Analysis
max time kernel: 55s
max time network: 13s
platform: windows7_x64
resource: win7v20201028
submitted: 19-01-2021 07:33
Static task: static1
Behavioral task: behavioral1
Sample: (G0170-PF3F-20-0260)2T.exe
Resource: win7v20201028
General
Target: (G0170-PF3F-20-0260)2T.exe
Size: 913KB
MD5: a0a82102cb43369d8f015e6b0ccbc92f
SHA1: f455daf508f31a8c5346a38ac50254aabd8d0e66
SHA256: 4152dfeafe557dc1f2f56dbf30de70914fbfc379c144678588b3629bccf7e905
SHA512: 9911d136c9059944e43030a2133f6124f7621882c419da9cb2538a4e57bcf388161e71514dc58805c6e80ef23cfb7cbd5f857204d5f8fa870a65cacb33e05a16
Malware Config
Signatures
-
Creates scheduled task(s)   1 TTPs   1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses   10 IoCs
Processes:
  pid   process                      events
  2028  (G0170-PF3F-20-0260)2T.exe   10
-
Suspicious use of AdjustPrivilegeToken   1 IoCs
Processes:
  description              pid   process
  Token: SeDebugPrivilege  2028  (G0170-PF3F-20-0260)2T.exe
-
Suspicious use of WriteProcessMemory   24 IoCs
Processes:
  description              pid   process                      target pid  target process              events
  wrote to memory of 1904  2028  (G0170-PF3F-20-0260)2T.exe   1904        schtasks.exe                4
  wrote to memory of 1020  2028  (G0170-PF3F-20-0260)2T.exe   1020        (G0170-PF3F-20-0260)2T.exe  4
  wrote to memory of 428   2028  (G0170-PF3F-20-0260)2T.exe   428         (G0170-PF3F-20-0260)2T.exe  4
  wrote to memory of 336   2028  (G0170-PF3F-20-0260)2T.exe   336         (G0170-PF3F-20-0260)2T.exe  4
  wrote to memory of 112   2028  (G0170-PF3F-20-0260)2T.exe   112         (G0170-PF3F-20-0260)2T.exe  4
  wrote to memory of 576   2028  (G0170-PF3F-20-0260)2T.exe   576         (G0170-PF3F-20-0260)2T.exe  4
Processes
-
C:\Users\Admin\AppData\Local\Temp\(G0170-PF3F-20-0260)2T.exe   (depth 1, PID 2028)
  Command line: "C:\Users\Admin\AppData\Local\Temp\(G0170-PF3F-20-0260)2T.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\SysWOW64\schtasks.exe   (depth 2, PID 1904)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yFiOVBdRo" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDB32.tmp"
    - Creates scheduled task(s)
    Note: the command line names System32 but the image that ran is the SysWOW64 copy. That is WOW64 file-system redirection, which only applies to 32-bit callers, so the parent sample is a 32-bit executable. The task definition is read from a .tmp file in the user's Temp directory (listed under Downloads below), and the task name "Updates\yFiOVBdRo" is a random string under an innocuous-looking folder.
  -
  C:\Users\Admin\AppData\Local\Temp\(G0170-PF3F-20-0260)2T.exe   (depth 2, PID 1020)
    Command line: "C:\Users\Admin\AppData\Local\Temp\(G0170-PF3F-20-0260)2T.exe"
  -
  C:\Users\Admin\AppData\Local\Temp\(G0170-PF3F-20-0260)2T.exe   (depth 2, PID 428)
    Command line: "C:\Users\Admin\AppData\Local\Temp\(G0170-PF3F-20-0260)2T.exe"
  -
  C:\Users\Admin\AppData\Local\Temp\(G0170-PF3F-20-0260)2T.exe   (depth 2, PID 336)
    Command line: "C:\Users\Admin\AppData\Local\Temp\(G0170-PF3F-20-0260)2T.exe"
  -
  C:\Users\Admin\AppData\Local\Temp\(G0170-PF3F-20-0260)2T.exe   (depth 2, PID 112)
    Command line: "C:\Users\Admin\AppData\Local\Temp\(G0170-PF3F-20-0260)2T.exe"
  -
  C:\Users\Admin\AppData\Local\Temp\(G0170-PF3F-20-0260)2T.exe   (depth 2, PID 576)
    Command line: "C:\Users\Admin\AppData\Local\Temp\(G0170-PF3F-20-0260)2T.exe"
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmpDB32.tmp
  MD5: 12ca409147558368521ac8ad68b97292
  SHA1: f6f66f2b84e60cd3ee4266f15482920efffa4b25
  SHA256: c7e3999e4a088b80ee09242f0c82173788d4741645f822f3f33f8eef88bb6596
  SHA512: 313935e7b41d850cf5bdef8dc900c34aec7a094723b8c083fbd9faefc23cbf5382f2dcbe22a77e81d2b1f82c105d412dd4f67e6a946d1e50a3c1f9088b414328
-
memory/1904-8-0x0000000000000000-mapping.dmp
-
memory/2028-2-0x0000000074EE0000-0x00000000755CE000-memory.dmp
  Filesize: 6.9MB
-
memory/2028-3-0x00000000003B0000-0x00000000003B1000-memory.dmp
  Filesize: 4KB
-
memory/2028-5-0x0000000000520000-0x0000000000543000-memory.dmp
  Filesize: 140KB
-
memory/2028-6-0x0000000004750000-0x0000000004751000-memory.dmp
  Filesize: 4KB
-
memory/2028-7-0x0000000004EC0000-0x0000000004F26000-memory.dmp
  Filesize: 408KB