Analysis
-
max time kernel
25s -
max time network
23s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
04-03-2021 18:20
Static task
static1
Behavioral task
behavioral1
Sample
d408a6a1_extracted.exe
Resource
win7v20201028
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
d408a6a1_extracted.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
General
-
Target
d408a6a1_extracted.exe
-
Size
150KB
-
MD5
ab37b2049e98c636ac5beaddae4da748
-
SHA1
ef849289e463c0b9474646e5f3e5012f86efe57f
-
SHA256
3d649dfd896254e08e979f74e73dd4d9d46c14c49c10f7682d333a7f7edda072
-
SHA512
25a3e6f99bc8a6cc03b69847af30f846f8a12acfae6207e6405b68d2ea1e386f5400f38814ac8e0f239b7591a2f2196b1670fbcd9482e3ca8debc09942cd15ff
Score
1/10
Malware Config
Signatures
-
Kills process with taskkill 1 IoCs
Processes:
taskkill.exepid process 1088 taskkill.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
d408a6a1_extracted.exetaskkill.exedescription pid process Token: SeDebugPrivilege 1932 d408a6a1_extracted.exe Token: SeDebugPrivilege 1088 taskkill.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
d408a6a1_extracted.execmd.exedescription pid process target process PID 1932 wrote to memory of 460 1932 d408a6a1_extracted.exe cmd.exe PID 1932 wrote to memory of 460 1932 d408a6a1_extracted.exe cmd.exe PID 1932 wrote to memory of 460 1932 d408a6a1_extracted.exe cmd.exe PID 1932 wrote to memory of 460 1932 d408a6a1_extracted.exe cmd.exe PID 460 wrote to memory of 1088 460 cmd.exe taskkill.exe PID 460 wrote to memory of 1088 460 cmd.exe taskkill.exe PID 460 wrote to memory of 1088 460 cmd.exe taskkill.exe PID 460 wrote to memory of 1088 460 cmd.exe taskkill.exe PID 460 wrote to memory of 1124 460 cmd.exe choice.exe PID 460 wrote to memory of 1124 460 cmd.exe choice.exe PID 460 wrote to memory of 1124 460 cmd.exe choice.exe PID 460 wrote to memory of 1124 460 cmd.exe choice.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\d408a6a1_extracted.exe"C:\Users\Admin\AppData\Local\Temp\d408a6a1_extracted.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C taskkill /F /PID 1932 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\d408a6a1_extracted.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /PID 19323⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 33⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/460-7-0x0000000000000000-mapping.dmp
-
memory/1088-8-0x0000000000000000-mapping.dmp
-
memory/1124-9-0x0000000000000000-mapping.dmp
-
memory/1932-2-0x0000000073E00000-0x00000000744EE000-memory.dmpFilesize
6.9MB
-
memory/1932-3-0x0000000000C80000-0x0000000000C81000-memory.dmpFilesize
4KB
-
memory/1932-5-0x00000000750C1000-0x00000000750C3000-memory.dmpFilesize
8KB
-
memory/1932-6-0x0000000004C30000-0x0000000004C31000-memory.dmpFilesize
4KB