Analysis
- max time kernel: 21s
- max time network: 23s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 05-03-2021 14:33
Static task: static1
Behavioral task: behavioral1
- Sample: fcc595f22b212b4e0cce8a9ac0849fea.exe
- Resource: win7v20201028 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: fcc595f22b212b4e0cce8a9ac0849fea.exe
- Resource: win10v20201028 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: fcc595f22b212b4e0cce8a9ac0849fea.exe
- Size: 377KB
- MD5: fcc595f22b212b4e0cce8a9ac0849fea
- SHA1: 6aa5c48c9bd9794b35d42e1a5053fccbb4a4823a
- SHA256: a4ab08ff70e6117f5ca89a99fa94d63ba3468a7c97e2efc4d8ed6c634bb97671
- SHA512: 715ca8e30229c0f9f21427a253a9803ea85f6ba049ab7936816d9cf7c4a559691075ba918278ecf0ea8944c7e11c710ef87fd729c5ac265cb67fddab52e1bfee
- Score: 5/10
Malware Config
Signatures
- Drops file in System32 directory (1 IoC)
  Processes:
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid | process
  1496 | powershell.exe
  1496 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1496 | powershell.exe
- Suspicious use of FindShellTrayWindow (19 IoCs)
  Processes:
  pid | process
  792 | fcc595f22b212b4e0cce8a9ac0849fea.exe (19 identical entries)
- Suspicious use of SendNotifyMessage (19 IoCs)
  Processes:
  pid | process
  792 | fcc595f22b212b4e0cce8a9ac0849fea.exe (19 identical entries)
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
  description | pid | process | target process
  PID 792 wrote to memory of 1496 | 792 | fcc595f22b212b4e0cce8a9ac0849fea.exe | powershell.exe (4 identical entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\fcc595f22b212b4e0cce8a9ac0849fea.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\fcc595f22b212b4e0cce8a9ac0849fea.exe"
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (child of 1)
      Command line: powershell -executionpolicy bypass C:\Users\Admin\AppData\Roaming\ykZORLMXT.ps1
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/792-2-0x00000000757E1000-0x00000000757E3000-memory.dmp (Filesize 8KB)
- memory/1496-11-0x0000000002310000-0x0000000002311000-memory.dmp (Filesize 4KB)
- memory/1496-8-0x00000000049A0000-0x00000000049A1000-memory.dmp (Filesize 4KB)
- memory/1496-12-0x0000000005270000-0x0000000005271000-memory.dmp (Filesize 4KB)
- memory/1496-7-0x0000000001DB0000-0x0000000001DB1000-memory.dmp (Filesize 4KB)
- memory/1496-15-0x0000000005660000-0x0000000005661000-memory.dmp (Filesize 4KB)
- memory/1496-9-0x0000000004960000-0x0000000004961000-memory.dmp (Filesize 4KB)
- memory/1496-10-0x0000000004962000-0x0000000004963000-memory.dmp (Filesize 4KB)
- memory/1496-20-0x000000007EF30000-0x000000007EF31000-memory.dmp (Filesize 4KB)
- memory/1496-6-0x0000000074410000-0x0000000074AFE000-memory.dmp (Filesize 6.9MB)
- memory/1496-4-0x0000000000000000-mapping.dmp
- memory/1496-45-0x0000000006310000-0x0000000006311000-memory.dmp (Filesize 4KB)
- memory/1496-21-0x00000000056B0000-0x00000000056B1000-memory.dmp (Filesize 4KB)
- memory/1496-22-0x0000000006110000-0x0000000006111000-memory.dmp (Filesize 4KB)
- memory/1496-29-0x0000000006250000-0x0000000006251000-memory.dmp (Filesize 4KB)
- memory/1496-30-0x00000000055D0000-0x00000000055D1000-memory.dmp (Filesize 4KB)
- memory/1496-44-0x0000000006300000-0x0000000006301000-memory.dmp (Filesize 4KB)
- memory/1724-3-0x000007FEF7F80000-0x000007FEF81FA000-memory.dmp (Filesize 2.5MB)