Analysis
max time kernel: 29s
max time network: 116s
platform: windows10_x64
resource: win10v20201028
submitted: 04-03-2021 18:19
Static task: static1
Behavioral task: behavioral1
  Sample: 01a083f4_extracted.exe
  Resource: win7v20201028 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: 01a083f4_extracted.exe
  Resource: win10v20201028 (windows10_x64)
  0 signatures, 0 seconds
General
Target: 01a083f4_extracted.exe
Size: 146KB
MD5: c5c6f5d743b1d2391b150c9740db22ba
SHA1: f033a2fab1ad3a6e8d4ab08730654fc6f3482a4e
SHA256: b2ffebf2df5b70d6866b2bb65a56ecafa59371fc78f3690790bb273c715df683
SHA512: 6bf5d23f2f82b02dd194716d747b99858823915fccb09b39a842f5a221b2d933e8c53d0158fe4806bde644f96aa9d28699ec4ab702d71e55d93feb0f384f843e
Score: 1/10
Malware Config
Signatures
Kills process with taskkill (1 IoC)
  Processes:
  pid 2940  taskkill.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description / pid / process):
  Token: SeDebugPrivilege  pid 652   01a083f4_extracted.exe
  Token: SeDebugPrivilege  pid 2940  taskkill.exe
Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description / pid / process / target process):
  PID 652 wrote to memory of 208   pid 652  01a083f4_extracted.exe  cmd.exe
  PID 652 wrote to memory of 208   pid 652  01a083f4_extracted.exe  cmd.exe
  PID 652 wrote to memory of 208   pid 652  01a083f4_extracted.exe  cmd.exe
  PID 208 wrote to memory of 2940  pid 208  cmd.exe                 taskkill.exe
  PID 208 wrote to memory of 2940  pid 208  cmd.exe                 taskkill.exe
  PID 208 wrote to memory of 2940  pid 208  cmd.exe                 taskkill.exe
  PID 208 wrote to memory of 2640  pid 208  cmd.exe                 choice.exe
  PID 208 wrote to memory of 2640  pid 208  cmd.exe                 choice.exe
  PID 208 wrote to memory of 2640  pid 208  cmd.exe                 choice.exe
Processes
1  C:\Users\Admin\AppData\Local\Temp\01a083f4_extracted.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\01a083f4_extracted.exe"
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2  C:\Windows\SysWOW64\cmd.exe
      Command line: "cmd.exe" /C taskkill /F /PID 652 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\01a083f4_extracted.exe"
      - Suspicious use of WriteProcessMemory
      3  C:\Windows\SysWOW64\taskkill.exe
         Command line: taskkill /F /PID 652
         - Kills process with taskkill
         - Suspicious use of AdjustPrivilegeToken
      3  C:\Windows\SysWOW64\choice.exe
         Command line: choice /C Y /N /D Y /T 3
Network
MITRE ATT&CK Matrix
Downloads
memory/208-12-0x0000000000000000-mapping.dmp
memory/652-2-0x0000000073DC0000-0x00000000744AE000-memory.dmp  Filesize: 6.9MB
memory/652-3-0x0000000000530000-0x0000000000531000-memory.dmp  Filesize: 4KB
memory/652-5-0x0000000004DD0000-0x0000000004DD1000-memory.dmp  Filesize: 4KB
memory/652-6-0x0000000004EE0000-0x0000000004EE1000-memory.dmp  Filesize: 4KB
memory/652-7-0x0000000005800000-0x0000000005801000-memory.dmp  Filesize: 4KB
memory/652-8-0x0000000004EC0000-0x0000000004EC1000-memory.dmp  Filesize: 4KB
memory/652-9-0x0000000005230000-0x0000000005231000-memory.dmp  Filesize: 4KB
memory/652-10-0x0000000005270000-0x0000000005271000-memory.dmp  Filesize: 4KB
memory/652-11-0x0000000005430000-0x0000000005431000-memory.dmp  Filesize: 4KB
memory/2640-14-0x0000000000000000-mapping.dmp
memory/2940-13-0x0000000000000000-mapping.dmp