Analysis
-
max time kernel
128s -
max time network
127s -
platform
windows7_x64 -
resource
win7 -
submitted
09-07-2020 11:15
General
-
Target
fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46.exe
-
Size
1.3MB
-
MD5
2042fdc08ed48544a98307aec4610251
-
SHA1
50a6c64a62347c6c87abb65d04803ff23832a7e8
-
SHA256
fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46
-
SHA512
b102fc8105b0a7cca5c33711e83af818dd9c37ff377d252edec69cbb05052387013426bbce38650c0360fb8c94f4796a8232b93f4c5d438caf031a50c4cae591
Malware Config
Signatures
-
Contains code to disable Windows Defender 16 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
SamoRAT
SamoRAT is a .NET malware used to receive and execute different commands on the infected system.
-
ServiceHost packer 16 IoCs
Detects ServiceHost packer used for .NET malware
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 7 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Program crash 1 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46.exe"C:\Users\Admin\AppData\Local\Temp\fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\ProAlts.xyz Token Generator.exe"C:\ProgramData\ProAlts.xyz Token Generator.exe"2⤵
- Executes dropped EXE
-
-
C:\ProgramData\WinServices.exe"C:\ProgramData\WinServices.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn WinServices /tr '"C:\Users\Admin\AppData\Local\Microsoft\Networking\WinServices.exe"' & exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn WinServices /tr '"C:\Users\Admin\AppData\Local\Microsoft\Networking\WinServices.exe"'4⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 108 -s 16123⤵
- Loads dropped DLL
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
Filesize
68KB
-
-
Filesize
68KB
-
-