Analysis

  • max time kernel
    55s
  • max time network
    13s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    19-01-2021 07:33

General

  • Target

    (G0170-PF3F-20-0260)2T.exe

  • Size

    913KB

  • MD5

    a0a82102cb43369d8f015e6b0ccbc92f

  • SHA1

    f455daf508f31a8c5346a38ac50254aabd8d0e66

  • SHA256

    4152dfeafe557dc1f2f56dbf30de70914fbfc379c144678588b3629bccf7e905

  • SHA512

    9911d136c9059944e43030a2133f6124f7621882c419da9cb2538a4e57bcf388161e71514dc58805c6e80ef23cfb7cbd5f857204d5f8fa870a65cacb33e05a16

Score
1/10

Malware Config

Signatures

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution. Here the sample creates a task named Updates\yFiOVBdRo from an XML definition it wrote during the run to its own Temp directory (C:\Users\Admin\AppData\Local\Temp\tmpDB32.tmp, hashed under Downloads below). The task's trigger and action live in that XML rather than on the command line, so the dropped file is the artifact to pull. The process image is C:\Windows\SysWOW64\schtasks.exe although the command line names System32: the 32-bit parent is subject to WoW64 file-system redirection on this x64 guest.

  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\(G0170-PF3F-20-0260)2T.exe
    "C:\Users\Admin\AppData\Local\Temp\(G0170-PF3F-20-0260)2T.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2028
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yFiOVBdRo" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDB32.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1904
    • C:\Users\Admin\AppData\Local\Temp\(G0170-PF3F-20-0260)2T.exe
      "C:\Users\Admin\AppData\Local\Temp\(G0170-PF3F-20-0260)2T.exe"
      2⤵
      PID:1020
    • C:\Users\Admin\AppData\Local\Temp\(G0170-PF3F-20-0260)2T.exe
      "C:\Users\Admin\AppData\Local\Temp\(G0170-PF3F-20-0260)2T.exe"
      2⤵
      PID:428
    • C:\Users\Admin\AppData\Local\Temp\(G0170-PF3F-20-0260)2T.exe
      "C:\Users\Admin\AppData\Local\Temp\(G0170-PF3F-20-0260)2T.exe"
      2⤵
      PID:336
    • C:\Users\Admin\AppData\Local\Temp\(G0170-PF3F-20-0260)2T.exe
      "C:\Users\Admin\AppData\Local\Temp\(G0170-PF3F-20-0260)2T.exe"
      2⤵
      PID:112
    • C:\Users\Admin\AppData\Local\Temp\(G0170-PF3F-20-0260)2T.exe
      "C:\Users\Admin\AppData\Local\Temp\(G0170-PF3F-20-0260)2T.exe"
      2⤵
      PID:576
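Two checks a detection engineer would want over this process tree, as an added example that is not part of the sandbox report or its tooling: first, schtasks.exe /Create whose /XML definition is read from a user or system Temp directory (the Updates\yFiOVBdRo task above, built from tmpDB32.tmp); second, a parent that launches several copies of its own image, which is what PID 2028 does with its five 2⤵ children and is the only process here with WriteProcessMemory hits. The event list is constructed to mirror the report's tree; the root's parent PID (1500), the benign control event for a ProgramData-backed task, and the field names pid/ppid/image/cmdline are assumptions for this example, not values from the report.

```python
import re
from collections import defaultdict

# Constructed process-creation events modelled on the report's Processes section.
# ppid 1500 for the root and the final "Backup\Nightly" control event are assumed.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\(G0170-PF3F-20-0260)2T.exe"
EVENTS = [
    {"pid": 2028, "ppid": 1500, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 1904, "ppid": 2028,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yFiOVBdRo" '
                r'/XML "C:\Users\Admin\AppData\Local\Temp\tmpDB32.tmp"'},
] + [
    {"pid": pid, "ppid": 2028, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'}
    for pid in (1020, 428, 336, 112, 576)
] + [
    # Benign control: task definition kept under ProgramData, not Temp.
    {"pid": 3000, "ppid": 2900,
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Backup\Nightly" '
                r'/XML "C:\ProgramData\Backup\nightly.xml"'},
]

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')
# Matches \AppData\Local\Temp\ and \Windows\Temp\ anywhere in a path, case-insensitive.
_TEMP_DIR = re.compile(r"\\(appdata\\local\\temp|windows\\temp)\\", re.I)


def split_cmdline(cmdline):
    """Split a Windows command line on whitespace while honouring double quotes."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def parse_switches(tokens):
    """Map schtasks-style /Switch [value] pairs to {switch_lower: value_or_True}."""
    opts, i = {}, 1  # tokens[0] is the program path
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            key = tok[1:].lower()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                opts[key] = tokens[i + 1]
                i += 2
                continue
            opts[key] = True
        i += 1
    return opts


def suspicious_schtasks(ev):
    """Return a hit dict when schtasks /Create reads its task XML from a Temp directory."""
    if not ev["image"].lower().endswith("\\schtasks.exe"):
        return None
    opts = parse_switches(split_cmdline(ev["cmdline"]))
    xml = opts.get("xml")
    if "create" in opts and isinstance(xml, str) and _TEMP_DIR.search(xml):
        return {"pid": ev["pid"], "ppid": ev["ppid"], "task": opts.get("tn"), "xml": xml}
    return None


def self_spawn_parents(events, threshold=3):
    """Return {parent_pid: count} for parents that started >= threshold copies of their own image."""
    by_pid = {e["pid"]: e for e in events}
    counts = defaultdict(int)
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent and parent["image"].lower() == e["image"].lower():
            counts[parent["pid"]] += 1
    return {pid: n for pid, n in counts.items() if n >= threshold}


def run(events):
    """Apply both checks and return the findings."""
    return {
        "schtasks": [hit for hit in map(suspicious_schtasks, events) if hit],
        "self_spawn": self_spawn_parents(events),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(run(EVENTS), indent=2))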

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpDB32.tmp
    MD5

    12ca409147558368521ac8ad68b97292

    SHA1

    f6f66f2b84e60cd3ee4266f15482920efffa4b25

    SHA256

    c7e3999e4a088b80ee09242f0c82173788d4741645f822f3f33f8eef88bb6596

    SHA512

    313935e7b41d850cf5bdef8dc900c34aec7a094723b8c083fbd9faefc23cbf5382f2dcbe22a77e81d2b1f82c105d412dd4f67e6a946d1e50a3c1f9088b414328

  • memory/1904-8-0x0000000000000000-mapping.dmp
  • memory/2028-2-0x0000000074EE0000-0x00000000755CE000-memory.dmp
    Filesize

    6.9MB

  • memory/2028-3-0x00000000003B0000-0x00000000003B1000-memory.dmp
    Filesize

    4KB

  • memory/2028-5-0x0000000000520000-0x0000000000543000-memory.dmp
    Filesize

    140KB

  • memory/2028-6-0x0000000004750000-0x0000000004751000-memory.dmp
    Filesize

    4KB

  • memory/2028-7-0x0000000004EC0000-0x0000000004F26000-memory.dmp
    Filesize

    408KB