abdae1b1965bafd334bb46028ddeffc82d495bf84aaa3f44403d9a17963f12c5

General

Target

Acount Details.com.exe
Size

291KB
MD5

d15fc838aacf85c873bca9adfe7b9997
SHA1

43ff525b542d1e73c4345fd3312788876cf422a5
SHA256

abdae1b1965bafd334bb46028ddeffc82d495bf84aaa3f44403d9a17963f12c5
SHA512

831e8bb86b3fb42a678052db8c8d703546320525cfd211d51b7dea56abeddb0a4ecfa37f45de3543768db784eee15d70bd7033906b1ecc31fa0019744cd5f92f

Score

7^/10

Malware Config

Signatures

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

Acount Details.com.exewlanext.exe

pid process

1832 Acount Details.com.exe
1832 Acount Details.com.exe
1832 Acount Details.com.exe
1868 wlanext.exe
1868 wlanext.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1784 cmd.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Explorer.EXE

pid process

1316 Explorer.EXE
1316 Explorer.EXE
1316 Explorer.EXE
1316 Explorer.EXE
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1316 Explorer.EXE
1316 Explorer.EXE
1316 Explorer.EXE
1316 Explorer.EXE

pid	process
1832	Acount Details.com.exe
1832	Acount Details.com.exe
1832	Acount Details.com.exe
1868	wlanext.exe
1868	wlanext.exe

pid	process
1784	cmd.exe

pid	process
1316	Explorer.EXE
1316	Explorer.EXE
1316	Explorer.EXE
1316	Explorer.EXE

pid	process
1316	Explorer.EXE
1316	Explorer.EXE
1316	Explorer.EXE
1316	Explorer.EXE

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

Acount Details.com.exeExplorer.EXEwlanext.exe

description	pid	process	target process
PID 1528 wrote to memory of 1820	1528	Acount Details.com.exe	Acount Details.com.exe
PID 1528 wrote to memory of 1820	1528	Acount Details.com.exe	Acount Details.com.exe
PID 1528 wrote to memory of 1820	1528	Acount Details.com.exe	Acount Details.com.exe
PID 1528 wrote to memory of 1820	1528	Acount Details.com.exe	Acount Details.com.exe
PID 1528 wrote to memory of 1832	1528	Acount Details.com.exe	Acount Details.com.exe
PID 1528 wrote to memory of 1832	1528	Acount Details.com.exe	Acount Details.com.exe
PID 1528 wrote to memory of 1832	1528	Acount Details.com.exe	Acount Details.com.exe
PID 1528 wrote to memory of 1832	1528	Acount Details.com.exe	Acount Details.com.exe
PID 1528 wrote to memory of 1832	1528	Acount Details.com.exe	Acount Details.com.exe
PID 1528 wrote to memory of 1832	1528	Acount Details.com.exe	Acount Details.com.exe
PID 1528 wrote to memory of 1832	1528	Acount Details.com.exe	Acount Details.com.exe
PID 1316 wrote to memory of 1868	1316	Explorer.EXE	wlanext.exe
PID 1316 wrote to memory of 1868	1316	Explorer.EXE	wlanext.exe
PID 1316 wrote to memory of 1868	1316	Explorer.EXE	wlanext.exe
PID 1316 wrote to memory of 1868	1316	Explorer.EXE	wlanext.exe
PID 1868 wrote to memory of 1784	1868	wlanext.exe	cmd.exe
PID 1868 wrote to memory of 1784	1868	wlanext.exe	cmd.exe
PID 1868 wrote to memory of 1784	1868	wlanext.exe	cmd.exe
PID 1868 wrote to memory of 1784	1868	wlanext.exe	cmd.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Acount Details.com.exeAcount Details.com.exewlanext.exe

description	pid	process
Token: SeDebugPrivilege	1528	Acount Details.com.exe
Token: SeDebugPrivilege	1832	Acount Details.com.exe
Token: SeDebugPrivilege	1868	wlanext.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

Acount Details.com.exeAcount Details.com.exewlanext.exe

pid	process
1528	Acount Details.com.exe
1832	Acount Details.com.exe
1832	Acount Details.com.exe
1868	wlanext.exe
1868	wlanext.exe
1868	wlanext.exe
1868	wlanext.exe
1868	wlanext.exe
1868	wlanext.exe
1868	wlanext.exe
1868	wlanext.exe
1868	wlanext.exe
1868	wlanext.exe
1868	wlanext.exe
1868	wlanext.exe
1868	wlanext.exe
1868	wlanext.exe
1868	wlanext.exe
1868	wlanext.exe
1868	wlanext.exe
1868	wlanext.exe
1868	wlanext.exe
1868	wlanext.exe
1868	wlanext.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Acount Details.com.exeAcount Details.com.exewlanext.exe

description	pid	process	target process
PID 1528 set thread context of 1832	1528	Acount Details.com.exe	Acount Details.com.exe
PID 1832 set thread context of 1316	1832	Acount Details.com.exe	Explorer.EXE
PID 1868 set thread context of 1316	1868	wlanext.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1316

C:\Users\Admin\AppData\Local\Temp\Acount Details.com.exe
"C:\Users\Admin\AppData\Local\Temp\Acount Details.com.exe"
2⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetThreadContext
PID:1528

C:\Users\Admin\AppData\Local\Temp\Acount Details.com.exe
"{path}"
3⤵
PID:1820

C:\Users\Admin\AppData\Local\Temp\Acount Details.com.exe
"{path}"
3⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetThreadContext
PID:1832

C:\Windows\SysWOW64\wlanext.exe
"C:\Windows\SysWOW64\wlanext.exe"
2⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetThreadContext
PID:1868

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Acount Details.com.exe"
3⤵
- Deletes itself
PID:1784

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1784-4-0x0000000000000000-mapping.dmp

Download
memory/1832-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1832-1-0x000000000041B680-mapping.dmp

Download
memory/1868-2-0x0000000000000000-mapping.dmp

Download
memory/1868-3-0x0000000000920000-0x0000000000936000-memory.dmp

Filesize
88KB

Download
memory/1868-5-0x0000000002EF0000-0x0000000003053000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads