Overview

overview

7

Static

static

fbgwls245

windows10_x64

7

Resubmissions

23/04/2020, 11:35

200423-dt293wkflj 7

Analysis

  • max time kernel
    31s
  • max time network
    80s
  • platform
    windows10_x64
  • resource
    win10v200410
  • submitted
    23/04/2020, 11:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7bd916d7a49e2730dc0df55360e634c271bc3d2120052b67e2d76eb1fff3711d.exe

  • Size

    5.8MB

  • MD5

    e0fcab5451ba3ef48206e7f177d236a4

  • SHA1

    f2be770730720167c2bdd45fb691916cec21d23d

  • SHA256

    7bd916d7a49e2730dc0df55360e634c271bc3d2120052b67e2d76eb1fff3711d

  • SHA512

    143f380bce1ef43ff2910da4fea7d4245eacc2208cfc8df20e1ae095470233e9b1b2568f143333f58499df4956491e4893a5cf8735071e8d7102b58e28344086

Score
7/10
persistence

Malware Config

Signatures

  • Makes http(s) request 1 IoCs

    Contacts server via http/https, possibly for C2 communication.

  • Modifies data under HKEY_USERS 15 IoCs
  • Modifies Winlogon 2 TTPs 1 IoCs
    persistence
  • Drops startup file 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Loads dropped DLL 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7bd916d7a49e2730dc0df55360e634c271bc3d2120052b67e2d76eb1fff3711d.exe
    "C:\Users\Admin\AppData\Local\Temp\7bd916d7a49e2730dc0df55360e634c271bc3d2120052b67e2d76eb1fff3711d.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4008
    • C:\Users\Admin\AppData\Local\Temp\7bd916d7a49e2730dc0df55360e634c271bc3d2120052b67e2d76eb1fff3711d.exe
      "C:\Users\Admin\AppData\Local\Temp\7bd916d7a49e2730dc0df55360e634c271bc3d2120052b67e2d76eb1fff3711d.exe"
      2⤵
      • Drops startup file
      • Suspicious use of WriteProcessMemory
      • Loads dropped DLL
      PID:3992
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c shutdown -r -t 0
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1832
        • C:\Windows\SysWOW64\shutdown.exe
          shutdown -r -t 0
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:3840
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0 /state0:0xa3b3a855 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Modifies Winlogon
    • Suspicious use of SetWindowsHookEx
    PID:3868

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads