75d251d052abad47
  SHA1: 991874bdda0bdf847e31ba3040776fd95969a506
  SHA256: 876a0ea3fb8e063b11642f06ada2a6ebb27fc3106cc9c7a514dffbe97fee5612
  SHA512: f64269bada83ada3330484cb8a12c44eed027a1c1a300c268a9032c4a85795f21404ad7ad479f8d0f72280eb713852d7e50f65dee84b038ebf02cdb9f40e2005

C:\Users\Admin\AppData\Local\Temp\tmp1D80.tmp
  MD5: 819bdbdac3be050783d203020e6c4c30
  SHA1: a373521fceb21cac8b93e55ee48578e40a6e740b
  SHA256: 0e5dedca6d0d3c50ebcedb5bbf51ef3d434eb6b43da46764205de7636131f053
  SHA512: cece1c4d8b4db79fc6e3cd225efaccdf9d2493f28991b1d48439944af38aaa61a215bd00a0beedcbdecc4f1ec5be0843774375a483f3d4a573a3980c54798cbd

Memory dumps
  - memory/888-7-0x0000000000000000-mapping.dmp
  - memory/1232-0-0x0000000000000000-mapping.dmp
  - memory/1368-3-0x0000000000000000-mapping.dmp
  - memory/1540-9-0x0000000000000000-mapping.dmp
  - memory/1588-5-0x00000000009B0000-0x00000000009EF000-memory.dmp (Filesize: 252KB)
  - memory/2028-1-0x0000000000400000-0x0000000000448000-memory.dmp (Filesize: 288KB)
  - memory/2028-2-0x000000000040188B-mapping.dmp
  - memory/2028-4-0x0000000000400000-0x0000000000448000-memory.dmp (Filesize: 288KB)