Overview

overview

8

Static

static

galadriel

windows7_x64

8

Resubmissions

11-01-2021 13:09

210111-dlhjyngw66 8

11-01-2021 07:36

210111-xfhgmxjy6n 10

Analysis

  • max time kernel
    241s
  • max time network
    240s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    11-01-2021 13:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4ced2056e4efe1c93b9f4adaaeaba20c.exe

  • Size

    607KB

  • MD5

    4ced2056e4efe1c93b9f4adaaeaba20c

  • SHA1

    b975777c42d7d8fb04c34a2efc64dc5e4c574712

  • SHA256

    f6a307d243c407c27489de37adac83e9205be531cbb4e2cb71545627faf813fd

  • SHA512

    014df0ad54bf23335f964fa4e313a91b60b3ea2c62b73a306e973177830b573666aaebc1932cafa766042f34b8e32adcfabe3027aae2cc09341fd138a8963eaf

Score
8/10
evasion

Malware Config

Signatures

  • Disables Task Manager via registry modification
    evasion
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Creates scheduled task(s) 1 TTPs 7 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4ced2056e4efe1c93b9f4adaaeaba20c.exe
    "C:\Users\Admin\AppData\Local\Temp\4ced2056e4efe1c93b9f4adaaeaba20c.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1660
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\WinRAR\wSmIzsMZSTGIPjXygtTeiEZYkIjJjD.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1248
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Roaming\WinRAR\wAcLjfo4uMcnTa1rAjnz0eLcoo04D9.bat" "
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1988
        • C:\Users\Admin\AppData\Roaming\WinRAR\HoykwG9pmLZ7sZbSP8eb.exe
          HoykwG9pmLZ7sZbSP8eb.exe -p2e840a597483ac4423c7c5ec1a09b39042cbf75d
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:1768
          • C:\Windows\SysWOW64\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\WinRAR\tPKG2uMJtmCS4Bv6TMepBvdoqxAPGa.vbe"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1524
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c ""C:\Users\Admin\AppData\Roaming\WinRAR\mQE440b4P9lIBPO3Qboqf8inqaQoJr.bat" "
              6⤵
              • Loads dropped DLL
              • Suspicious use of WriteProcessMemory
              PID:692
              • C:\Users\Admin\AppData\Roaming\WinRAR\winrar-x84.exe
                "C:\Users\Admin\AppData\Roaming\WinRAR\winrar-x84.exe"
                7⤵
                • Executes dropped EXE
                • Drops file in Program Files directory
                • Drops file in Windows directory
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:952
                • C:\Windows\system32\schtasks.exe
                  "schtasks" /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\a7611f42-198c-11eb-8a49-ee401b9e63cb\explorer.exe'" /rl HIGHEST /f
                  8⤵
                  • Creates scheduled task(s)
                  PID:308
                • C:\Windows\system32\schtasks.exe
                  "schtasks" /create /tn "smss" /sc ONLOGON /tr "'C:\PerfLogs\Admin\smss.exe'" /rl HIGHEST /f
                  8⤵
                  • Creates scheduled task(s)
                  PID:1616
                • C:\Windows\system32\schtasks.exe
                  "schtasks" /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\taskhost.exe'" /rl HIGHEST /f
                  8⤵
                  • Creates scheduled task(s)
                  PID:1228
                • C:\Windows\system32\schtasks.exe
                  "schtasks" /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Documents and Settings\spoolsv.exe'" /rl HIGHEST /f
                  8⤵
                  • Creates scheduled task(s)
                  PID:1140
                • C:\Windows\system32\schtasks.exe
                  "schtasks" /create /tn "winrar-x84" /sc ONLOGON /tr "'C:\ProgramData\Favorites\winrar-x84.exe'" /rl HIGHEST /f
                  8⤵
                  • Creates scheduled task(s)
                  PID:1996
                • C:\Windows\system32\schtasks.exe
                  "schtasks" /create /tn "winrar-x84" /sc ONLOGON /tr "'C:\Recovery\a7611f42-198c-11eb-8a49-ee401b9e63cb\winrar-x84.exe'" /rl HIGHEST /f
                  8⤵
                  • Creates scheduled task(s)
                  PID:1236
                • C:\Windows\system32\schtasks.exe
                  "schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\WmiPrvSE.exe'" /rl HIGHEST /f
                  8⤵
                  • Creates scheduled task(s)
                  PID:1712
                • C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\WmiPrvSE.exe
                  "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\WmiPrvSE.exe"
                  8⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1224
              • C:\Windows\SysWOW64\reg.exe
                reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
                7⤵
                • Modifies registry key
                PID:1524

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/952-20-0x000007FEF4D10000-0x000007FEF56FC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/952-21-0x00000000000A0000-0x00000000000A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1224-34-0x0000000000D40000-0x0000000000D41000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1224-33-0x000007FEF4D10000-0x000007FEF56FC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1248-6-0x0000000002790000-0x0000000002794000-memory.dmp

    Filesize

    16KB

    Download

  • memory/1524-15-0x0000000002630000-0x0000000002634000-memory.dmp

    Filesize

    16KB

    Download