d823d3c8c26635339f3de0090fb21441f5d2f4db1a0567b2028ca8e3e7f5670e

General

Target

Bidding of 38D OBA project.exe
Size

786KB
MD5

13d24f937b11359da9f65cc862f9edbd
SHA1

0cf3e49eca8c60e6b7eb19efc2d85d0f953ee3aa
SHA256

d823d3c8c26635339f3de0090fb21441f5d2f4db1a0567b2028ca8e3e7f5670e
SHA512

1c8a2fa79e8189914ae6ed8aaf13182d99f885ac4c8b03faad2ce5f5684fb5054e24e5c04209565c63c586913bfc667e08ac816ba005f21eb8907e9861e0adc8

Score

5^/10

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3824 wrote to memory of 2208	3824	Bidding of 38D OBA project.exe	72
PID 3824 wrote to memory of 2208	3824	Bidding of 38D OBA project.exe	72
PID 3824 wrote to memory of 2208	3824	Bidding of 38D OBA project.exe	72
PID 3824 wrote to memory of 2208	3824	Bidding of 38D OBA project.exe	72
PID 3824 wrote to memory of 2208	3824	Bidding of 38D OBA project.exe	72
PID 3824 wrote to memory of 2208	3824	Bidding of 38D OBA project.exe	72
PID 3008 wrote to memory of 2700	3008	Explorer.EXE	74
PID 3008 wrote to memory of 2700	3008	Explorer.EXE	74
PID 3008 wrote to memory of 2700	3008	Explorer.EXE	74
PID 2700 wrote to memory of 3028	2700	control.exe	75
PID 2700 wrote to memory of 3028	2700	control.exe	75
PID 2700 wrote to memory of 3028	2700	control.exe	75

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3824 set thread context of 2208	3824	Bidding of 38D OBA project.exe	72
PID 2208 set thread context of 3008	2208	Bidding of 38D OBA project.exe	56
PID 2700 set thread context of 3008	2700	control.exe	56

Suspicious behavior: EnumeratesProcesses 46 IoCs

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2208	Bidding of 38D OBA project.exe
Token: SeDebugPrivilege	2700	control.exe
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
PID:3008
- C:\Users\Admin\AppData\Local\Temp\Bidding of 38D OBA project.exe
  "C:\Users\Admin\AppData\Local\Temp\Bidding of 38D OBA project.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetThreadContext
  PID:3824
- - C:\Users\Admin\AppData\Local\Temp\Bidding of 38D OBA project.exe
    "{path}"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: MapViewOfSection
    PID:2208
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:2712
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\SysWOW64\control.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: MapViewOfSection
  PID:2700
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\Bidding of 38D OBA project.exe"
    3⤵
    PID:3028

memory/2208-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2700-4-0x00000000000D0000-0x00000000000F0000-memory.dmp

Filesize
128KB

Download
memory/2700-5-0x00000000000D0000-0x00000000000F0000-memory.dmp

Filesize
128KB

Download
memory/2700-7-0x00000000053B0000-0x000000000553C000-memory.dmp

Filesize
1.5MB

Download