Resubmissions
Submitted            ID
29-11-2020 11:01     201129-d4be3v1hha    10
29-11-2020 09:57     201129-jrbzljg4bn    10
22-11-2020 09:12     201122-mn1g1mmfh2    10
20-11-2020 12:13     201120-mhdv9tfvhs    10

Analysis
Max time kernel:   224s
Max time network:  223s
Platform:          windows7_x64
Resource:          win7v20201028
Submitted:         29-11-2020 09:57
Behavioral task: behavioral1
Sample:    812fca175f63a63380cc09b822399dc99cf2f0e9248003ed76cfb26033828f09.exe
Resource:  win7v20201028 (windows7_x64)
Signatures: 0
Duration:   0 seconds
General
Target:  812fca175f63a63380cc09b822399dc99cf2f0e9248003ed76cfb26033828f09.exe
Size:    226KB
MD5:     2c6261543b4afdc73780193769c4b971
SHA1:    ce578cfd43137888d4be4c2d3d39e9a0d70cc22d
SHA256:  812fca175f63a63380cc09b822399dc99cf2f0e9248003ed76cfb26033828f09
SHA512:  5619c2418d292bc490225b9661975939a767f5c464a30f6c85746b13e06fef56ba15eb730645a571885e6423bcaea337c3b0f0ebfd45edd9643b2fb4c47eda8d
Score:   6/10
Malware Config
(none)

Signatures

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow   ioc
22     api.ipify.org
23     api.ipify.org

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
description                  pid   process
Token: SeDebugPrivilege      648   wermgr.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
description                        pid    process                                                                   target process
PID 1068 wrote to memory of 648    1068   812fca175f63a63380cc09b822399dc99cf2f0e9248003ed76cfb26033828f09.exe    wermgr.exe
PID 1068 wrote to memory of 648    1068   812fca175f63a63380cc09b822399dc99cf2f0e9248003ed76cfb26033828f09.exe    wermgr.exe
PID 1068 wrote to memory of 648    1068   812fca175f63a63380cc09b822399dc99cf2f0e9248003ed76cfb26033828f09.exe    wermgr.exe
PID 1068 wrote to memory of 648    1068   812fca175f63a63380cc09b822399dc99cf2f0e9248003ed76cfb26033828f09.exe    wermgr.exe
PID 1068 wrote to memory of 648    1068   812fca175f63a63380cc09b822399dc99cf2f0e9248003ed76cfb26033828f09.exe    wermgr.exe
PID 1068 wrote to memory of 648    1068   812fca175f63a63380cc09b822399dc99cf2f0e9248003ed76cfb26033828f09.exe    wermgr.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\812fca175f63a63380cc09b822399dc99cf2f0e9248003ed76cfb26033828f09.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\812fca175f63a63380cc09b822399dc99cf2f0e9248003ed76cfb26033828f09.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\wermgr.exe
      Command line: C:\Windows\system32\wermgr.exe
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/648-2-0x0000000000000000-mapping.dmp