430039aeee4362784600b6b6994b72395c2666aa6d1ad30e6cbf1ed89ecbeaa9

General

Target

updated.exe
Size

5.1MB
MD5

e3749a1c5284b28ad7ded54ed747b6e0
SHA1

c516f5af4ab59ec6750ac86d11f06ee1dd47a1dd
SHA256

430039aeee4362784600b6b6994b72395c2666aa6d1ad30e6cbf1ed89ecbeaa9
SHA512

acd1911e755d715b7c96ea278a6f4ea039884a85ac230913b1bd85b3f1ab6e322d9cbe9e9869a4c9eeeb5460ebeca9591b5e64d48789ded45d8bc0168ec22bb4

Score

1^/10

Malware Config

Signatures

GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 3 Go-http-client/1.1

description	flow	ioc
HTTP User-Agent header	3	Go-http-client/1.1

Kills process with taskkill 25 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
928	taskkill.exe
616	taskkill.exe
1624	taskkill.exe
1292	taskkill.exe
544	taskkill.exe
1592	taskkill.exe
1656	taskkill.exe
912	taskkill.exe
732	taskkill.exe
1468	taskkill.exe
516	taskkill.exe
1800	taskkill.exe
668	taskkill.exe
1028	taskkill.exe
260	taskkill.exe
2120	taskkill.exe
2164	taskkill.exe
2264	taskkill.exe
916	taskkill.exe
556	taskkill.exe
1460	taskkill.exe
1560	taskkill.exe
428	taskkill.exe
2068	taskkill.exe
2204	taskkill.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	912	taskkill.exe
Token: SeDebugPrivilege	616	taskkill.exe
Token: SeDebugPrivilege	1656	taskkill.exe
Token: SeDebugPrivilege	1592	taskkill.exe
Token: SeDebugPrivilege	544	taskkill.exe
Token: SeDebugPrivilege	928	taskkill.exe
Token: SeDebugPrivilege	732	taskkill.exe
Token: SeDebugPrivilege	1560	taskkill.exe
Token: SeDebugPrivilege	1460	taskkill.exe
Token: SeDebugPrivilege	668	taskkill.exe
Token: SeDebugPrivilege	1624	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

