Overview

overview

8

Static

static

8

fcc595f22b...ea.exe

windows7_x64

5

fcc595f22b...ea.exe

windows10_x64

1

Analysis

  • max time kernel
    21s
  • max time network
    23s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    05-03-2021 14:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fcc595f22b212b4e0cce8a9ac0849fea.exe

  • Size

    377KB

  • MD5

    fcc595f22b212b4e0cce8a9ac0849fea

  • SHA1

    6aa5c48c9bd9794b35d42e1a5053fccbb4a4823a

  • SHA256

    a4ab08ff70e6117f5ca89a99fa94d63ba3468a7c97e2efc4d8ed6c634bb97671

  • SHA512

    715ca8e30229c0f9f21427a253a9803ea85f6ba049ab7936816d9cf7c4a559691075ba918278ecf0ea8944c7e11c710ef87fd729c5ac265cb67fddab52e1bfee

Score
5/10

Malware Config

Signatures

  • Drops file in System32 directory 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 19 IoCs
  • Suspicious use of SendNotifyMessage 19 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fcc595f22b212b4e0cce8a9ac0849fea.exe
    "C:\Users\Admin\AppData\Local\Temp\fcc595f22b212b4e0cce8a9ac0849fea.exe"
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:792
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -executionpolicy bypass C:\Users\Admin\AppData\Roaming\ykZORLMXT.ps1
      2⤵
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1496

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/792-2-0x00000000757E1000-0x00000000757E3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1496-11-0x0000000002310000-0x0000000002311000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1496-8-0x00000000049A0000-0x00000000049A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1496-12-0x0000000005270000-0x0000000005271000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1496-7-0x0000000001DB0000-0x0000000001DB1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1496-15-0x0000000005660000-0x0000000005661000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1496-9-0x0000000004960000-0x0000000004961000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1496-10-0x0000000004962000-0x0000000004963000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1496-20-0x000000007EF30000-0x000000007EF31000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1496-6-0x0000000074410000-0x0000000074AFE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/1496-4-0x0000000000000000-mapping.dmp
    Download
  • memory/1496-45-0x0000000006310000-0x0000000006311000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1496-21-0x00000000056B0000-0x00000000056B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1496-22-0x0000000006110000-0x0000000006111000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1496-29-0x0000000006250000-0x0000000006251000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1496-30-0x00000000055D0000-0x00000000055D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1496-44-0x0000000006300000-0x0000000006301000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1724-3-0x000007FEF7F80000-0x000007FEF81FA000-memory.dmp
    Filesize

    2.5MB

    Download