99c1b2c7ec27b36fbc1978048266d739f8efc003af325fd9a00d0399d7d16b48

Analysis

max time kernel
143s
max time network
113s
platform
windows10_x64
resource
win10v20201028
submitted
20-11-2020 10:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ORGANICUP ApS.exe
Size

641KB
MD5

d99f154e6358b247baf32a58b1d6f595
SHA1

0e53adf45cb616182c55c6e35ba68efe55aeaa9f
SHA256

99c1b2c7ec27b36fbc1978048266d739f8efc003af325fd9a00d0399d7d16b48
SHA512

4514bae3b7340357f91f501ec72a94d04d4d868385fe20fdc6da2bc2a3bc1366423db9afd459c8d5185431fb02b8639ecc4210d6345867f741215ec17406bb56

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 10 IoCs

description	pid	Process	procid_target
PID 500 set thread context of 3380	500	ORGANICUP ApS.exe	78
PID 3380 set thread context of 196	3380	ORGANICUP ApS.exe	79
PID 196 set thread context of 1320	196	ORGANICUP ApS.exe	80
PID 3844 set thread context of 4064	3844	ORGANICUP ApS.exe	82
PID 2080 set thread context of 3988	2080	ORGANICUP ApS.exe	84
PID 3988 set thread context of 716	3988	ORGANICUP ApS.exe	85
PID 716 set thread context of 2844	716	ORGANICUP ApS.exe	86
PID 3928 set thread context of 3880	3928	ORGANICUP ApS.exe	89
PID 3880 set thread context of 3692	3880	ORGANICUP ApS.exe	90
PID 3692 set thread context of 2136	3692	ORGANICUP ApS.exe	91

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3380	ORGANICUP ApS.exe
3380	ORGANICUP ApS.exe
3988	ORGANICUP ApS.exe
3988	ORGANICUP ApS.exe
3928	ORGANICUP ApS.exe
3928	ORGANICUP ApS.exe
3880	ORGANICUP ApS.exe
3880	ORGANICUP ApS.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
196	ORGANICUP ApS.exe
716	ORGANICUP ApS.exe
3692	ORGANICUP ApS.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	500	ORGANICUP ApS.exe
Token: SeDebugPrivilege	3844	ORGANICUP ApS.exe
Token: SeDebugPrivilege	2080	ORGANICUP ApS.exe
Token: SeDebugPrivilege	3928	ORGANICUP ApS.exe

Suspicious use of WriteProcessMemory 94 IoCs

description	pid	Process	procid_target
PID 500 wrote to memory of 3380	500	ORGANICUP ApS.exe	78
PID 500 wrote to memory of 3380	500	ORGANICUP ApS.exe	78
PID 500 wrote to memory of 3380	500	ORGANICUP ApS.exe	78
PID 500 wrote to memory of 3380	500	ORGANICUP ApS.exe	78
PID 500 wrote to memory of 3380	500	ORGANICUP ApS.exe	78
PID 500 wrote to memory of 3380	500	ORGANICUP ApS.exe	78
PID 500 wrote to memory of 3380	500	ORGANICUP ApS.exe	78
PID 500 wrote to memory of 3380	500	ORGANICUP ApS.exe	78
PID 500 wrote to memory of 3380	500	ORGANICUP ApS.exe	78
PID 500 wrote to memory of 3380	500	ORGANICUP ApS.exe	78
PID 3380 wrote to memory of 196	3380	ORGANICUP ApS.exe	79
PID 3380 wrote to memory of 196	3380	ORGANICUP ApS.exe	79
PID 3380 wrote to memory of 196	3380	ORGANICUP ApS.exe	79
PID 3380 wrote to memory of 196	3380	ORGANICUP ApS.exe	79
PID 3380 wrote to memory of 196	3380	ORGANICUP ApS.exe	79
PID 3380 wrote to memory of 196	3380	ORGANICUP ApS.exe	79
PID 3380 wrote to memory of 196	3380	ORGANICUP ApS.exe	79
PID 3380 wrote to memory of 196	3380	ORGANICUP ApS.exe	79
PID 3380 wrote to memory of 196	3380	ORGANICUP ApS.exe	79
PID 3380 wrote to memory of 196	3380	ORGANICUP ApS.exe	79
PID 196 wrote to memory of 1320	196	ORGANICUP ApS.exe	80
PID 196 wrote to memory of 1320	196	ORGANICUP ApS.exe	80
PID 196 wrote to memory of 1320	196	ORGANICUP ApS.exe	80
PID 3380 wrote to memory of 3844	3380	ORGANICUP ApS.exe	81
PID 3380 wrote to memory of 3844	3380	ORGANICUP ApS.exe	81
PID 3380 wrote to memory of 3844	3380	ORGANICUP ApS.exe	81
PID 3844 wrote to memory of 4064	3844	ORGANICUP ApS.exe	82
PID 3844 wrote to memory of 4064	3844	ORGANICUP ApS.exe	82
PID 3844 wrote to memory of 4064	3844	ORGANICUP ApS.exe	82
PID 3844 wrote to memory of 4064	3844	ORGANICUP ApS.exe	82
PID 3844 wrote to memory of 4064	3844	ORGANICUP ApS.exe	82
PID 3844 wrote to memory of 4064	3844	ORGANICUP ApS.exe	82
PID 3844 wrote to memory of 4064	3844	ORGANICUP ApS.exe	82
PID 3844 wrote to memory of 4064	3844	ORGANICUP ApS.exe	82
PID 3844 wrote to memory of 4064	3844	ORGANICUP ApS.exe	82
PID 3844 wrote to memory of 4064	3844	ORGANICUP ApS.exe	82
PID 4064 wrote to memory of 2080	4064	ORGANICUP ApS.exe	83
PID 4064 wrote to memory of 2080	4064	ORGANICUP ApS.exe	83
PID 4064 wrote to memory of 2080	4064	ORGANICUP ApS.exe	83
PID 2080 wrote to memory of 3988	2080	ORGANICUP ApS.exe	84
PID 2080 wrote to memory of 3988	2080	ORGANICUP ApS.exe	84
PID 2080 wrote to memory of 3988	2080	ORGANICUP ApS.exe	84
PID 2080 wrote to memory of 3988	2080	ORGANICUP ApS.exe	84
PID 2080 wrote to memory of 3988	2080	ORGANICUP ApS.exe	84
PID 2080 wrote to memory of 3988	2080	ORGANICUP ApS.exe	84
PID 2080 wrote to memory of 3988	2080	ORGANICUP ApS.exe	84
PID 2080 wrote to memory of 3988	2080	ORGANICUP ApS.exe	84
PID 2080 wrote to memory of 3988	2080	ORGANICUP ApS.exe	84
PID 2080 wrote to memory of 3988	2080	ORGANICUP ApS.exe	84
PID 3988 wrote to memory of 716	3988	ORGANICUP ApS.exe	85
PID 3988 wrote to memory of 716	3988	ORGANICUP ApS.exe	85
PID 3988 wrote to memory of 716	3988	ORGANICUP ApS.exe	85
PID 3988 wrote to memory of 716	3988	ORGANICUP ApS.exe	85
PID 3988 wrote to memory of 716	3988	ORGANICUP ApS.exe	85
PID 3988 wrote to memory of 716	3988	ORGANICUP ApS.exe	85
PID 3988 wrote to memory of 716	3988	ORGANICUP ApS.exe	85
PID 3988 wrote to memory of 716	3988	ORGANICUP ApS.exe	85
PID 3988 wrote to memory of 716	3988	ORGANICUP ApS.exe	85
PID 3988 wrote to memory of 716	3988	ORGANICUP ApS.exe	85
PID 716 wrote to memory of 2844	716	ORGANICUP ApS.exe	86
PID 716 wrote to memory of 2844	716	ORGANICUP ApS.exe	86
PID 716 wrote to memory of 2844	716	ORGANICUP ApS.exe	86
PID 3988 wrote to memory of 3928	3988	ORGANICUP ApS.exe	87
PID 3988 wrote to memory of 3928	3988	ORGANICUP ApS.exe	87
PID 3988 wrote to memory of 3928	3988	ORGANICUP ApS.exe	87
PID 3928 wrote to memory of 2372	3928	ORGANICUP ApS.exe	88
PID 3928 wrote to memory of 2372	3928	ORGANICUP ApS.exe	88
PID 3928 wrote to memory of 2372	3928	ORGANICUP ApS.exe	88
PID 3928 wrote to memory of 3880	3928	ORGANICUP ApS.exe	89
PID 3928 wrote to memory of 3880	3928	ORGANICUP ApS.exe	89
PID 3928 wrote to memory of 3880	3928	ORGANICUP ApS.exe	89
PID 3928 wrote to memory of 3880	3928	ORGANICUP ApS.exe	89
PID 3928 wrote to memory of 3880	3928	ORGANICUP ApS.exe	89
PID 3928 wrote to memory of 3880	3928	ORGANICUP ApS.exe	89
PID 3928 wrote to memory of 3880	3928	ORGANICUP ApS.exe	89
PID 3928 wrote to memory of 3880	3928	ORGANICUP ApS.exe	89
PID 3928 wrote to memory of 3880	3928	ORGANICUP ApS.exe	89
PID 3928 wrote to memory of 3880	3928	ORGANICUP ApS.exe	89
PID 3880 wrote to memory of 3692	3880	ORGANICUP ApS.exe	90
PID 3880 wrote to memory of 3692	3880	ORGANICUP ApS.exe	90
PID 3880 wrote to memory of 3692	3880	ORGANICUP ApS.exe	90
PID 3880 wrote to memory of 3692	3880	ORGANICUP ApS.exe	90
PID 3880 wrote to memory of 3692	3880	ORGANICUP ApS.exe	90
PID 3880 wrote to memory of 3692	3880	ORGANICUP ApS.exe	90
PID 3880 wrote to memory of 3692	3880	ORGANICUP ApS.exe	90
PID 3880 wrote to memory of 3692	3880	ORGANICUP ApS.exe	90
PID 3880 wrote to memory of 3692	3880	ORGANICUP ApS.exe	90
PID 3880 wrote to memory of 3692	3880	ORGANICUP ApS.exe	90
PID 3692 wrote to memory of 2136	3692	ORGANICUP ApS.exe	91
PID 3692 wrote to memory of 2136	3692	ORGANICUP ApS.exe	91
PID 3692 wrote to memory of 2136	3692	ORGANICUP ApS.exe	91
PID 3880 wrote to memory of 424	3880	ORGANICUP ApS.exe	92
PID 3880 wrote to memory of 424	3880	ORGANICUP ApS.exe	92
PID 3880 wrote to memory of 424	3880	ORGANICUP ApS.exe	92

