Analysis
- max time kernel: 126s
- max time network: 13s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 13-01-2021 20:11
Static task: static1
Behavioral task: behavioral1
- Sample: Scan34295420.scr
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: Scan34295420.scr
- Resource: win10v20201028
General
- Target: Scan34295420.scr
- Size: 875KB
- MD5: 389ca41e54649946a7b8b1c15d0da2df
- SHA1: 3ce9137efc80c5e169cb9b0a200339fae09c1202
- SHA256: 75674ba2558d6fcf6d3992f09bd87aab282ea0b2d9bd01d6e0149a869506e3ce
- SHA512: 6fc158d738aa3112ad81b84e8c2b68f73828c40dec9654abd8d6ee2147b50f47b7e7df87cb277b5bd9cd4e95f73905438f12346407aac0ca545c6a0591210c95
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
  Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\windows.exe," | reg.exe
- Executes dropped EXE (6 IoCs)
  Processes (pid process):
  784 windows.exe
  768 windows.exe
  1952 windows.exe
  2028 windows.exe
  644 windows.exe
  1492 windows.exe
- Loads dropped DLL (1 IoC)
  Processes (pid process):
  1380 windows.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes (pid process):
  1852 Scan34295420.scr
  1380 windows.exe (3 entries)
  784 windows.exe
  768 windows.exe (3 entries)
  1952 windows.exe
  2028 windows.exe (3 entries)
  644 windows.exe
  1492 windows.exe
- Suspicious behavior: RenamesItself (1 IoC)
  Processes (pid process):
  1852 Scan34295420.scr
- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  Processes (description | pid process):
  Token: SeDebugPrivilege | 1852 Scan34295420.scr
  Token: SeDebugPrivilege | 1380 windows.exe
  Token: SeDebugPrivilege | 784 windows.exe
  Token: SeDebugPrivilege | 768 windows.exe
  Token: SeDebugPrivilege | 1952 windows.exe
  Token: SeDebugPrivilege | 2028 windows.exe
  Token: SeDebugPrivilege | 644 windows.exe
  Token: SeDebugPrivilege | 1492 windows.exe
- Suspicious use of WriteProcessMemory (36 IoCs)
  Processes (description | pid process | target process); each pairing is recorded 4 times in the report:
  PID 1852 wrote to memory of 1384 | 1852 Scan34295420.scr | cmd.exe
  PID 1384 wrote to memory of 1984 | 1384 cmd.exe | reg.exe
  PID 1852 wrote to memory of 1380 | 1852 Scan34295420.scr | windows.exe
  PID 1380 wrote to memory of 784 | 1380 windows.exe | windows.exe
  PID 784 wrote to memory of 768 | 784 windows.exe | windows.exe
  PID 768 wrote to memory of 1952 | 768 windows.exe | windows.exe
  PID 1952 wrote to memory of 2028 | 1952 windows.exe | windows.exe
  PID 2028 wrote to memory of 644 | 2028 windows.exe | windows.exe
  PID 644 wrote to memory of 1492 | 644 windows.exe | windows.exe
Processes
- (depth 1) C:\Users\Admin\AppData\Local\Temp\Scan34295420.scr
  command line: "C:\Users\Admin\AppData\Local\Temp\Scan34295420.scr" /S
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - (depth 2) C:\Windows\SysWOW64\cmd.exe
    command line: "cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\windows.exe,"
    - Suspicious use of WriteProcessMemory
    - (depth 3) C:\Windows\SysWOW64\reg.exe
      command line: REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\windows.exe,"
      - Modifies WinLogon for persistence
  - (depth 2) C:\Users\Admin\AppData\Local\Temp\windows.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\windows.exe"
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - (depth 3) C:\Users\Admin\AppData\Roaming\windows.exe
      command line: "C:\Users\Admin\AppData\Roaming\windows.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - (depth 4) C:\Users\Admin\AppData\Local\Temp\windows.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\windows.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - (depth 5) C:\Users\Admin\AppData\Roaming\windows.exe