updated.exe

description	pid	process	target process
PID 1020 wrote to memory of 1016	1020	updated.exe	mode.com
PID 1020 wrote to memory of 1016	1020	updated.exe	mode.com
PID 1020 wrote to memory of 1016	1020	updated.exe	mode.com
PID 1020 wrote to memory of 1016	1020	updated.exe	mode.com
PID 1020 wrote to memory of 1016	1020	updated.exe	mode.com
PID 1020 wrote to memory of 1016	1020	updated.exe	mode.com
PID 1020 wrote to memory of 1016	1020	updated.exe	mode.com
PID 1020 wrote to memory of 928	1020	updated.exe	taskkill.exe
PID 1020 wrote to memory of 928	1020	updated.exe	taskkill.exe
PID 1020 wrote to memory of 928	1020	updated.exe	taskkill.exe
PID 1020 wrote to memory of 928	1020	updated.exe	taskkill.exe
PID 1020 wrote to memory of 928	1020	updated.exe	taskkill.exe
PID 1020 wrote to memory of 928	1020	updated.exe	taskkill.exe
PID 1020 wrote to memory of 928	1020	updated.exe	taskkill.exe
PID 1020 wrote to memory of 544	1020	updated.exe	taskkill.exe
PID 1020 wrote to memory of 544	1020	updated.exe	taskkill.exe
PID 1020 wrote to memory of 544	1020	updated.exe	taskkill.exe
PID 1020 wrote to memory of 544	1020	updated.exe	taskkill.exe
PID 1020 wrote to memory of 544	1020	updated.exe	taskkill.exe
PID 1020 wrote to memory of 544	1020	updated.exe	taskkill.exe
PID 1020 wrote to memory of 544	1020	updated.exe	taskkill.exe
PID 1020 wrote to memory of 616	1020	updated.exe	taskkill.exe
PID 1020 wrote to memory of 616	1020	updated.exe	taskkill.exe
PID 1020 wrote to memory of 616	1020	updated.exe	taskkill.exe
PID 1020 wrote to memory of 616	1020	updated.exe	taskkill.exe
PID 1020 wrote to memory of 616	1020	updated.exe	taskkill.exe
PID 1020 wrote to memory of 616	1020	updated.exe	taskkill.exe
PID 1020 wrote to memory of 616	1020	updated.exe	taskkill.exe
PID 1020 wrote to memory of 1624	1020	updated.exe	taskkill.exe
PID 1020 wrote to memory of 1624	1020	updated.exe	taskkill.exe
PID 1020 wrote to memory of 1624	1020	updated.exe	taskkill.exe
PID 1020 wrote to memory of 1624	1020	updated.exe	taskkill.exe
PID 1020 wrote to memory of 1624	1020	updated.exe	taskkill.exe
PID 1020 wrote to memory of 1624	1020	updated.exe	taskkill.exe
PID 1020 wrote to memory of 1624	1020	updated.exe	taskkill.exe
PID 1020 wrote to memory of 916	1020	updated.exe	taskkill.exe
PID 1020 wrote to memory of 916	1020	updated.exe	taskkill.exe
PID 1020 wrote to memory of 916	1020	updated.exe	taskkill.exe
PID 1020 wrote to memory of 916	1020	updated.exe	taskkill.exe
PID 1020 wrote to memory of 916	1020	updated.exe	taskkill.exe
PID 1020 wrote to memory of 916	1020	updated.exe	taskkill.exe
PID 1020 wrote to memory of 916	1020	updated.exe	taskkill.exe
PID 1020 wrote to memory of 668	1020	updated.exe	taskkill.exe
PID 1020 wrote to memory of 668	1020	updated.exe	taskkill.exe
PID 1020 wrote to memory of 668	1020	updated.exe	taskkill.exe
PID 1020 wrote to memory of 668	1020	updated.exe	taskkill.exe
PID 1020 wrote to memory of 668	1020	updated.exe	taskkill.exe
PID 1020 wrote to memory of 668	1020	updated.exe	taskkill.exe
PID 1020 wrote to memory of 668	1020	updated.exe	taskkill.exe
PID 1020 wrote to memory of 1592	1020	updated.exe	taskkill.exe
PID 1020 wrote to memory of 1592	1020	updated.exe	taskkill.exe
PID 1020 wrote to memory of 1592	1020	updated.exe	taskkill.exe
PID 1020 wrote to memory of 1592	1020	updated.exe	taskkill.exe
PID 1020 wrote to memory of 1592	1020	updated.exe	taskkill.exe
PID 1020 wrote to memory of 1592	1020	updated.exe	taskkill.exe
PID 1020 wrote to memory of 1592	1020	updated.exe	taskkill.exe
PID 1020 wrote to memory of 1656	1020	updated.exe	taskkill.exe
PID 1020 wrote to memory of 1656	1020	updated.exe	taskkill.exe
PID 1020 wrote to memory of 1656	1020	updated.exe	taskkill.exe
PID 1020 wrote to memory of 1656	1020	updated.exe	taskkill.exe
PID 1020 wrote to memory of 1656	1020	updated.exe	taskkill.exe
PID 1020 wrote to memory of 1656	1020	updated.exe	taskkill.exe
PID 1020 wrote to memory of 1656	1020	updated.exe	taskkill.exe
PID 1020 wrote to memory of 1028	1020	updated.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\updated.exe
"C:\Users\Admin\AppData\Local\Temp\updated.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1020

C:\Windows\SysWOW64\mode.com
mode con cp select=125 vssadmin delete shadows /all
2⤵
PID:1016

C:\Windows\SysWOW64\taskkill.exe
taskkill.exe /f /im msaccess.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:928

C:\Windows\SysWOW64\taskkill.exe
taskkill.exe /f /im sqlagent.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:544

C:\Windows\SysWOW64\taskkill.exe
taskkill.exe /f /im mspub.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:616

C:\Windows\SysWOW64\taskkill.exe
taskkill.exe /f /im ocssd.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1624

C:\Windows\SysWOW64\taskkill.exe
taskkill.exe /f /im tbirdconfig.exe
2⤵
- Kills process with taskkill
PID:916

C:\Windows\SysWOW64\taskkill.exe
taskkill.exe /f /im sqlbrowser.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:668

C:\Windows\SysWOW64\taskkill.exe
taskkill.exe /f /im mydesktopqos.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1592

C:\Windows\SysWOW64\taskkill.exe
taskkill.exe /f /im dbsnmp.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\Windows\SysWOW64\taskkill.exe
taskkill.exe /f /im thebat64.exe
2⤵
- Kills process with taskkill
PID:1028

