430039aeee4362784600b6b6994b72395c2666aa6d1ad30e6cbf1ed89ecbeaa9

Resubmissions

06-04-2021 16:38

210406-pa5tpj4bra 8

05-04-2021 09:13

210405-ald3l915jn 10

Analysis

max time kernel
62s
max time network
57s
platform
windows7_x64
resource
win7v20201028
submitted
06-04-2021 16:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

updated.exe
Size

5.1MB
MD5

e3749a1c5284b28ad7ded54ed747b6e0
SHA1

c516f5af4ab59ec6750ac86d11f06ee1dd47a1dd
SHA256

430039aeee4362784600b6b6994b72395c2666aa6d1ad30e6cbf1ed89ecbeaa9
SHA512

acd1911e755d715b7c96ea278a6f4ea039884a85ac230913b1bd85b3f1ab6e322d9cbe9e9869a4c9eeeb5460ebeca9591b5e64d48789ded45d8bc0168ec22bb4

Score

1^/10

Malware Config

Signatures

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	3	Go-http-client/1.1

Kills process with taskkill 15 IoCs

evasion

pid	Process
1684	taskkill.exe
1696	taskkill.exe
2096	taskkill.exe
1928	taskkill.exe
1976	taskkill.exe
1948	taskkill.exe
1040	taskkill.exe
1660	taskkill.exe
1792	taskkill.exe
1316	taskkill.exe
2168	taskkill.exe
2240	taskkill.exe
1096	taskkill.exe
1284	taskkill.exe
952	taskkill.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	1660	taskkill.exe
Token: SeDebugPrivilege	1684	taskkill.exe
Token: SeDebugPrivilege	1096	taskkill.exe
Token: SeDebugPrivilege	1284	taskkill.exe
Token: SeDebugPrivilege	1696	taskkill.exe
Token: SeDebugPrivilege	1928	taskkill.exe
Token: SeDebugPrivilege	1976	taskkill.exe
Token: SeDebugPrivilege	1948	taskkill.exe
Token: SeDebugPrivilege	1040	taskkill.exe
Token: SeDebugPrivilege	1792	taskkill.exe
Token: SeDebugPrivilege	1316	taskkill.exe
Token: SeDebugPrivilege	952	taskkill.exe
Token: SeDebugPrivilege	2096	taskkill.exe
Token: SeDebugPrivilege	2168	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1616 wrote to memory of 1360	1616	updated.exe	29
PID 1616 wrote to memory of 1360	1616	updated.exe	29
PID 1616 wrote to memory of 1360	1616	updated.exe	29
PID 1616 wrote to memory of 1360	1616	updated.exe	29
PID 1616 wrote to memory of 1360	1616	updated.exe	29
PID 1616 wrote to memory of 1360	1616	updated.exe	29
PID 1616 wrote to memory of 1360	1616	updated.exe	29
PID 1616 wrote to memory of 1660	1616	updated.exe	31
PID 1616 wrote to memory of 1660	1616	updated.exe	31
PID 1616 wrote to memory of 1660	1616	updated.exe	31
PID 1616 wrote to memory of 1660	1616	updated.exe	31
PID 1616 wrote to memory of 1660	1616	updated.exe	31
PID 1616 wrote to memory of 1660	1616	updated.exe	31
PID 1616 wrote to memory of 1660	1616	updated.exe	31
PID 1616 wrote to memory of 1684	1616	updated.exe	33
PID 1616 wrote to memory of 1684	1616	updated.exe	33
PID 1616 wrote to memory of 1684	1616	updated.exe	33
PID 1616 wrote to memory of 1684	1616	updated.exe	33
PID 1616 wrote to memory of 1684	1616	updated.exe	33
PID 1616 wrote to memory of 1684	1616	updated.exe	33
PID 1616 wrote to memory of 1684	1616	updated.exe	33
PID 1616 wrote to memory of 1096	1616	updated.exe	34
PID 1616 wrote to memory of 1096	1616	updated.exe	34
PID 1616 wrote to memory of 1096	1616	updated.exe	34
PID 1616 wrote to memory of 1096	1616	updated.exe	34
PID 1616 wrote to memory of 1096	1616	updated.exe	34
PID 1616 wrote to memory of 1096	1616	updated.exe	34
PID 1616 wrote to memory of 1096	1616	updated.exe	34
PID 1616 wrote to memory of 1284	1616	updated.exe	36
PID 1616 wrote to memory of 1284	1616	updated.exe	36
PID 1616 wrote to memory of 1284	1616	updated.exe	36
PID 1616 wrote to memory of 1284	1616	updated.exe	36
PID 1616 wrote to memory of 1284	1616	updated.exe	36
PID 1616 wrote to memory of 1284	1616	updated.exe	36
PID 1616 wrote to memory of 1284	1616	updated.exe	36
PID 1616 wrote to memory of 1696	1616	updated.exe	39
PID 1616 wrote to memory of 1696	1616	updated.exe	39
PID 1616 wrote to memory of 1696	1616	updated.exe	39
PID 1616 wrote to memory of 1696	1616	updated.exe	39
PID 1616 wrote to memory of 1696	1616	updated.exe	39
PID 1616 wrote to memory of 1696	1616	updated.exe	39
PID 1616 wrote to memory of 1696	1616	updated.exe	39
PID 1616 wrote to memory of 1928	1616	updated.exe	41
PID 1616 wrote to memory of 1928	1616	updated.exe	41
PID 1616 wrote to memory of 1928	1616	updated.exe	41
PID 1616 wrote to memory of 1928	1616	updated.exe	41
PID 1616 wrote to memory of 1928	1616	updated.exe	41
PID 1616 wrote to memory of 1928	1616	updated.exe	41
PID 1616 wrote to memory of 1928	1616	updated.exe	41
PID 1616 wrote to memory of 1976	1616	updated.exe	43
PID 1616 wrote to memory of 1976	1616	updated.exe	43
PID 1616 wrote to memory of 1976	1616	updated.exe	43
PID 1616 wrote to memory of 1976	1616	updated.exe	43
PID 1616 wrote to memory of 1976	1616	updated.exe	43
PID 1616 wrote to memory of 1976	1616	updated.exe	43
PID 1616 wrote to memory of 1976	1616	updated.exe	43
PID 1616 wrote to memory of 1948	1616	updated.exe	46
PID 1616 wrote to memory of 1948	1616	updated.exe	46
PID 1616 wrote to memory of 1948	1616	updated.exe	46
PID 1616 wrote to memory of 1948	1616	updated.exe	46
PID 1616 wrote to memory of 1948	1616	updated.exe	46
PID 1616 wrote to memory of 1948	1616	updated.exe	46
PID 1616 wrote to memory of 1948	1616	updated.exe	46
PID 1616 wrote to memory of 1040	1616	updated.exe	48

