Analysis
-
max time kernel
71s -
max time network
14s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
13-01-2021 06:01
General
-
Target
Shipping Document PL& BL 960.exe
-
Size
1001KB
-
MD5
eb305d3d7f3a4b7fe158d41522458d27
-
SHA1
20916b0fbaee03bdb6da50b8d1c75a1b77eeaa0c
-
SHA256
3dde92f19924860f0874ee0fe3fab80a1112c20e18d9782528bd7c471f0f2344
-
SHA512
e81c7710556d79a5d60aeb7488408087cb8450599f483c1d4875da7487bebc88225515763f77e74eabda98c6e1fe364e54a9cdece966616a2d1a9dabc1255614
Score
1/10
Malware Config
Signatures
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 24 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Shipping Document PL& BL 960.exe"C:\Users\Admin\AppData\Local\Temp\Shipping Document PL& BL 960.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zkjAtOCJCxw" /XML "C:\Users\Admin\AppData\Local\Temp\tmp584D.tmp"2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\Shipping Document PL& BL 960.exe"C:\Users\Admin\AppData\Local\Temp\Shipping Document PL& BL 960.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\Shipping Document PL& BL 960.exe"C:\Users\Admin\AppData\Local\Temp\Shipping Document PL& BL 960.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\Shipping Document PL& BL 960.exe"C:\Users\Admin\AppData\Local\Temp\Shipping Document PL& BL 960.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\Shipping Document PL& BL 960.exe"C:\Users\Admin\AppData\Local\Temp\Shipping Document PL& BL 960.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\Shipping Document PL& BL 960.exe"C:\Users\Admin\AppData\Local\Temp\Shipping Document PL& BL 960.exe"2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp584D.tmpMD5
67e606b442e33c2fe8cde759ee741e76
SHA1bcefc28a33b6d6b9863821188c84c8d85b254359
SHA2567fc1aeda1a0d90b110a83e64b5c6de394218d6e547a2de91b0b98edab3afbc86
SHA51204286de88b91d2a4825c9d9b2f21e6a328d26c0cb9505ccd3ca09e4a903606b840f34995d1e2b0e8787d0bed4b75f63c00cdbd9f802eeeb7b603556f60f01d46
-
memory/740-2-0x0000000074CC0000-0x00000000753AE000-memory.dmpFilesize
6.9MB
-
memory/740-3-0x00000000001E0000-0x00000000001E1000-memory.dmpFilesize
4KB
-
memory/740-5-0x00000000006A0000-0x00000000006B2000-memory.dmpFilesize
72KB
-
memory/740-6-0x0000000004EE0000-0x0000000004F3D000-memory.dmpFilesize
372KB
-
memory/1564-7-0x0000000000000000-mapping.dmp