General

Target: PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe
Filesize: 781KB
Completed: 03-06-2020 12:06
Task: behavioral1
Score: 1/10
MD5: f31581564b5bbc14d3c862c2be157a52
SHA1: 64e62fe3198a16cb205acd31400af967ad3dd347
SHA256: 7c0f66eed3a2fc7c90ab5db03483aada693894a77a1480e22521ccf422a08ba3
SHA512: ded28a91894313cbdd5678ec191c1e138d524ce3785ca96a255b2bc09cf5f18b8d287a48cf6b754d658f5ab70d95f933899208dc54c21f6b113a0e87200f3f1a

Malware Config
Signatures 3

  • Suspicious use of AdjustPrivilegeToken
    PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 1400 | PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe
  • Suspicious behavior: EnumeratesProcesses
    PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe

    Reported IOCs

    pid | process
    1400 | PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe
    1400 | PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe
    1400 | PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe
    1400 | PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe
    1400 | PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe
    1400 | PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe
    1400 | PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe
  • Suspicious use of WriteProcessMemory
    PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe

    Reported IOCs

    description | pid | process | target process
    PID 1400 wrote to memory of 1616 | 1400 | PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe | PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe
    PID 1400 wrote to memory of 1616 | 1400 | PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe | PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe
    PID 1400 wrote to memory of 1616 | 1400 | PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe | PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe
    PID 1400 wrote to memory of 1616 | 1400 | PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe | PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe
    PID 1400 wrote to memory of 1568 | 1400 | PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe | PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe
    PID 1400 wrote to memory of 1568 | 1400 | PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe | PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe
    PID 1400 wrote to memory of 1568 | 1400 | PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe | PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe
    PID 1400 wrote to memory of 1568 | 1400 | PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe | PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe
    PID 1400 wrote to memory of 1564 | 1400 | PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe | PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe
    PID 1400 wrote to memory of 1564 | 1400 | PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe | PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe
    PID 1400 wrote to memory of 1564 | 1400 | PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe | PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe
    PID 1400 wrote to memory of 1564 | 1400 | PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe | PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe
    PID 1400 wrote to memory of 1544 | 1400 | PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe | PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe
    PID 1400 wrote to memory of 1544 | 1400 | PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe | PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe
    PID 1400 wrote to memory of 1544 | 1400 | PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe | PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe
    PID 1400 wrote to memory of 1544 | 1400 | PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe | PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe
    PID 1400 wrote to memory of 1584 | 1400 | PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe | PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe
    PID 1400 wrote to memory of 1584 | 1400 | PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe | PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe
    PID 1400 wrote to memory of 1584 | 1400 | PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe | PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe
    PID 1400 wrote to memory of 1584 | 1400 | PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe | PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe
Processes 6
  • C:\Users\Admin\AppData\Local\Temp\PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe
    "C:\Users\Admin\AppData\Local\Temp\PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe"
    Suspicious use of AdjustPrivilegeToken
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of WriteProcessMemory
    PID:1400
    • C:\Users\Admin\AppData\Local\Temp\PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe
      "{path}"
      PID:1616
    • C:\Users\Admin\AppData\Local\Temp\PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe
      "{path}"
      PID:1568
    • C:\Users\Admin\AppData\Local\Temp\PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe
      "{path}"
      PID:1564
    • C:\Users\Admin\AppData\Local\Temp\PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe
      "{path}"
      PID:1544
    • C:\Users\Admin\AppData\Local\Temp\PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe
      "{path}"
      PID:1584
Network
MITRE ATT&CK Matrix

Columns: Collection, Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation