Overview

overview

10

Static

static

301a3f5017...le.exe

windows7_x64

10

301a3f5017...le.exe

windows10_x64

10

Resubmissions

23-03-2024 23:50

240323-3vttmsed88 10

12-12-2020 10:26

201212-wddwj75xse 10

Analysis

  • max time kernel
    66s
  • max time network
    119s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    12-12-2020 10:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    301a3f5017e578fb04b0eb33f45831bb9bb8318020e0a18d222ebea08bf1c75f.bin.sample.exe

  • Size

    413KB

  • MD5

    3023d7526b479ea3df315a5b1779a43d

  • SHA1

    b5ae71b96a28b9353a4f33c5370ac18750937c17

  • SHA256

    301a3f5017e578fb04b0eb33f45831bb9bb8318020e0a18d222ebea08bf1c75f

  • SHA512

    67fe1cf7538e8ef76b6acbba99326af0de58464bf5710ae6fa7b85d73da9a84c58122de6b87c7d9560f0d366de711a95d03be231c1018eacb7489fd32aeb0834

Score
10/10
persistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs
  • ServiceHost packer 8 IoCs

    Detects ServiceHost packer used for .NET malware

  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 29 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\301a3f5017e578fb04b0eb33f45831bb9bb8318020e0a18d222ebea08bf1c75f.bin.sample.exe
    "C:\Users\Admin\AppData\Local\Temp\301a3f5017e578fb04b0eb33f45831bb9bb8318020e0a18d222ebea08bf1c75f.bin.sample.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Adds Run key to start application
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:492
    • C:\Windows\syswow64\svchost.exe
      C:\Windows\syswow64\svchost.exe
      2⤵
        PID:1996
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 208
          3⤵
          • Suspicious use of NtCreateProcessExOtherParentProcess
          • Program crash
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4040
      • C:\Windows\syswow64\svchost.exe
        C:\Windows\syswow64\svchost.exe
        2⤵
          PID:208
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 208 -s 204
            3⤵
            • Suspicious use of NtCreateProcessExOtherParentProcess
            • Program crash
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2904
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xKeNIVpFABUmG.bat" 301a3f5017e578fb04b0eb33f45831bb9bb8318020e0a18d222ebea08bf1c75f.bin.sample.exe"
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:636
          • C:\Windows\SysWOW64\attrib.exe
            attrib -r -s -h 301a3f5017e578fb04b0eb33f45831bb9bb8318020e0a18d222ebea08bf1c75f.bin.sample.exe
            3⤵
            • Views/modifies file attributes
            PID:1012

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Winlogon Helper DLL

      1
      T1004

      Registry Run Keys / Startup Folder

      1
      T1060

      Hidden Files and Directories

      1
      T1158

      Privilege Escalation

      Defense Evasion

      Modify Registry

      2
      T1112

      Hidden Files and Directories

      1
      T1158

      Credential Access

      Discovery

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\xKeNIVpFABUmG.bat
        MD5

        f488b5df4ab36b2fa1c78c041f5a433c

        SHA1

        fe8b77ce17a48de7d7e6f7bfe7b8411701ebb12f

        SHA256

        ce0e7dceca9e877c8ad232acef340c246f6f553e841dbcff18a9b458cd0fae1c

        SHA512

        3df780bf8f3c2b547606f2dfc5552ab5140fdb089681f5945d2aec23d3eeb13d1546ea100881d6c830110c79c60f113788b1fbc7fd674a3578f9e2f76ea54ea7

        Download Submit
      • memory/208-17-0x0000000000000000-mapping.dmp
        Download
      • memory/208-16-0x0000000000000000-mapping.dmp
        Download
      • memory/208-11-0x0000000000000000-mapping.dmp
        Download
      • memory/208-14-0x0000000000080000-0x000000000008C000-memory.dmp
        Filesize

        48KB

        Download
      • memory/208-19-0x0000000000000000-mapping.dmp
        Download
      • memory/208-18-0x0000000000000000-mapping.dmp
        Download
      • memory/208-13-0x0000000000080000-0x000000000008C000-memory.dmp
        Filesize

        48KB

        Download
      • memory/492-2-0x0000000000DB0000-0x0000000000DF0000-memory.dmp
        Filesize

        256KB

        Download
      • memory/636-21-0x0000000000000000-mapping.dmp
        Download
      • memory/1012-23-0x0000000000000000-mapping.dmp
        Download
      • memory/1996-9-0x0000000000000000-mapping.dmp
        Download
      • memory/1996-8-0x0000000000000000-mapping.dmp
        Download
      • memory/1996-5-0x0000000000080000-0x000000000008C000-memory.dmp
        Filesize

        48KB

        Download
      • memory/1996-10-0x0000000000000000-mapping.dmp
        Download
      • memory/1996-4-0x0000000000080000-0x000000000008C000-memory.dmp
        Filesize

        48KB

        Download
      • memory/1996-7-0x0000000000000000-mapping.dmp
        Download
      • memory/1996-3-0x0000000000000000-mapping.dmp
        Download
      • memory/2904-20-0x0000000005630000-0x0000000005631000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2904-15-0x0000000005000000-0x0000000005001000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4040-6-0x00000000047A0000-0x00000000047A1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4040-12-0x0000000004DD0000-0x0000000004DD1000-memory.dmp
        Filesize

        4KB

        Download