Analysis
-
max time kernel
126s -
max time network
129s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
13-01-2021 07:28
Static task
static1
Behavioral task
behavioral1
Sample
09000000000000h.exe
Resource
win7v20201028
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
09000000000000h.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
General
-
Target
09000000000000h.exe
-
Size
593KB
-
MD5
af891ae0d2ec4596cd000335cfb9bbcc
-
SHA1
bc5414af0bf6cabe07b0088a306a06f6f3dd5407
-
SHA256
5cc38d4a28e3609654ae3975d062a71272bdaaa655d998498f2169c7679bb19e
-
SHA512
7d8d2aad1499609e9ff3b0c503a24926cc8ce1f71b1e34b17b7d2e7f6940dbd49caa72ccbd2fa93baf078b2df9e7928d11e0375b751a4e98e544955cc9dd2335
Score
7/10
Malware Config
Signatures
-
Drops startup file 2 IoCs
Processes:
Powershell.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe Powershell.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe Powershell.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes:
Powershell.exe09000000000000h.exepid process 1188 Powershell.exe 2024 09000000000000h.exe 2024 09000000000000h.exe 2024 09000000000000h.exe 2024 09000000000000h.exe 2024 09000000000000h.exe 2024 09000000000000h.exe 2024 09000000000000h.exe 2024 09000000000000h.exe 2024 09000000000000h.exe 2024 09000000000000h.exe 1188 Powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
Powershell.exe09000000000000h.exedescription pid process Token: SeDebugPrivilege 1188 Powershell.exe Token: SeDebugPrivilege 2024 09000000000000h.exe -
Suspicious use of WriteProcessMemory 24 IoCs
Processes:
09000000000000h.exedescription pid process target process PID 2024 wrote to memory of 1188 2024 09000000000000h.exe Powershell.exe PID 2024 wrote to memory of 1188 2024 09000000000000h.exe Powershell.exe PID 2024 wrote to memory of 1188 2024 09000000000000h.exe Powershell.exe PID 2024 wrote to memory of 1188 2024 09000000000000h.exe Powershell.exe PID 2024 wrote to memory of 1732 2024 09000000000000h.exe 09000000000000h.exe PID 2024 wrote to memory of 1732 2024 09000000000000h.exe 09000000000000h.exe PID 2024 wrote to memory of 1732 2024 09000000000000h.exe 09000000000000h.exe PID 2024 wrote to memory of 1732 2024 09000000000000h.exe 09000000000000h.exe PID 2024 wrote to memory of 1796 2024 09000000000000h.exe 09000000000000h.exe PID 2024 wrote to memory of 1796 2024 09000000000000h.exe 09000000000000h.exe PID 2024 wrote to memory of 1796 2024 09000000000000h.exe 09000000000000h.exe PID 2024 wrote to memory of 1796 2024 09000000000000h.exe 09000000000000h.exe PID 2024 wrote to memory of 1740 2024 09000000000000h.exe 09000000000000h.exe PID 2024 wrote to memory of 1740 2024 09000000000000h.exe 09000000000000h.exe PID 2024 wrote to memory of 1740 2024 09000000000000h.exe 09000000000000h.exe PID 2024 wrote to memory of 1740 2024 09000000000000h.exe 09000000000000h.exe PID 2024 wrote to memory of 1756 2024 09000000000000h.exe 09000000000000h.exe PID 2024 wrote to memory of 1756 2024 09000000000000h.exe 09000000000000h.exe PID 2024 wrote to memory of 1756 2024 09000000000000h.exe 09000000000000h.exe PID 2024 wrote to memory of 1756 2024 09000000000000h.exe 09000000000000h.exe PID 2024 wrote to memory of 1764 2024 09000000000000h.exe 09000000000000h.exe PID 2024 wrote to memory of 1764 2024 09000000000000h.exe 09000000000000h.exe PID 2024 wrote to memory of 1764 2024 09000000000000h.exe 09000000000000h.exe PID 2024 wrote to memory of 1764 2024 09000000000000h.exe 09000000000000h.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\09000000000000h.exe"C:\Users\Admin\AppData\Local\Temp\09000000000000h.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe"Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\Admin\AppData\Local\Temp\09000000000000h.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe'2⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1188 -
C:\Users\Admin\AppData\Local\Temp\09000000000000h.exe"C:\Users\Admin\AppData\Local\Temp\09000000000000h.exe"2⤵PID:1732
-
C:\Users\Admin\AppData\Local\Temp\09000000000000h.exe"C:\Users\Admin\AppData\Local\Temp\09000000000000h.exe"2⤵PID:1796
-
C:\Users\Admin\AppData\Local\Temp\09000000000000h.exe"C:\Users\Admin\AppData\Local\Temp\09000000000000h.exe"2⤵PID:1756
-
C:\Users\Admin\AppData\Local\Temp\09000000000000h.exe"C:\Users\Admin\AppData\Local\Temp\09000000000000h.exe"2⤵PID:1764
-
C:\Users\Admin\AppData\Local\Temp\09000000000000h.exe"C:\Users\Admin\AppData\Local\Temp\09000000000000h.exe"2⤵PID:1740
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1188-9-0x0000000004750000-0x0000000004751000-memory.dmpFilesize
4KB
-
memory/1188-11-0x00000000025E0000-0x00000000025E1000-memory.dmpFilesize
4KB
-
memory/1188-28-0x0000000006200000-0x0000000006201000-memory.dmpFilesize
4KB
-
memory/1188-6-0x0000000000000000-mapping.dmp
-
memory/1188-7-0x0000000074230000-0x000000007491E000-memory.dmpFilesize
6.9MB
-
memory/1188-8-0x0000000000F30000-0x0000000000F31000-memory.dmpFilesize
4KB
-
memory/1188-21-0x0000000005770000-0x0000000005771000-memory.dmpFilesize
4KB
-
memory/1188-20-0x0000000005670000-0x0000000005671000-memory.dmpFilesize
4KB
-
memory/1188-15-0x0000000005620000-0x0000000005621000-memory.dmpFilesize
4KB
-
memory/1188-12-0x0000000005240000-0x0000000005241000-memory.dmpFilesize
4KB
-
memory/2024-10-0x0000000000480000-0x000000000048F000-memory.dmpFilesize
60KB
-
memory/2024-2-0x0000000074230000-0x000000007491E000-memory.dmpFilesize
6.9MB
-
memory/2024-3-0x0000000000390000-0x0000000000391000-memory.dmpFilesize
4KB
-
memory/2024-5-0x0000000004C40000-0x0000000004CD1000-memory.dmpFilesize
580KB