C:\Users\Admin\AppData\Local\Temp\ORGANICUP ApS.exe
"C:\Users\Admin\AppData\Local\Temp\ORGANICUP ApS.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:500
- C:\Users\Admin\AppData\Local\Temp\ORGANICUP ApS.exe
  "C:\Users\Admin\AppData\Local\Temp\ORGANICUP ApS.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3380
- - C:\Users\Admin\AppData\Local\Temp\ORGANICUP ApS.exe
    "C:\Users\Admin\AppData\Local\Temp\ORGANICUP ApS.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:196
  - - C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\SysWOW64\explorer.exe"
      4⤵
      PID:1320
- - C:\Users\Admin\AppData\Local\Temp\ORGANICUP ApS.exe
    "C:\Users\Admin\AppData\Local\Temp\ORGANICUP ApS.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3844
  - - C:\Users\Admin\AppData\Local\Temp\ORGANICUP ApS.exe
      "C:\Users\Admin\AppData\Local\Temp\ORGANICUP ApS.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4064
    - - C:\Users\Admin\AppData\Local\Temp\ORGANICUP ApS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ORGANICUP ApS.exe"
        5⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2080
      - C:\Users\Admin\AppData\Local\Temp\ORGANICUP ApS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ORGANICUP ApS.exe"
        6⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\ORGANICUP ApS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ORGANICUP ApS.exe"
        7⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:716
        
        C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        8⤵
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\ORGANICUP ApS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ORGANICUP ApS.exe"
        7⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\ORGANICUP ApS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ORGANICUP ApS.exe"
        8⤵
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\ORGANICUP ApS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ORGANICUP ApS.exe"
        8⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:3880
        
        C:\Users\Admin\AppData\Local\Temp\ORGANICUP ApS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ORGANICUP ApS.exe"
        9⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:3692
        
        C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        10⤵
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\ORGANICUP ApS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ORGANICUP ApS.exe"
        9⤵
        
        PID:424

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/196-9-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/424-60-0x00000000731E0000-0x00000000738CE000-memory.dmp

Filesize
6.9MB

Download
memory/500-1-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/500-3-0x0000000004A90000-0x0000000004B24000-memory.dmp

Filesize
592KB

Download
memory/500-4-0x0000000004E20000-0x0000000004E6A000-memory.dmp

Filesize
296KB

Download
memory/500-5-0x0000000002500000-0x0000000002516000-memory.dmp

Filesize
88KB

Download
memory/500-0-0x0000000073560000-0x0000000073C4E000-memory.dmp

Filesize
6.9MB

Download
memory/716-47-0x0000000000FF0000-0x0000000000FFF000-memory.dmp

Filesize
60KB

Download
memory/1320-11-0x0000000000310000-0x000000000031F000-memory.dmp

Filesize
60KB

Download
memory/2080-28-0x0000000073600000-0x0000000073CEE000-memory.dmp

Filesize
6.9MB

Download
memory/2136-56-0x00000000012B0000-0x00000000012BF000-memory.dmp

Filesize
60KB

Download
memory/2844-39-0x00000000008D0000-0x00000000008DF000-memory.dmp

Filesize
60KB

Download
memory/3380-6-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3380-12-0x0000000003730000-0x0000000003731000-memory.dmp

Filesize
4KB

Download
memory/3380-13-0x0000000003F30000-0x0000000003F31000-memory.dmp

Filesize
4KB

Download
memory/3380-8-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3844-16-0x00000000731E0000-0x00000000738CE000-memory.dmp

Filesize
6.9MB

Download
memory/3880-53-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3880-57-0x0000000003650000-0x0000000003651000-memory.dmp

Filesize
4KB

Download
memory/3880-58-0x0000000003E50000-0x0000000003E51000-memory.dmp

Filesize
4KB

Download
memory/3928-43-0x00000000731E0000-0x00000000738CE000-memory.dmp

Filesize
6.9MB

Download
memory/3988-41-0x00000000034C0000-0x00000000034C1000-memory.dmp

Filesize
4KB

Download
memory/3988-40-0x0000000002CC0000-0x0000000002CC1000-memory.dmp

Filesize
4KB

Download
memory/3988-36-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4064-26-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download