Analysis
max time kernel: 64s
max time network: 11s
platform: windows7_x64
resource: win7v20201028
submitted: 18-01-2021 09:03

Tasks
Static task: static1
Behavioral task: behavioral1
  Sample: new po.exe
  Resource: win7v20201028
  Platform: windows7_x64
  0 signatures
  0 seconds
General
Target: new po.exe
Size: 3.7MB
MD5: db7c5591589c1bc7be457ad87d8fff0e
SHA1: 065fbdf5b64cc5c9cf4f983f229a89d7252f62a6
SHA256: 3da8fa82f62835bcf35377d5376e002aeccff9228bd65650bbb95a6a222808af
SHA512: 17d5604178dc9789e107a17d07cc43132676d51ff29205f802f59a2b2c0d09dc72b87099be6d2ec1975999ee5ff88ffda9d168d44ad429745999a42e3758d2dc
Malware Config
Signatures
-
Checks whether UAC is enabled
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | new po.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | new po.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 292 set thread context of 1740 | 292 | new po.exe | new po.exe
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
description | pid | process | target process
PID 292 wrote to memory of 1740 | 292 | new po.exe | new po.exe (this row is repeated 15 times in the report, one per WriteProcessMemory call)
-
System policy modification 1 TTPs 3 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | new po.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | new po.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | new po.exe
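The two behaviours the signatures above record are worth checking together: the child process (PID 1740) writes 0 into EnableLUA, PromptOnSecureDesktop and ConsentPromptBehaviorAdmin, which respectively turn UAC off at the next reboot, move elevation prompts off the secure desktop, and let administrators elevate with no prompt at all; and the parent (PID 292) writes into a child running the same image and then calls SetThreadContext on it, the sequence used for process hollowing. The helper below is an added example, not part of the sandbox report or its tooling. It parses the description column of the signature tables (reconstructed here as constructed sample strings), flags UAC policy writes weaker than the defaults, groups the injection calls by parent/child pair, and reports same-image pairs that combine both WriteProcessMemory and SetThreadContext. The severity scale and the control events are this example's own assumptions.

```python
"""Triage helper for the behavioural signatures above: flags UAC policy
writes that weaken the default configuration and parent->child injection
sequences with the shape of process hollowing.  Added example, not part of
the sandbox report; the event strings are reconstructed from the report's
signature tables and the severity scale is this helper's own convention."""
import re
from collections import defaultdict

UAC_POLICY_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Values that make UAC weaker than its shipped defaults.  EnableLUA=0 turns UAC
# off (after reboot); ConsentPromptBehaviorAdmin=0 elevates administrators with
# no prompt; PromptOnSecureDesktop=0 moves prompts off the secure desktop.
UAC_WEAK_VALUES = {
    "EnableLUA": {0},
    "ConsentPromptBehaviorAdmin": {0},
    "PromptOnSecureDesktop": {0},
}

SET_VALUE_RE = re.compile(
    r'Set value \(int\) (?P<key>\\REGISTRY\\\S+?)\\(?P<name>\w+) = "(?P<val>-?\d+)"'
)
INJECT_RE = re.compile(
    r"PID (?P<src>\d+) (?P<action>set thread context of|wrote to memory of) (?P<dst>\d+)"
)

# Constructed sample: the description column of the report's signature tables.
SAMPLE_EVENTS = [
    r"Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"',
    "PID 292 set thread context of 1740",
] + ["PID 292 wrote to memory of 1740"] * 15
SAMPLE_IMAGES = {292: "new po.exe", 1740: "new po.exe"}

# Constructed control (hypothetical): a default-strength policy write and one
# cross-image write with no thread-context change; neither should be flagged.
CONTROL_EVENTS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "5"',
    "PID 292 wrote to memory of 1800",
]
CONTROL_IMAGES = {292: "new po.exe", 1800: "explorer.exe"}


def uac_tampering(events):
    """Return {value_name: value} for writes under the UAC policy key that
    set a value weaker than the default."""
    weakened = {}
    for line in events:
        m = SET_VALUE_RE.search(line)
        if not m or m["key"].lower() != UAC_POLICY_KEY.lower():
            continue
        name, val = m["name"], int(m["val"])
        if val in UAC_WEAK_VALUES.get(name, set()):
            weakened[name] = val
    return weakened


def injection_summary(events):
    """Count SetThreadContext / WriteProcessMemory events per (source, target) pid pair."""
    pairs = defaultdict(lambda: {"set_thread_context": 0, "write_process_memory": 0})
    for line in events:
        m = INJECT_RE.search(line)
        if not m:
            continue
        key = "set_thread_context" if m["action"].startswith("set thread") else "write_process_memory"
        pairs[(int(m["src"]), int(m["dst"]))][key] += 1
    return dict(pairs)


def hollowing_candidates(events, images):
    """Pairs where a parent writes into a child running the same image and
    then redirects a thread's context: the classic process-hollowing shape."""
    found = []
    for (src, dst), counts in injection_summary(events).items():
        same_image = images.get(src) is not None and images.get(src) == images.get(dst)
        if same_image and counts["set_thread_context"] and counts["write_process_memory"]:
            found.append((src, dst))
    return found


def triage(events, images):
    """Combine both checks into a verdict.  Severity scale is this helper's own."""
    uac = uac_tampering(events)
    hollow = hollowing_candidates(events, images)
    if uac and hollow:
        severity = "high"
    elif uac or hollow:
        severity = "medium"
    else:
        severity = "low"
    return {
        "uac_disabled": uac.get("EnableLUA") == 0,
        "uac_weakened": sorted(uac),
        "hollowing": hollow,
        "severity": severity,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS, SAMPLE_IMAGES))
    print(triage(CONTROL_EVENTS, CONTROL_IMAGES))
```

Run against the sample events the verdict is "high" with all three UAC values flagged and (292, 1740) reported as a hollowing pair; the control set yields "low". The same-image test matters: a WriteProcessMemory into a different image without SetThreadContext is still injection worth reviewing, but it is not the self-hollowing pattern the report shows.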
Processes
1. C:\Users\Admin\AppData\Local\Temp\new po.exe (PID 292)
   command line: "C:\Users\Admin\AppData\Local\Temp\new po.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\new po.exe (PID 1740, child of PID 292)
      command line: "{path}"
      - Checks whether UAC is enabled
      - System policy modification
Network
MITRE ATT&CK Enterprise v6
Downloads
memory/292-2-0x00000000748A0000-0x0000000074F8E000-memory.dmp (6.9MB)
memory/292-3-0x0000000001000000-0x0000000001001000-memory.dmp (4KB)
memory/292-5-0x0000000005130000-0x0000000005131000-memory.dmp (4KB)
memory/292-6-0x00000000004F0000-0x00000000004FE000-memory.dmp (56KB)
memory/292-7-0x0000000009C00000-0x0000000009F99000-memory.dmp (3.6MB)
memory/1740-8-0x0000000000400000-0x00000000007B5000-memory.dmp (3.7MB)
memory/1740-9-0x0000000000688844-mapping.dmp
memory/1740-10-0x0000000076861000-0x0000000076863000-memory.dmp (8KB)
memory/1740-11-0x0000000000400000-0x00000000007B5000-memory.dmp (3.7MB)
memory/1740-12-0x0000000000080000-0x0000000000081000-memory.dmp (4KB)