5accccfe8695d78110cc9c27d79d56ac280879a0d874bb46c42c2a8baf7fe972

General

Target

D3ccF8FfwAXrqsU.exe
Size

1.3MB
MD5

e1c803b57cb1c949b037251a3dbf7d7d
SHA1

efeaac6997f56acb90ed2d28bbcb66929b2002a8
SHA256

5accccfe8695d78110cc9c27d79d56ac280879a0d874bb46c42c2a8baf7fe972
SHA512

fa6a275fc96ff89570b0186a43a3ffddb4a8af49fe50a8cd8698088713fb66764721f7e2cd5d2fce7345fb07b9a68c6a5df89980228ce20a3056b74ec52b909e

Score

9^/10

Malware Config

Signatures

CustAttr .NET packer 1 IoCs

Detects CustAttr .NET packer in memory.

Processes:

resource	yara_rule
behavioral1/memory/1240-63-0x0000000000450000-0x000000000045B000-memory.dmp	CustAttr

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

D3ccF8FfwAXrqsU.exe

pid process

1240 D3ccF8FfwAXrqsU.exe
1240 D3ccF8FfwAXrqsU.exe
1240 D3ccF8FfwAXrqsU.exe
1240 D3ccF8FfwAXrqsU.exe
1240 D3ccF8FfwAXrqsU.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

D3ccF8FfwAXrqsU.exe

description pid process

Token: SeDebugPrivilege 1240 D3ccF8FfwAXrqsU.exe

pid	process
1240	D3ccF8FfwAXrqsU.exe
1240	D3ccF8FfwAXrqsU.exe
1240	D3ccF8FfwAXrqsU.exe
1240	D3ccF8FfwAXrqsU.exe
1240	D3ccF8FfwAXrqsU.exe

description	pid	process
Token: SeDebugPrivilege	1240	D3ccF8FfwAXrqsU.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

D3ccF8FfwAXrqsU.exe

description	pid	process	target process
PID 1240 wrote to memory of 1308	1240	D3ccF8FfwAXrqsU.exe	D3ccF8FfwAXrqsU.exe
PID 1240 wrote to memory of 1308	1240	D3ccF8FfwAXrqsU.exe	D3ccF8FfwAXrqsU.exe
PID 1240 wrote to memory of 1308	1240	D3ccF8FfwAXrqsU.exe	D3ccF8FfwAXrqsU.exe
PID 1240 wrote to memory of 1308	1240	D3ccF8FfwAXrqsU.exe	D3ccF8FfwAXrqsU.exe
PID 1240 wrote to memory of 752	1240	D3ccF8FfwAXrqsU.exe	D3ccF8FfwAXrqsU.exe
PID 1240 wrote to memory of 752	1240	D3ccF8FfwAXrqsU.exe	D3ccF8FfwAXrqsU.exe
PID 1240 wrote to memory of 752	1240	D3ccF8FfwAXrqsU.exe	D3ccF8FfwAXrqsU.exe
PID 1240 wrote to memory of 752	1240	D3ccF8FfwAXrqsU.exe	D3ccF8FfwAXrqsU.exe
PID 1240 wrote to memory of 796	1240	D3ccF8FfwAXrqsU.exe	D3ccF8FfwAXrqsU.exe
PID 1240 wrote to memory of 796	1240	D3ccF8FfwAXrqsU.exe	D3ccF8FfwAXrqsU.exe
PID 1240 wrote to memory of 796	1240	D3ccF8FfwAXrqsU.exe	D3ccF8FfwAXrqsU.exe
PID 1240 wrote to memory of 796	1240	D3ccF8FfwAXrqsU.exe	D3ccF8FfwAXrqsU.exe
PID 1240 wrote to memory of 1768	1240	D3ccF8FfwAXrqsU.exe	D3ccF8FfwAXrqsU.exe
PID 1240 wrote to memory of 1768	1240	D3ccF8FfwAXrqsU.exe	D3ccF8FfwAXrqsU.exe
PID 1240 wrote to memory of 1768	1240	D3ccF8FfwAXrqsU.exe	D3ccF8FfwAXrqsU.exe
PID 1240 wrote to memory of 1768	1240	D3ccF8FfwAXrqsU.exe	D3ccF8FfwAXrqsU.exe
PID 1240 wrote to memory of 276	1240	D3ccF8FfwAXrqsU.exe	D3ccF8FfwAXrqsU.exe
PID 1240 wrote to memory of 276	1240	D3ccF8FfwAXrqsU.exe	D3ccF8FfwAXrqsU.exe
PID 1240 wrote to memory of 276	1240	D3ccF8FfwAXrqsU.exe	D3ccF8FfwAXrqsU.exe
PID 1240 wrote to memory of 276	1240	D3ccF8FfwAXrqsU.exe	D3ccF8FfwAXrqsU.exe

C:\Users\Admin\AppData\Local\Temp\D3ccF8FfwAXrqsU.exe
"C:\Users\Admin\AppData\Local\Temp\D3ccF8FfwAXrqsU.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1240

C:\Users\Admin\AppData\Local\Temp\D3ccF8FfwAXrqsU.exe
"C:\Users\Admin\AppData\Local\Temp\D3ccF8FfwAXrqsU.exe"
2⤵
PID:1308

C:\Users\Admin\AppData\Local\Temp\D3ccF8FfwAXrqsU.exe
"C:\Users\Admin\AppData\Local\Temp\D3ccF8FfwAXrqsU.exe"
2⤵
PID:752

C:\Users\Admin\AppData\Local\Temp\D3ccF8FfwAXrqsU.exe
"C:\Users\Admin\AppData\Local\Temp\D3ccF8FfwAXrqsU.exe"
2⤵
PID:796

C:\Users\Admin\AppData\Local\Temp\D3ccF8FfwAXrqsU.exe
"C:\Users\Admin\AppData\Local\Temp\D3ccF8FfwAXrqsU.exe"
2⤵
PID:1768

C:\Users\Admin\AppData\Local\Temp\D3ccF8FfwAXrqsU.exe
"C:\Users\Admin\AppData\Local\Temp\D3ccF8FfwAXrqsU.exe"
2⤵
PID:276

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1240-60-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/1240-62-0x0000000004F90000-0x0000000004F91000-memory.dmp

Filesize
4KB

Download
memory/1240-63-0x0000000000450000-0x000000000045B000-memory.dmp

Filesize
44KB

Download
memory/1240-64-0x0000000004520000-0x0000000004593000-memory.dmp

Filesize
460KB

Download
memory/1240-65-0x0000000000570000-0x000000000059E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads