Overview

overview

10

Static

static

a96253a4b8...3d.exe

windows7_x64

1

a96253a4b8...3d.exe

windows10_x64

10

Analysis

  • max time kernel
    60s
  • max time network
    14s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    04-12-2020 19:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a96253a4b8d3dc0d9cece5aa9145813d.exe

  • Size

    926KB

  • MD5

    a96253a4b8d3dc0d9cece5aa9145813d

  • SHA1

    1d318d45b369768974b793415243b2f120ac21da

  • SHA256

    9603997de7895ccfbd7b9493e7c64a9a089adc98a4929308ff74f18e88f9eac7

  • SHA512

    92b6695b9e0078433f7f02e4a7542d1082280c92fbe5580815faf79ff3e0671ed4aea4489a354a382025363d91911665080a8f87286dd2332ce3cb3e5a409921

Score
1/10

Malware Config

Signatures

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a96253a4b8d3dc0d9cece5aa9145813d.exe
    "C:\Users\Admin\AppData\Local\Temp\a96253a4b8d3dc0d9cece5aa9145813d.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:476
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TNKpefNs" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE9C3.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1688
    • C:\Users\Admin\AppData\Local\Temp\a96253a4b8d3dc0d9cece5aa9145813d.exe
      "C:\Users\Admin\AppData\Local\Temp\a96253a4b8d3dc0d9cece5aa9145813d.exe"
      2⤵
        PID:908
      • C:\Users\Admin\AppData\Local\Temp\a96253a4b8d3dc0d9cece5aa9145813d.exe
        "C:\Users\Admin\AppData\Local\Temp\a96253a4b8d3dc0d9cece5aa9145813d.exe"
        2⤵
          PID:1668
        • C:\Users\Admin\AppData\Local\Temp\a96253a4b8d3dc0d9cece5aa9145813d.exe
          "C:\Users\Admin\AppData\Local\Temp\a96253a4b8d3dc0d9cece5aa9145813d.exe"
          2⤵
            PID:392
          • C:\Users\Admin\AppData\Local\Temp\a96253a4b8d3dc0d9cece5aa9145813d.exe
            "C:\Users\Admin\AppData\Local\Temp\a96253a4b8d3dc0d9cece5aa9145813d.exe"
            2⤵
              PID:520
            • C:\Users\Admin\AppData\Local\Temp\a96253a4b8d3dc0d9cece5aa9145813d.exe
              "C:\Users\Admin\AppData\Local\Temp\a96253a4b8d3dc0d9cece5aa9145813d.exe"
              2⤵
                PID:1060

            Network

            MITRE ATT&CK Matrix ATT&CK v6

            Initial Access

            Execution

            Scheduled Task

            1
            T1053

            Persistence

            Scheduled Task

            1
            T1053

            Privilege Escalation

            Scheduled Task

            1
            T1053

            Defense Evasion

            Credential Access

            Discovery

            Lateral Movement

            Collection

            Exfiltration

            Command and Control

            Impact

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\tmpE9C3.tmp
              MD5

              5206fdbeb7e8fd3cc9e0d1202a062e38

              SHA1

              96d282f00989b16c93a2e454dd8099e6e88beef8

              SHA256

              5b70e4e3b58306beac297abc2987b48f35b776a595e3c45d0f5130a1b76fb4ab

              SHA512

              7a406dc64d8afd0e4e59ecb9bb493119e626f44fbee1bf8c9e6ab9a80d7e23224147cfe568c6dbec24778023e25936e41ffe63622e0b97b39bae52b0e81dd6c7

              Download Submit
            • memory/476-2-0x0000000073F20000-0x000000007460E000-memory.dmp
              Filesize

              6.9MB

              Download
            • memory/476-3-0x00000000003D0000-0x00000000003D1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/476-5-0x0000000025840000-0x0000000045828000-memory.dmp
              Filesize

              511.9MB

              Download
            • memory/476-6-0x00000000020A0000-0x00000000020EF000-memory.dmp
              Filesize

              316KB

              Download
            • memory/476-7-0x00000000006E0000-0x00000000006E8000-memory.dmp
              Filesize

              32KB

              Download
            • memory/476-9-0x0000000002130000-0x0000000002161000-memory.dmp
              Filesize

              196KB

              Download
            • memory/1688-10-0x0000000000000000-mapping.dmp
              Download