C:\Users\Admin\AppData\Local\Temp\updated.exe
"C:\Users\Admin\AppData\Local\Temp\updated.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1616
- C:\Windows\SysWOW64\mode.com
  mode con cp select=125 vssadmin delete shadows /all
  2⤵
  PID:1360
- C:\Windows\SysWOW64\taskkill.exe
  taskkill.exe /f /im msaccess.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1660
- C:\Windows\SysWOW64\taskkill.exe
  taskkill.exe /f /im sqlagent.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1684
- C:\Windows\SysWOW64\taskkill.exe
  taskkill.exe /f /im mspub.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1096
- C:\Windows\SysWOW64\taskkill.exe
  taskkill.exe /f /im ocssd.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1284
- C:\Windows\SysWOW64\taskkill.exe
  taskkill.exe /f /im tbirdconfig.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1696
- C:\Windows\SysWOW64\taskkill.exe
  taskkill.exe /f /im sqlbrowser.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1928
- C:\Windows\SysWOW64\taskkill.exe
  taskkill.exe /f /im mydesktopqos.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1976
- C:\Windows\SysWOW64\taskkill.exe
  taskkill.exe /f /im dbsnmp.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1948
- C:\Windows\SysWOW64\taskkill.exe
  taskkill.exe /f /im thebat64.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1040
- C:\Windows\SysWOW64\taskkill.exe
  taskkill.exe /f /im thunderdird.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1792
- C:\Windows\SysWOW64\taskkill.exe
  taskkill.exe /f /im sqbcoreservice.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1316
- C:\Windows\SysWOW64\taskkill.exe
  taskkill.exe /f /im encsvc.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:952
- C:\Windows\SysWOW64\taskkill.exe
  taskkill.exe /f /im winword.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2096
- C:\Windows\SysWOW64\taskkill.exe
  taskkill.exe /f /im dbeng50.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2168
- C:\Windows\SysWOW64\taskkill.exe
  taskkill.exe /f /im ocomm.exe
  2⤵
  - Kills process with taskkill
  PID:2240

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1616-3-0x0000000000400000-0x000000000092D000-memory.dmp

Filesize
5.2MB

Download
memory/1616-2-0x00000000765A1000-0x00000000765A3000-memory.dmp

Filesize
8KB

Download