f56d7d52023e3a3dd1f6b2c2dc31b11a509d6175ca1385459bcc1cf4a67c9c2f

General

Target

CsdMVmZguofylUZ.exe
Size

1.3MB
MD5

2d507b5e2fd52bec7caa8081957a6851
SHA1

acdae484c8e11ac973860b17d408f102f1f7ac30
SHA256

f56d7d52023e3a3dd1f6b2c2dc31b11a509d6175ca1385459bcc1cf4a67c9c2f
SHA512

e702597e7c138f33105ba1cf6fe9c423e38d9096956ac60977060aae9afff66daf3fb2e5c6a64a1c240c9a756000630c6b7cbd50121dfb2af65ac89c9ed65562

Score

1^/10

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1296 wrote to memory of 1800	1296	CsdMVmZguofylUZ.exe	26
PID 1296 wrote to memory of 1800	1296	CsdMVmZguofylUZ.exe	26
PID 1296 wrote to memory of 1800	1296	CsdMVmZguofylUZ.exe	26
PID 1296 wrote to memory of 1800	1296	CsdMVmZguofylUZ.exe	26
PID 1296 wrote to memory of 1772	1296	CsdMVmZguofylUZ.exe	28
PID 1296 wrote to memory of 1772	1296	CsdMVmZguofylUZ.exe	28
PID 1296 wrote to memory of 1772	1296	CsdMVmZguofylUZ.exe	28
PID 1296 wrote to memory of 1772	1296	CsdMVmZguofylUZ.exe	28
PID 1296 wrote to memory of 1784	1296	CsdMVmZguofylUZ.exe	29
PID 1296 wrote to memory of 1784	1296	CsdMVmZguofylUZ.exe	29
PID 1296 wrote to memory of 1784	1296	CsdMVmZguofylUZ.exe	29
PID 1296 wrote to memory of 1784	1296	CsdMVmZguofylUZ.exe	29
PID 1296 wrote to memory of 1776	1296	CsdMVmZguofylUZ.exe	30
PID 1296 wrote to memory of 1776	1296	CsdMVmZguofylUZ.exe	30
PID 1296 wrote to memory of 1776	1296	CsdMVmZguofylUZ.exe	30
PID 1296 wrote to memory of 1776	1296	CsdMVmZguofylUZ.exe	30
PID 1296 wrote to memory of 516	1296	CsdMVmZguofylUZ.exe	31
PID 1296 wrote to memory of 516	1296	CsdMVmZguofylUZ.exe	31
PID 1296 wrote to memory of 516	1296	CsdMVmZguofylUZ.exe	31
PID 1296 wrote to memory of 516	1296	CsdMVmZguofylUZ.exe	31
PID 1296 wrote to memory of 268	1296	CsdMVmZguofylUZ.exe	32
PID 1296 wrote to memory of 268	1296	CsdMVmZguofylUZ.exe	32
PID 1296 wrote to memory of 268	1296	CsdMVmZguofylUZ.exe	32
PID 1296 wrote to memory of 268	1296	CsdMVmZguofylUZ.exe	32

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1296	CsdMVmZguofylUZ.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

Scheduled Task

pid	Process
1800	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\CsdMVmZguofylUZ.exe
"C:\Users\Admin\AppData\Local\Temp\CsdMVmZguofylUZ.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:1296
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HgDnVyl" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBE4F.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1800
- C:\Users\Admin\AppData\Local\Temp\CsdMVmZguofylUZ.exe
  "{path}"
  2⤵
  PID:1772
- C:\Users\Admin\AppData\Local\Temp\CsdMVmZguofylUZ.exe
  "{path}"
  2⤵
  PID:1784
- C:\Users\Admin\AppData\Local\Temp\CsdMVmZguofylUZ.exe
  "{path}"
  2⤵
  PID:1776
- C:\Users\Admin\AppData\Local\Temp\CsdMVmZguofylUZ.exe
  "{path}"
  2⤵
  PID:516
- C:\Users\Admin\AppData\Local\Temp\CsdMVmZguofylUZ.exe
  "{path}"
  2⤵
  PID:268