Analysis
-
max time kernel
28s -
max time network
111s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
04-03-2021 18:20
Static task
static1
Behavioral task
behavioral1
Sample
d408a6a1_extracted.exe
Resource
win7v20201028
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
d408a6a1_extracted.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
General
-
Target
d408a6a1_extracted.exe
-
Size
150KB
-
MD5
ab37b2049e98c636ac5beaddae4da748
-
SHA1
ef849289e463c0b9474646e5f3e5012f86efe57f
-
SHA256
3d649dfd896254e08e979f74e73dd4d9d46c14c49c10f7682d333a7f7edda072
-
SHA512
25a3e6f99bc8a6cc03b69847af30f846f8a12acfae6207e6405b68d2ea1e386f5400f38814ac8e0f239b7591a2f2196b1670fbcd9482e3ca8debc09942cd15ff
Score
1/10
Malware Config
Signatures
-
Kills process with taskkill 1 IoCs
Processes:
taskkill.exepid process 64 taskkill.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
d408a6a1_extracted.exetaskkill.exedescription pid process Token: SeDebugPrivilege 1788 d408a6a1_extracted.exe Token: SeDebugPrivilege 64 taskkill.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
d408a6a1_extracted.execmd.exedescription pid process target process PID 1788 wrote to memory of 1268 1788 d408a6a1_extracted.exe cmd.exe PID 1788 wrote to memory of 1268 1788 d408a6a1_extracted.exe cmd.exe PID 1788 wrote to memory of 1268 1788 d408a6a1_extracted.exe cmd.exe PID 1268 wrote to memory of 64 1268 cmd.exe taskkill.exe PID 1268 wrote to memory of 64 1268 cmd.exe taskkill.exe PID 1268 wrote to memory of 64 1268 cmd.exe taskkill.exe PID 1268 wrote to memory of 3184 1268 cmd.exe choice.exe PID 1268 wrote to memory of 3184 1268 cmd.exe choice.exe PID 1268 wrote to memory of 3184 1268 cmd.exe choice.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\d408a6a1_extracted.exe"C:\Users\Admin\AppData\Local\Temp\d408a6a1_extracted.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C taskkill /F /PID 1788 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\d408a6a1_extracted.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /PID 17883⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 33⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/64-12-0x0000000000000000-mapping.dmp
-
memory/1268-11-0x0000000000000000-mapping.dmp
-
memory/1788-2-0x0000000073A20000-0x000000007410E000-memory.dmpFilesize
6.9MB
-
memory/1788-3-0x0000000000F80000-0x0000000000F81000-memory.dmpFilesize
4KB
-
memory/1788-5-0x0000000005E60000-0x0000000005E61000-memory.dmpFilesize
4KB
-
memory/1788-6-0x00000000057B0000-0x00000000057B1000-memory.dmpFilesize
4KB
-
memory/1788-7-0x0000000005850000-0x0000000005851000-memory.dmpFilesize
4KB
-
memory/1788-8-0x0000000005840000-0x0000000005841000-memory.dmpFilesize
4KB
-
memory/1788-9-0x00000000057D0000-0x00000000057D1000-memory.dmpFilesize
4KB
-
memory/1788-10-0x0000000005AB0000-0x0000000005AB1000-memory.dmpFilesize
4KB
-
memory/3184-13-0x0000000000000000-mapping.dmp