C:\Windows\SysWOW64\taskkill.exe
taskkill.exe /f /im thunderdird.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:912

C:\Windows\SysWOW64\taskkill.exe
taskkill.exe /f /im sqbcoreservice.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:732

C:\Windows\SysWOW64\taskkill.exe
taskkill.exe /f /im encsvc.exe
2⤵
- Kills process with taskkill
PID:556

C:\Windows\SysWOW64\taskkill.exe
taskkill.exe /f /im winword.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1460

C:\Windows\SysWOW64\taskkill.exe
taskkill.exe /f /im dbeng50.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1560

C:\Windows\SysWOW64\taskkill.exe
taskkill.exe /f /im ocomm.exe
2⤵
- Kills process with taskkill
PID:1468

C:\Windows\SysWOW64\taskkill.exe
taskkill.exe /f /im ocautoupds.exe
2⤵
- Kills process with taskkill
PID:260

C:\Windows\SysWOW64\taskkill.exe
taskkill.exe /f /im visio.exe
2⤵
- Kills process with taskkill
PID:516

C:\Windows\SysWOW64\taskkill.exe
taskkill.exe /f /im firefoxconfig.exe
2⤵
- Kills process with taskkill
PID:1292

C:\Windows\SysWOW64\taskkill.exe
taskkill.exe /f /im sqlservr.exe
2⤵
- Kills process with taskkill
PID:1800

C:\Windows\SysWOW64\taskkill.exe
taskkill.exe /f /im infopath.exe
2⤵
- Kills process with taskkill
PID:428

C:\Windows\SysWOW64\taskkill.exe
taskkill.exe /f /im thebat.exe
2⤵
- Kills process with taskkill
PID:2068

C:\Windows\SysWOW64\taskkill.exe
taskkill.exe /f /im excel.exe
2⤵
- Kills process with taskkill
PID:2120

C:\Windows\SysWOW64\taskkill.exe
taskkill.exe /f /im outlook.exe
2⤵
- Kills process with taskkill
PID:2164

C:\Windows\SysWOW64\taskkill.exe
taskkill.exe /f /im mysqld.exe
2⤵
- Kills process with taskkill
PID:2204

C:\Windows\SysWOW64\taskkill.exe
taskkill.exe /f /im notepad.exe
2⤵
- Kills process with taskkill
PID:2264

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/260-39-0x0000000000000000-mapping.dmp

Download
memory/428-45-0x0000000000000000-mapping.dmp

Download
memory/516-40-0x0000000000000000-mapping.dmp

Download
memory/544-12-0x0000000000000000-mapping.dmp

Download
memory/556-31-0x0000000000000000-mapping.dmp

Download
memory/616-13-0x0000000000000000-mapping.dmp

Download
memory/668-16-0x0000000000000000-mapping.dmp

Download
memory/732-28-0x0000000000000000-mapping.dmp

Download
memory/912-27-0x0000000000000000-mapping.dmp

Download
memory/916-15-0x0000000000000000-mapping.dmp

Download
memory/928-11-0x0000000000000000-mapping.dmp

Download
memory/1016-9-0x0000000000000000-mapping.dmp

Download
memory/1020-2-0x00000000753E1000-0x00000000753E3000-memory.dmp

Filesize
8KB

Download
memory/1020-3-0x0000000000400000-0x000000000092D000-memory.dmp

Filesize
5.2MB

Download
memory/1028-26-0x0000000000000000-mapping.dmp

Download
memory/1292-42-0x0000000000000000-mapping.dmp

Download
memory/1460-32-0x0000000000000000-mapping.dmp

Download
memory/1468-36-0x0000000000000000-mapping.dmp

Download
memory/1560-33-0x0000000000000000-mapping.dmp

Download
memory/1592-17-0x0000000000000000-mapping.dmp

Download
memory/1624-14-0x0000000000000000-mapping.dmp

Download
memory/1656-25-0x0000000000000000-mapping.dmp

Download
memory/1800-43-0x0000000000000000-mapping.dmp

Download
memory/2068-46-0x0000000000000000-mapping.dmp

Download
memory/2120-49-0x0000000000000000-mapping.dmp

Download
memory/2164-51-0x0000000000000000-mapping.dmp

Download
memory/2204-53-0x0000000000000000-mapping.dmp

Download
memory/2264-55-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads