PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe

General

Target:     PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe
Filesize:   781KB
Completed:  27-05-2020 16:11
Score:      1/10
MD5:        f31581564b5bbc14d3c862c2be157a52
SHA1:       64e62fe3198a16cb205acd31400af967ad3dd347
SHA256:     7c0f66eed3a2fc7c90ab5db03483aada693894a77a1480e22521ccf422a08ba3

Signatures 3

  • Suspicious use of AdjustPrivilegeToken
    PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe

    Reported IOCs

    description              pid   process
    Token: SeDebugPrivilege  1432  PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe
  • Suspicious behavior: EnumeratesProcesses
    PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe

    Reported IOCs

    pid   process
    1432  PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe  (7 identical entries)
  • Suspicious use of WriteProcessMemory
    PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe

    Reported IOCs

    description                       pid   process                                    target process
    PID 1432 wrote to memory of 1776  1432  PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe  PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe  (4 identical entries)
    PID 1432 wrote to memory of 1792  1432  PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe  PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe  (4 identical entries)
    PID 1432 wrote to memory of 1784  1432  PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe  PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe  (4 identical entries)
    PID 1432 wrote to memory of 1800  1432  PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe  PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe  (4 identical entries)
    PID 1432 wrote to memory of 1816  1432  PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe  PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe  (4 identical entries)
Processes 6
  • C:\Users\Admin\AppData\Local\Temp\PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe
    "C:\Users\Admin\AppData\Local\Temp\PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe"
    Suspicious use of AdjustPrivilegeToken
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of WriteProcessMemory
    PID:1432
    • C:\Users\Admin\AppData\Local\Temp\PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe
      "{path}"
      PID:1776
    • C:\Users\Admin\AppData\Local\Temp\PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe
      "{path}"
      PID:1792
    • C:\Users\Admin\AppData\Local\Temp\PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe
      "{path}"
      PID:1784
    • C:\Users\Admin\AppData\Local\Temp\PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe
      "{path}"
      PID:1800
    • C:\Users\Admin\AppData\Local\Temp\PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe
      "{path}"
      PID:1816