78e948358f9dee4cedfadeda96958f295d04abf52ab475c381a4f312044a5398

Resubmissions

08-01-2021 07:55

210108-t65c11rstx 10

08-01-2021 07:07

210108-36n89epqae 6

Analysis

max time kernel
147s
max time network
146s
platform
windows7_x64
resource
win7v20201028
submitted
08-01-2021 07:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

df19cccb4855faee7eb6a933b487cdf4.exe
Size

3.7MB
MD5

df19cccb4855faee7eb6a933b487cdf4
SHA1

65c08dcea9c7fc3dcf2da6abfed1f0b5a8a05da8
SHA256

78e948358f9dee4cedfadeda96958f295d04abf52ab475c381a4f312044a5398
SHA512

836f650fe68301f3da8eb96044df02e03f9e435174c2b43203fb12fb602d5fa01a4185a89bb436b9fa4668e57af16f1976920a63c99e233a904e73aae3c4f551

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

df19cccb4855faee7eb6a933b487cdf4.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\win32\\svchost.exe"	df19cccb4855faee7eb6a933b487cdf4.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

df19cccb4855faee7eb6a933b487cdf4.exe

pid	process
1204	df19cccb4855faee7eb6a933b487cdf4.exe
1204	df19cccb4855faee7eb6a933b487cdf4.exe
1204	df19cccb4855faee7eb6a933b487cdf4.exe
1204	df19cccb4855faee7eb6a933b487cdf4.exe

Suspicious behavior: RenamesItself 29 IoCs

Processes:

df19cccb4855faee7eb6a933b487cdf4.exe

pid	process
1204	df19cccb4855faee7eb6a933b487cdf4.exe
1204	df19cccb4855faee7eb6a933b487cdf4.exe
1204	df19cccb4855faee7eb6a933b487cdf4.exe
1204	df19cccb4855faee7eb6a933b487cdf4.exe
1204	df19cccb4855faee7eb6a933b487cdf4.exe
1204	df19cccb4855faee7eb6a933b487cdf4.exe
1204	df19cccb4855faee7eb6a933b487cdf4.exe
1204	df19cccb4855faee7eb6a933b487cdf4.exe
1204	df19cccb4855faee7eb6a933b487cdf4.exe
1204	df19cccb4855faee7eb6a933b487cdf4.exe
1204	df19cccb4855faee7eb6a933b487cdf4.exe
1204	df19cccb4855faee7eb6a933b487cdf4.exe
1204	df19cccb4855faee7eb6a933b487cdf4.exe
1204	df19cccb4855faee7eb6a933b487cdf4.exe
1204	df19cccb4855faee7eb6a933b487cdf4.exe
1204	df19cccb4855faee7eb6a933b487cdf4.exe
1204	df19cccb4855faee7eb6a933b487cdf4.exe
1204	df19cccb4855faee7eb6a933b487cdf4.exe
1204	df19cccb4855faee7eb6a933b487cdf4.exe
1204	df19cccb4855faee7eb6a933b487cdf4.exe
1204	df19cccb4855faee7eb6a933b487cdf4.exe
1204	df19cccb4855faee7eb6a933b487cdf4.exe
1204	df19cccb4855faee7eb6a933b487cdf4.exe
1204	df19cccb4855faee7eb6a933b487cdf4.exe
1204	df19cccb4855faee7eb6a933b487cdf4.exe
1204	df19cccb4855faee7eb6a933b487cdf4.exe
1204	df19cccb4855faee7eb6a933b487cdf4.exe
1204	df19cccb4855faee7eb6a933b487cdf4.exe
1204	df19cccb4855faee7eb6a933b487cdf4.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

df19cccb4855faee7eb6a933b487cdf4.exe

description	pid	process
Token: SeDebugPrivilege	1204	df19cccb4855faee7eb6a933b487cdf4.exe
Token: SeShutdownPrivilege	1204	df19cccb4855faee7eb6a933b487cdf4.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

df19cccb4855faee7eb6a933b487cdf4.exe

pid process

1204 df19cccb4855faee7eb6a933b487cdf4.exe
1204 df19cccb4855faee7eb6a933b487cdf4.exe

C:\Users\Admin\AppData\Local\Temp\df19cccb4855faee7eb6a933b487cdf4.exe
"C:\Users\Admin\AppData\Local\Temp\df19cccb4855faee7eb6a933b487cdf4.exe"
1⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1204

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1204-2-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/1204-3-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1204-4-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/1204-5-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1204-7-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1204-9-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1204-11-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download