99c1b2c7ec27b36fbc1978048266d739f8efc003af325fd9a00d0399d7d16b48

Analysis

max time kernel
144s
max time network
117s
platform
windows7_x64
resource
win7v20201028
submitted
20-11-2020 10:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ORGANICUP ApS.exe
Size

641KB
MD5

d99f154e6358b247baf32a58b1d6f595
SHA1

0e53adf45cb616182c55c6e35ba68efe55aeaa9f
SHA256

99c1b2c7ec27b36fbc1978048266d739f8efc003af325fd9a00d0399d7d16b48
SHA512

4514bae3b7340357f91f501ec72a94d04d4d868385fe20fdc6da2bc2a3bc1366423db9afd459c8d5185431fb02b8639ecc4210d6345867f741215ec17406bb56

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 8 IoCs

description	pid	Process	procid_target
PID 2024 set thread context of 1932	2024	ORGANICUP ApS.exe	29
PID 1932 set thread context of 2004	1932	ORGANICUP ApS.exe	30
PID 2004 set thread context of 336	2004	ORGANICUP ApS.exe	31
PID 580 set thread context of 1464	580	ORGANICUP ApS.exe	33
PID 1068 set thread context of 1512	1068	ORGANICUP ApS.exe	35
PID 1512 set thread context of 1604	1512	ORGANICUP ApS.exe	36
PID 1604 set thread context of 1720	1604	ORGANICUP ApS.exe	37
PID 1328 set thread context of 1680	1328	ORGANICUP ApS.exe	42

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1932	ORGANICUP ApS.exe
1512	ORGANICUP ApS.exe
1328	ORGANICUP ApS.exe
1328	ORGANICUP ApS.exe
1328	ORGANICUP ApS.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2004	ORGANICUP ApS.exe
1604	ORGANICUP ApS.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2024	ORGANICUP ApS.exe
Token: SeDebugPrivilege	580	ORGANICUP ApS.exe
Token: SeDebugPrivilege	1068	ORGANICUP ApS.exe
Token: SeDebugPrivilege	1328	ORGANICUP ApS.exe

Suspicious use of WriteProcessMemory 141 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 1932	2024	ORGANICUP ApS.exe	29
PID 2024 wrote to memory of 1932	2024	ORGANICUP ApS.exe	29
PID 2024 wrote to memory of 1932	2024	ORGANICUP ApS.exe	29
PID 2024 wrote to memory of 1932	2024	ORGANICUP ApS.exe	29
PID 2024 wrote to memory of 1932	2024	ORGANICUP ApS.exe	29
PID 2024 wrote to memory of 1932	2024	ORGANICUP ApS.exe	29
PID 2024 wrote to memory of 1932	2024	ORGANICUP ApS.exe	29
PID 2024 wrote to memory of 1932	2024	ORGANICUP ApS.exe	29
PID 2024 wrote to memory of 1932	2024	ORGANICUP ApS.exe	29
PID 2024 wrote to memory of 1932	2024	ORGANICUP ApS.exe	29
PID 2024 wrote to memory of 1932	2024	ORGANICUP ApS.exe	29
PID 2024 wrote to memory of 1932	2024	ORGANICUP ApS.exe	29
PID 2024 wrote to memory of 1932	2024	ORGANICUP ApS.exe	29
PID 2024 wrote to memory of 1932	2024	ORGANICUP ApS.exe	29
PID 1932 wrote to memory of 2004	1932	ORGANICUP ApS.exe	30
PID 1932 wrote to memory of 2004	1932	ORGANICUP ApS.exe	30
PID 1932 wrote to memory of 2004	1932	ORGANICUP ApS.exe	30
PID 1932 wrote to memory of 2004	1932	ORGANICUP ApS.exe	30
PID 1932 wrote to memory of 2004	1932	ORGANICUP ApS.exe	30
PID 1932 wrote to memory of 2004	1932	ORGANICUP ApS.exe	30
PID 1932 wrote to memory of 2004	1932	ORGANICUP ApS.exe	30
PID 1932 wrote to memory of 2004	1932	ORGANICUP ApS.exe	30
PID 1932 wrote to memory of 2004	1932	ORGANICUP ApS.exe	30
PID 1932 wrote to memory of 2004	1932	ORGANICUP ApS.exe	30
PID 1932 wrote to memory of 2004	1932	ORGANICUP ApS.exe	30
PID 1932 wrote to memory of 2004	1932	ORGANICUP ApS.exe	30
PID 1932 wrote to memory of 2004	1932	ORGANICUP ApS.exe	30
PID 1932 wrote to memory of 2004	1932	ORGANICUP ApS.exe	30
PID 2004 wrote to memory of 336	2004	ORGANICUP ApS.exe	31
PID 2004 wrote to memory of 336	2004	ORGANICUP ApS.exe	31
PID 2004 wrote to memory of 336	2004	ORGANICUP ApS.exe	31
PID 2004 wrote to memory of 336	2004	ORGANICUP ApS.exe	31
PID 1932 wrote to memory of 580	1932	ORGANICUP ApS.exe	32
PID 1932 wrote to memory of 580	1932	ORGANICUP ApS.exe	32
PID 1932 wrote to memory of 580	1932	ORGANICUP ApS.exe	32
PID 1932 wrote to memory of 580	1932	ORGANICUP ApS.exe	32
PID 1932 wrote to memory of 580	1932	ORGANICUP ApS.exe	32
PID 1932 wrote to memory of 580	1932	ORGANICUP ApS.exe	32
PID 1932 wrote to memory of 580	1932	ORGANICUP ApS.exe	32
PID 580 wrote to memory of 1464	580	ORGANICUP ApS.exe	33
PID 580 wrote to memory of 1464	580	ORGANICUP ApS.exe	33
PID 580 wrote to memory of 1464	580	ORGANICUP ApS.exe	33
PID 580 wrote to memory of 1464	580	ORGANICUP ApS.exe	33
PID 580 wrote to memory of 1464	580	ORGANICUP ApS.exe	33
PID 580 wrote to memory of 1464	580	ORGANICUP ApS.exe	33
PID 580 wrote to memory of 1464	580	ORGANICUP ApS.exe	33
PID 580 wrote to memory of 1464	580	ORGANICUP ApS.exe	33
PID 580 wrote to memory of 1464	580	ORGANICUP ApS.exe	33
PID 580 wrote to memory of 1464	580	ORGANICUP ApS.exe	33
PID 580 wrote to memory of 1464	580	ORGANICUP ApS.exe	33
PID 580 wrote to memory of 1464	580	ORGANICUP ApS.exe	33
PID 580 wrote to memory of 1464	580	ORGANICUP ApS.exe	33
PID 580 wrote to memory of 1464	580	ORGANICUP ApS.exe	33
PID 1464 wrote to memory of 1068	1464	ORGANICUP ApS.exe	34
PID 1464 wrote to memory of 1068	1464	ORGANICUP ApS.exe	34
PID 1464 wrote to memory of 1068	1464	ORGANICUP ApS.exe	34
PID 1464 wrote to memory of 1068	1464	ORGANICUP ApS.exe	34
PID 1464 wrote to memory of 1068	1464	ORGANICUP ApS.exe	34
PID 1464 wrote to memory of 1068	1464	ORGANICUP ApS.exe	34
PID 1464 wrote to memory of 1068	1464	ORGANICUP ApS.exe	34
PID 1068 wrote to memory of 1512	1068	ORGANICUP ApS.exe	35
PID 1068 wrote to memory of 1512	1068	ORGANICUP ApS.exe	35
PID 1068 wrote to memory of 1512	1068	ORGANICUP ApS.exe	35
PID 1068 wrote to memory of 1512	1068	ORGANICUP ApS.exe	35
PID 1068 wrote to memory of 1512	1068	ORGANICUP ApS.exe	35
PID 1068 wrote to memory of 1512	1068	ORGANICUP ApS.exe	35
PID 1068 wrote to memory of 1512	1068	ORGANICUP ApS.exe	35
PID 1068 wrote to memory of 1512	1068	ORGANICUP ApS.exe	35
PID 1068 wrote to memory of 1512	1068	ORGANICUP ApS.exe	35
PID 1068 wrote to memory of 1512	1068	ORGANICUP ApS.exe	35
PID 1068 wrote to memory of 1512	1068	ORGANICUP ApS.exe	35
PID 1068 wrote to memory of 1512	1068	ORGANICUP ApS.exe	35
PID 1068 wrote to memory of 1512	1068	ORGANICUP ApS.exe	35
PID 1068 wrote to memory of 1512	1068	ORGANICUP ApS.exe	35
PID 1512 wrote to memory of 1604	1512	ORGANICUP ApS.exe	36
PID 1512 wrote to memory of 1604	1512	ORGANICUP ApS.exe	36
PID 1512 wrote to memory of 1604	1512	ORGANICUP ApS.exe	36
PID 1512 wrote to memory of 1604	1512	ORGANICUP ApS.exe	36
PID 1512 wrote to memory of 1604	1512	ORGANICUP ApS.exe	36
PID 1512 wrote to memory of 1604	1512	ORGANICUP ApS.exe	36
PID 1512 wrote to memory of 1604	1512	ORGANICUP ApS.exe	36
PID 1512 wrote to memory of 1604	1512	ORGANICUP ApS.exe	36
PID 1512 wrote to memory of 1604	1512	ORGANICUP ApS.exe	36
PID 1512 wrote to memory of 1604	1512	ORGANICUP ApS.exe	36
PID 1512 wrote to memory of 1604	1512	ORGANICUP ApS.exe	36
PID 1512 wrote to memory of 1604	1512	ORGANICUP ApS.exe	36
PID 1512 wrote to memory of 1604	1512	ORGANICUP ApS.exe	36
PID 1512 wrote to memory of 1604	1512	ORGANICUP ApS.exe	36
PID 1604 wrote to memory of 1720	1604	ORGANICUP ApS.exe	37
PID 1604 wrote to memory of 1720	1604	ORGANICUP ApS.exe	37
PID 1604 wrote to memory of 1720	1604	ORGANICUP ApS.exe	37
PID 1604 wrote to memory of 1720	1604	ORGANICUP ApS.exe	37
PID 1512 wrote to memory of 1328	1512	ORGANICUP ApS.exe	38
PID 1512 wrote to memory of 1328	1512	ORGANICUP ApS.exe	38
PID 1512 wrote to memory of 1328	1512	ORGANICUP ApS.exe	38
PID 1512 wrote to memory of 1328	1512	ORGANICUP ApS.exe	38
PID 1512 wrote to memory of 1328	1512	ORGANICUP ApS.exe	38
PID 1512 wrote to memory of 1328	1512	ORGANICUP ApS.exe	38
PID 1512 wrote to memory of 1328	1512	ORGANICUP ApS.exe	38
PID 1328 wrote to memory of 2012	1328	ORGANICUP ApS.exe	39
PID 1328 wrote to memory of 2012	1328	ORGANICUP ApS.exe	39
PID 1328 wrote to memory of 2012	1328	ORGANICUP ApS.exe	39
PID 1328 wrote to memory of 2012	1328	ORGANICUP ApS.exe	39
PID 1328 wrote to memory of 2012	1328	ORGANICUP ApS.exe	39
PID 1328 wrote to memory of 2012	1328	ORGANICUP ApS.exe	39
PID 1328 wrote to memory of 2012	1328	ORGANICUP ApS.exe	39
PID 1328 wrote to memory of 436	1328	ORGANICUP ApS.exe	40
PID 1328 wrote to memory of 436	1328	ORGANICUP ApS.exe	40
PID 1328 wrote to memory of 436	1328	ORGANICUP ApS.exe	40
PID 1328 wrote to memory of 436	1328	ORGANICUP ApS.exe	40
PID 1328 wrote to memory of 436	1328	ORGANICUP ApS.exe	40
PID 1328 wrote to memory of 436	1328	ORGANICUP ApS.exe	40
PID 1328 wrote to memory of 436	1328	ORGANICUP ApS.exe	40
PID 1328 wrote to memory of 1624	1328	ORGANICUP ApS.exe	41
PID 1328 wrote to memory of 1624	1328	ORGANICUP ApS.exe	41
PID 1328 wrote to memory of 1624	1328	ORGANICUP ApS.exe	41
PID 1328 wrote to memory of 1624	1328	ORGANICUP ApS.exe	41
PID 1328 wrote to memory of 1624	1328	ORGANICUP ApS.exe	41
PID 1328 wrote to memory of 1624	1328	ORGANICUP ApS.exe	41
PID 1328 wrote to memory of 1624	1328	ORGANICUP ApS.exe	41
PID 1328 wrote to memory of 1680	1328	ORGANICUP ApS.exe	42
PID 1328 wrote to memory of 1680	1328	ORGANICUP ApS.exe	42
PID 1328 wrote to memory of 1680	1328	ORGANICUP ApS.exe	42
PID 1328 wrote to memory of 1680	1328	ORGANICUP ApS.exe	42
PID 1328 wrote to memory of 1680	1328	ORGANICUP ApS.exe	42
PID 1328 wrote to memory of 1680	1328	ORGANICUP ApS.exe	42
PID 1328 wrote to memory of 1680	1328	ORGANICUP ApS.exe	42
PID 1328 wrote to memory of 1680	1328	ORGANICUP ApS.exe	42
PID 1328 wrote to memory of 1680	1328	ORGANICUP ApS.exe	42
PID 1328 wrote to memory of 1680	1328	ORGANICUP ApS.exe	42
PID 1328 wrote to memory of 1680	1328	ORGANICUP ApS.exe	42
PID 1328 wrote to memory of 1680	1328	ORGANICUP ApS.exe	42
PID 1328 wrote to memory of 1680	1328	ORGANICUP ApS.exe	42
PID 1328 wrote to memory of 1680	1328	ORGANICUP ApS.exe	42
PID 1680 wrote to memory of 408	1680	ORGANICUP ApS.exe	43
PID 1680 wrote to memory of 408	1680	ORGANICUP ApS.exe	43
PID 1680 wrote to memory of 408	1680	ORGANICUP ApS.exe	43
PID 1680 wrote to memory of 408	1680	ORGANICUP ApS.exe	43
PID 1680 wrote to memory of 408	1680	ORGANICUP ApS.exe	43
PID 1680 wrote to memory of 408	1680	ORGANICUP ApS.exe	43
PID 1680 wrote to memory of 408	1680	ORGANICUP ApS.exe	43

C:\Users\Admin\AppData\Local\Temp\ORGANICUP ApS.exe
"C:\Users\Admin\AppData\Local\Temp\ORGANICUP ApS.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Users\Admin\AppData\Local\Temp\ORGANICUP ApS.exe
  "C:\Users\Admin\AppData\Local\Temp\ORGANICUP ApS.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1932
- - C:\Users\Admin\AppData\Local\Temp\ORGANICUP ApS.exe
    "C:\Users\Admin\AppData\Local\Temp\ORGANICUP ApS.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2004
  - - C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\SysWOW64\explorer.exe"
      4⤵
      PID:336
- - C:\Users\Admin\AppData\Local\Temp\ORGANICUP ApS.exe
    "C:\Users\Admin\AppData\Local\Temp\ORGANICUP ApS.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:580
  - - C:\Users\Admin\AppData\Local\Temp\ORGANICUP ApS.exe
      "C:\Users\Admin\AppData\Local\Temp\ORGANICUP ApS.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1464
    - - C:\Users\Admin\AppData\Local\Temp\ORGANICUP ApS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ORGANICUP ApS.exe"
        5⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1068
      - C:\Users\Admin\AppData\Local\Temp\ORGANICUP ApS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ORGANICUP ApS.exe"
        6⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\ORGANICUP ApS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ORGANICUP ApS.exe"
        7⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:1604
        
        C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        8⤵
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\ORGANICUP ApS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ORGANICUP ApS.exe"
        7⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1328
        
        C:\Users\Admin\AppData\Local\Temp\ORGANICUP ApS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ORGANICUP ApS.exe"
        8⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\ORGANICUP ApS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ORGANICUP ApS.exe"
        8⤵
        
        PID:436
        
        C:\Users\Admin\AppData\Local\Temp\ORGANICUP ApS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ORGANICUP ApS.exe"
        8⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\ORGANICUP ApS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ORGANICUP ApS.exe"
        8⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\ORGANICUP ApS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ORGANICUP ApS.exe"
        9⤵
        
        PID:408

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/336-11-0x0000000000080000-0x000000000008F000-memory.dmp

Filesize
60KB

Download
memory/408-60-0x0000000074230000-0x000000007491E000-memory.dmp

Filesize
6.9MB

Download
memory/580-19-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/580-18-0x0000000073500000-0x0000000073BEE000-memory.dmp

Filesize
6.9MB

Download
memory/1068-30-0x0000000074230000-0x000000007491E000-memory.dmp

Filesize
6.9MB

Download
memory/1328-48-0x0000000073500000-0x0000000073BEE000-memory.dmp

Filesize
6.9MB

Download
memory/1512-43-0x00000000027D0000-0x00000000027E1000-memory.dmp

Filesize
68KB

Download
memory/1512-42-0x00000000023C0000-0x00000000023D1000-memory.dmp

Filesize
68KB

Download
memory/1604-52-0x0000000000180000-0x000000000018F000-memory.dmp

Filesize
60KB

Download
memory/1720-41-0x0000000000080000-0x000000000008F000-memory.dmp

Filesize
60KB

Download
memory/1932-15-0x0000000002150000-0x0000000002161000-memory.dmp

Filesize
68KB

Download
memory/1932-6-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1932-8-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1932-13-0x0000000002560000-0x0000000002571000-memory.dmp

Filesize
68KB

Download
memory/1932-12-0x0000000002150000-0x0000000002161000-memory.dmp

Filesize
68KB

Download
memory/2004-9-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2024-4-0x00000000047F0000-0x000000000483A000-memory.dmp

Filesize
296KB

Download
memory/2024-5-0x00000000007E0000-0x00000000007F6000-memory.dmp

Filesize
88KB

Download
memory/2024-0-0x0000000074230000-0x000000007491E000-memory.dmp

Filesize
6.9MB

Download
memory/2024-3-0x0000000001F50000-0x0000000001FE4000-memory.dmp

Filesize
592KB

Download
memory/2024-1-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download