eb362970c0081effbcdab7ce1f6c91d6921ff7f6e3e8e411238404f8d0549483 | Triage

Analysis

max time kernel
9s
max time network
10s
platform
windows7_x64
resource
win7v20201028
submitted
26-01-2021 14:19

Sharing

Report Analysis Logs

General

Target

luckyfr.exe
Size

214KB
MD5

13bb24e681ae113fdb4e3747badd113c
SHA1

204e1eb03aaab856e14a8236a0c2a832ddaaf6b1
SHA256

eb362970c0081effbcdab7ce1f6c91d6921ff7f6e3e8e411238404f8d0549483
SHA512

cfd952e973235be7fc2dd0faee818c46d08244073f7b18bba830a9584d29bd2832201942600df7311647cd011786922d30211f9b3f72431170442230bf1265f1

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

luckyfr.exe

pid process

644 luckyfr.exe
644 luckyfr.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

luckyfr.exe

description pid process

Token: SeDebugPrivilege 644 luckyfr.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

luckyfr.exe

description	pid	process	target process
PID 644 wrote to memory of 1340	644	luckyfr.exe	dw20.exe
PID 644 wrote to memory of 1340	644	luckyfr.exe	dw20.exe
PID 644 wrote to memory of 1340	644	luckyfr.exe	dw20.exe
PID 644 wrote to memory of 1340	644	luckyfr.exe	dw20.exe

C:\Users\Admin\AppData\Local\Temp\luckyfr.exe
"C:\Users\Admin\AppData\Local\Temp\luckyfr.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:644

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 516
2⤵
PID:1340

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/644-2-0x00000000765E1000-0x00000000765E3000-memory.dmp

Filesize
8KB

Download
memory/644-3-0x0000000000C30000-0x0000000000C31000-memory.dmp

Filesize
4KB

Download
memory/1340-4-0x0000000000000000-mapping.dmp

Download
memory/1340-5-0x0000000001F10000-0x0000000001F21000-memory.dmp

Filesize
68KB

Download
memory/1340-7-0x0000000000460000-0x0000000000461000-memory.dmp

Filesize
4KB

Download