          command line: "C:\Users\Admin\AppData\Roaming\windows.exe"
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          - (depth 6) C:\Users\Admin\AppData\Local\Temp\windows.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\windows.exe"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            - (depth 7) C:\Users\Admin\AppData\Roaming\windows.exe
              command line: "C:\Users\Admin\AppData\Roaming\windows.exe"
              - Executes dropped EXE
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              - (depth 8) C:\Users\Admin\AppData\Local\Temp\windows.exe
                command line: "C:\Users\Admin\AppData\Local\Temp\windows.exe"
                - Executes dropped EXE
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\windows.exe (3 entries in the report, all with identical hashes)
  MD5: 389ca41e54649946a7b8b1c15d0da2df
  SHA1: 3ce9137efc80c5e169cb9b0a200339fae09c1202
  SHA256: 75674ba2558d6fcf6d3992f09bd87aab282ea0b2d9bd01d6e0149a869506e3ce
  SHA512: 6fc158d738aa3112ad81b84e8c2b68f73828c40dec9654abd8d6ee2147b50f47b7e7df87cb277b5bd9cd4e95f73905438f12346407aac0ca545c6a0591210c95
- C:\Users\Admin\AppData\Roaming\windows.exe (6 entries in the report, all with identical hashes)
  MD5: 389ca41e54649946a7b8b1c15d0da2df
  SHA1: 3ce9137efc80c5e169cb9b0a200339fae09c1202
  SHA256: 75674ba2558d6fcf6d3992f09bd87aab282ea0b2d9bd01d6e0149a869506e3ce
  SHA512: 6fc158d738aa3112ad81b84e8c2b68f73828c40dec9654abd8d6ee2147b50f47b7e7df87cb277b5bd9cd4e95f73905438f12346407aac0ca545c6a0591210c95
- \Users\Admin\AppData\Roaming\windows.exe
  MD5: 389ca41e54649946a7b8b1c15d0da2df
  SHA1: 3ce9137efc80c5e169cb9b0a200339fae09c1202
  SHA256: 75674ba2558d6fcf6d3992f09bd87aab282ea0b2d9bd01d6e0149a869506e3ce
  SHA512: 6fc158d738aa3112ad81b84e8c2b68f73828c40dec9654abd8d6ee2147b50f47b7e7df87cb277b5bd9cd4e95f73905438f12346407aac0ca545c6a0591210c95
- memory/644-46-0x0000000000000000-mapping.dmp
- memory/644-49-0x0000000074840000-0x0000000074F2E000-memory.dmp (Filesize: 6.9MB)
- memory/644-50-0x0000000000270000-0x0000000000271000-memory.dmp (Filesize: 4KB)
- memory/768-26-0x0000000074840000-0x0000000074F2E000-memory.dmp (Filesize: 6.9MB)
- memory/768-24-0x0000000000000000-mapping.dmp
- memory/784-20-0x0000000000BD0000-0x0000000000BD1000-memory.dmp (Filesize: 4KB)
- memory/784-19-0x0000000074840000-0x0000000074F2E000-memory.dmp (Filesize: 6.9MB)
- memory/784-16-0x0000000000000000-mapping.dmp
- memory/1380-10-0x0000000074840000-0x0000000074F2E000-memory.dmp (Filesize: 6.9MB)
- memory/1380-9-0x0000000000000000-mapping.dmp
- memory/1384-7-0x0000000000000000-mapping.dmp
- memory/1492-56-0x0000000074840000-0x0000000074F2E000-memory.dmp (Filesize: 6.9MB)
- memory/1492-54-0x0000000000000000-mapping.dmp
- memory/1852-2-0x0000000074840000-0x0000000074F2E000-memory.dmp (Filesize: 6.9MB)
- memory/1852-3-0x0000000000330000-0x0000000000331000-memory.dmp (Filesize: 4KB)
- memory/1852-6-0x0000000000310000-0x0000000000311000-memory.dmp (Filesize: 4KB)
- memory/1852-5-0x00000000002F0000-0x000000000030E000-memory.dmp (Filesize: 120KB)
- memory/1952-31-0x0000000000000000-mapping.dmp
- memory/1952-34-0x0000000074840000-0x0000000074F2E000-memory.dmp (Filesize: 6.9MB)
- memory/1952-35-0x0000000000B50000-0x0000000000B51000-memory.dmp (Filesize: 4KB)
- memory/1984-8-0x0000000000000000-mapping.dmp
- memory/2028-41-0x0000000074840000-0x0000000074F2E000-memory.dmp (Filesize: 6.9MB)
- memory/2028-39-0x0000000000000000-mapping.dmp