b8fb24fed506f2b66406af4f29a8a0522564d337d9f374c3936b369e10a69437

General

Target

PO_2020-JANUGHU.exe
Size

804KB
MD5

67c9976e236f532d67bfc92b7ce96d77
SHA1

31a1f3dbeed7e359ad0115eb133aa348383a4f5b
SHA256

b8fb24fed506f2b66406af4f29a8a0522564d337d9f374c3936b369e10a69437
SHA512

1c3e24e34653f0f2497da7c8971b242e2d560d61d7b38626eaa4cc1ddcb655fe1fdc16eabab7197e03c9d35118e6e3e746a6166ae7949d1ab419c78b22be8f68

Score

1^/10

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 1532	1612	PO_2020-JANUGHU.exe	24
PID 1612 wrote to memory of 1532	1612	PO_2020-JANUGHU.exe	24
PID 1612 wrote to memory of 1532	1612	PO_2020-JANUGHU.exe	24
PID 1612 wrote to memory of 1532	1612	PO_2020-JANUGHU.exe	24
PID 1612 wrote to memory of 1780	1612	PO_2020-JANUGHU.exe	26
PID 1612 wrote to memory of 1780	1612	PO_2020-JANUGHU.exe	26
PID 1612 wrote to memory of 1780	1612	PO_2020-JANUGHU.exe	26
PID 1612 wrote to memory of 1780	1612	PO_2020-JANUGHU.exe	26
PID 1612 wrote to memory of 1792	1612	PO_2020-JANUGHU.exe	27
PID 1612 wrote to memory of 1792	1612	PO_2020-JANUGHU.exe	27
PID 1612 wrote to memory of 1792	1612	PO_2020-JANUGHU.exe	27
PID 1612 wrote to memory of 1792	1612	PO_2020-JANUGHU.exe	27
PID 1612 wrote to memory of 1772	1612	PO_2020-JANUGHU.exe	28
PID 1612 wrote to memory of 1772	1612	PO_2020-JANUGHU.exe	28
PID 1612 wrote to memory of 1772	1612	PO_2020-JANUGHU.exe	28
PID 1612 wrote to memory of 1772	1612	PO_2020-JANUGHU.exe	28
PID 1612 wrote to memory of 1856	1612	PO_2020-JANUGHU.exe	29
PID 1612 wrote to memory of 1856	1612	PO_2020-JANUGHU.exe	29
PID 1612 wrote to memory of 1856	1612	PO_2020-JANUGHU.exe	29
PID 1612 wrote to memory of 1856	1612	PO_2020-JANUGHU.exe	29
PID 1612 wrote to memory of 1864	1612	PO_2020-JANUGHU.exe	30
PID 1612 wrote to memory of 1864	1612	PO_2020-JANUGHU.exe	30
PID 1612 wrote to memory of 1864	1612	PO_2020-JANUGHU.exe	30
PID 1612 wrote to memory of 1864	1612	PO_2020-JANUGHU.exe	30

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1612	PO_2020-JANUGHU.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

Scheduled Task

pid	Process
1532	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\PO_2020-JANUGHU.exe
"C:\Users\Admin\AppData\Local\Temp\PO_2020-JANUGHU.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:1612
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\weHQlHIhGn" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8EA7.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1532
- C:\Users\Admin\AppData\Local\Temp\PO_2020-JANUGHU.exe
  "{path}"
  2⤵
  PID:1780
- C:\Users\Admin\AppData\Local\Temp\PO_2020-JANUGHU.exe
  "{path}"
  2⤵
  PID:1792
- C:\Users\Admin\AppData\Local\Temp\PO_2020-JANUGHU.exe
  "{path}"
  2⤵
  PID:1772
- C:\Users\Admin\AppData\Local\Temp\PO_2020-JANUGHU.exe
  "{path}"
  2⤵
  PID:1856
- C:\Users\Admin\AppData\Local\Temp\PO_2020-JANUGHU.exe
  "{path}"
  2⤵
  PID:1864