430039aeee4362784600b6b6994b72395c2666aa6d1ad30e6cbf1ed89ecbeaa9

Resubmissions

06-04-2021 16:38

210406-pa5tpj4bra 8

05-04-2021 09:13

210405-ald3l915jn 10

Analysis

max time kernel
61s
max time network
61s
platform
windows7_x64
resource
win7v20201028
submitted
05-04-2021 09:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

updated.exe
Size

5.1MB
MD5

e3749a1c5284b28ad7ded54ed747b6e0
SHA1

c516f5af4ab59ec6750ac86d11f06ee1dd47a1dd
SHA256

430039aeee4362784600b6b6994b72395c2666aa6d1ad30e6cbf1ed89ecbeaa9
SHA512

acd1911e755d715b7c96ea278a6f4ea039884a85ac230913b1bd85b3f1ab6e322d9cbe9e9869a4c9eeeb5460ebeca9591b5e64d48789ded45d8bc0168ec22bb4

Score

1^/10

Malware Config

Signatures

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	3	Go-http-client/1.1

Kills process with taskkill 25 IoCs

evasion

pid	Process
928	taskkill.exe
616	taskkill.exe
1624	taskkill.exe
1292	taskkill.exe
544	taskkill.exe
1592	taskkill.exe
1656	taskkill.exe
912	taskkill.exe
732	taskkill.exe
1468	taskkill.exe
516	taskkill.exe
1800	taskkill.exe
668	taskkill.exe
1028	taskkill.exe
260	taskkill.exe
2120	taskkill.exe
2164	taskkill.exe
2264	taskkill.exe
916	taskkill.exe
556	taskkill.exe
1460	taskkill.exe
1560	taskkill.exe
428	taskkill.exe
2068	taskkill.exe
2204	taskkill.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	912	taskkill.exe
Token: SeDebugPrivilege	616	taskkill.exe
Token: SeDebugPrivilege	1656	taskkill.exe
Token: SeDebugPrivilege	1592	taskkill.exe
Token: SeDebugPrivilege	544	taskkill.exe
Token: SeDebugPrivilege	928	taskkill.exe
Token: SeDebugPrivilege	732	taskkill.exe
Token: SeDebugPrivilege	1560	taskkill.exe
Token: SeDebugPrivilege	1460	taskkill.exe
Token: SeDebugPrivilege	668	taskkill.exe
Token: SeDebugPrivilege	1624	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1020 wrote to memory of 1016	1020	updated.exe	30
PID 1020 wrote to memory of 1016	1020	updated.exe	30
PID 1020 wrote to memory of 1016	1020	updated.exe	30
PID 1020 wrote to memory of 1016	1020	updated.exe	30
PID 1020 wrote to memory of 1016	1020	updated.exe	30
PID 1020 wrote to memory of 1016	1020	updated.exe	30
PID 1020 wrote to memory of 1016	1020	updated.exe	30
PID 1020 wrote to memory of 928	1020	updated.exe	32
PID 1020 wrote to memory of 928	1020	updated.exe	32
PID 1020 wrote to memory of 928	1020	updated.exe	32
PID 1020 wrote to memory of 928	1020	updated.exe	32
PID 1020 wrote to memory of 928	1020	updated.exe	32
PID 1020 wrote to memory of 928	1020	updated.exe	32
PID 1020 wrote to memory of 928	1020	updated.exe	32
PID 1020 wrote to memory of 544	1020	updated.exe	33
PID 1020 wrote to memory of 544	1020	updated.exe	33
PID 1020 wrote to memory of 544	1020	updated.exe	33
PID 1020 wrote to memory of 544	1020	updated.exe	33
PID 1020 wrote to memory of 544	1020	updated.exe	33
PID 1020 wrote to memory of 544	1020	updated.exe	33
PID 1020 wrote to memory of 544	1020	updated.exe	33
PID 1020 wrote to memory of 616	1020	updated.exe	35
PID 1020 wrote to memory of 616	1020	updated.exe	35
PID 1020 wrote to memory of 616	1020	updated.exe	35
PID 1020 wrote to memory of 616	1020	updated.exe	35
PID 1020 wrote to memory of 616	1020	updated.exe	35
PID 1020 wrote to memory of 616	1020	updated.exe	35
PID 1020 wrote to memory of 616	1020	updated.exe	35
PID 1020 wrote to memory of 1624	1020	updated.exe	37
PID 1020 wrote to memory of 1624	1020	updated.exe	37
PID 1020 wrote to memory of 1624	1020	updated.exe	37
PID 1020 wrote to memory of 1624	1020	updated.exe	37
PID 1020 wrote to memory of 1624	1020	updated.exe	37
PID 1020 wrote to memory of 1624	1020	updated.exe	37
PID 1020 wrote to memory of 1624	1020	updated.exe	37
PID 1020 wrote to memory of 916	1020	updated.exe	40
PID 1020 wrote to memory of 916	1020	updated.exe	40
PID 1020 wrote to memory of 916	1020	updated.exe	40
PID 1020 wrote to memory of 916	1020	updated.exe	40
PID 1020 wrote to memory of 916	1020	updated.exe	40
PID 1020 wrote to memory of 916	1020	updated.exe	40
PID 1020 wrote to memory of 916	1020	updated.exe	40
PID 1020 wrote to memory of 668	1020	updated.exe	41
PID 1020 wrote to memory of 668	1020	updated.exe	41
PID 1020 wrote to memory of 668	1020	updated.exe	41
PID 1020 wrote to memory of 668	1020	updated.exe	41
PID 1020 wrote to memory of 668	1020	updated.exe	41
PID 1020 wrote to memory of 668	1020	updated.exe	41
PID 1020 wrote to memory of 668	1020	updated.exe	41
PID 1020 wrote to memory of 1592	1020	updated.exe	43
PID 1020 wrote to memory of 1592	1020	updated.exe	43
PID 1020 wrote to memory of 1592	1020	updated.exe	43
PID 1020 wrote to memory of 1592	1020	updated.exe	43
PID 1020 wrote to memory of 1592	1020	updated.exe	43
PID 1020 wrote to memory of 1592	1020	updated.exe	43
PID 1020 wrote to memory of 1592	1020	updated.exe	43
PID 1020 wrote to memory of 1656	1020	updated.exe	45
PID 1020 wrote to memory of 1656	1020	updated.exe	45
PID 1020 wrote to memory of 1656	1020	updated.exe	45
PID 1020 wrote to memory of 1656	1020	updated.exe	45
PID 1020 wrote to memory of 1656	1020	updated.exe	45
PID 1020 wrote to memory of 1656	1020	updated.exe	45
PID 1020 wrote to memory of 1656	1020	updated.exe	45
PID 1020 wrote to memory of 1028	1020	updated.exe	47

