28ce338ed936ad061fa414f1dd7e5ac44d6487df1b5e449b50c447a6917a051e | Triage

Analysis

max time kernel
300s
max time network
300s
platform
windows7_x64
resource
win7-en-20211014
submitted
03-12-2021 17:01

Sharing

Report Analysis Logs

General

Target

FYI.exe
Size

215KB
MD5

057c210911045f8f4a62ff3cacc31829
SHA1

8f779ff6231c764901c16e688bc44aba69acb5f5
SHA256

e278e44869b4560ae8cab37e0d71ef79ede0f73a5b4176ce04db3c2818cec336
SHA512

f6c55d0440e3a8b6614ddf4b0ae218d01ae283c58fae6eaafb90be74b8edbc1bb685169a5139f21c638290b1241078237ec356ea472113c6e8889f092f1500ff

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

FYI.exe

pid process

1336 FYI.exe
1336 FYI.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

dw20.exe

pid process

1020 dw20.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

FYI.exe

description pid process

Token: SeDebugPrivilege 1336 FYI.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

FYI.exe

description	pid	process	target process
PID 1336 wrote to memory of 1020	1336	FYI.exe	dw20.exe
PID 1336 wrote to memory of 1020	1336	FYI.exe	dw20.exe
PID 1336 wrote to memory of 1020	1336	FYI.exe	dw20.exe
PID 1336 wrote to memory of 1020	1336	FYI.exe	dw20.exe

C:\Users\Admin\AppData\Local\Temp\FYI.exe
"C:\Users\Admin\AppData\Local\Temp\FYI.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1336

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 516
2⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:1020

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1020-57-0x0000000000000000-mapping.dmp

Download
memory/1020-59-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/1336-55-0x0000000076231000-0x0000000076233000-memory.dmp

Filesize
8KB

Download
memory/1336-56-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download