C:\Users\Admin\AppData\Local\Temp\updated.exe
"C:\Users\Admin\AppData\Local\Temp\updated.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1020
- C:\Windows\SysWOW64\mode.com
  mode con cp select=125 vssadmin delete shadows /all
  2⤵
  PID:1016
- C:\Windows\SysWOW64\taskkill.exe
  taskkill.exe /f /im msaccess.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:928
- C:\Windows\SysWOW64\taskkill.exe
  taskkill.exe /f /im sqlagent.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:544
- C:\Windows\SysWOW64\taskkill.exe
  taskkill.exe /f /im mspub.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:616
- C:\Windows\SysWOW64\taskkill.exe
  taskkill.exe /f /im ocssd.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1624
- C:\Windows\SysWOW64\taskkill.exe
  taskkill.exe /f /im tbirdconfig.exe
  2⤵
  - Kills process with taskkill
  PID:916
- C:\Windows\SysWOW64\taskkill.exe
  taskkill.exe /f /im sqlbrowser.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:668
- C:\Windows\SysWOW64\taskkill.exe
  taskkill.exe /f /im mydesktopqos.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1592
- C:\Windows\SysWOW64\taskkill.exe
  taskkill.exe /f /im dbsnmp.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1656
- C:\Windows\SysWOW64\taskkill.exe
  taskkill.exe /f /im thebat64.exe
  2⤵
  - Kills process with taskkill
  PID:1028
- C:\Windows\SysWOW64\taskkill.exe
  taskkill.exe /f /im thunderdird.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:912
- C:\Windows\SysWOW64\taskkill.exe
  taskkill.exe /f /im sqbcoreservice.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:732
- C:\Windows\SysWOW64\taskkill.exe
  taskkill.exe /f /im encsvc.exe
  2⤵
  - Kills process with taskkill
  PID:556
- C:\Windows\SysWOW64\taskkill.exe
  taskkill.exe /f /im winword.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1460
- C:\Windows\SysWOW64\taskkill.exe
  taskkill.exe /f /im dbeng50.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1560
- C:\Windows\SysWOW64\taskkill.exe
  taskkill.exe /f /im ocomm.exe
  2⤵
  - Kills process with taskkill
  PID:1468
- C:\Windows\SysWOW64\taskkill.exe
  taskkill.exe /f /im ocautoupds.exe
  2⤵
  - Kills process with taskkill
  PID:260
- C:\Windows\SysWOW64\taskkill.exe
  taskkill.exe /f /im visio.exe
  2⤵
  - Kills process with taskkill
  PID:516
- C:\Windows\SysWOW64\taskkill.exe
  taskkill.exe /f /im firefoxconfig.exe
  2⤵
  - Kills process with taskkill
  PID:1292
- C:\Windows\SysWOW64\taskkill.exe
  taskkill.exe /f /im sqlservr.exe
  2⤵
  - Kills process with taskkill
  PID:1800
- C:\Windows\SysWOW64\taskkill.exe
  taskkill.exe /f /im infopath.exe
  2⤵
  - Kills process with taskkill
  PID:428
- C:\Windows\SysWOW64\taskkill.exe
  taskkill.exe /f /im thebat.exe
  2⤵
  - Kills process with taskkill
  PID:2068
- C:\Windows\SysWOW64\taskkill.exe
  taskkill.exe /f /im excel.exe
  2⤵
  - Kills process with taskkill
  PID:2120
- C:\Windows\SysWOW64\taskkill.exe
  taskkill.exe /f /im outlook.exe
  2⤵
  - Kills process with taskkill
  PID:2164
- C:\Windows\SysWOW64\taskkill.exe
  taskkill.exe /f /im mysqld.exe
  2⤵
  - Kills process with taskkill
  PID:2204
- C:\Windows\SysWOW64\taskkill.exe
  taskkill.exe /f /im notepad.exe
  2⤵
  - Kills process with taskkill
  PID:2264

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1020-2-0x00000000753E1000-0x00000000753E3000-memory.dmp

Filesize
8KB

Download
memory/1020-3-0x0000000000400000-0x000000000092D000-memory.dmp

Filesize
5.2MB

Download