06cce4b7854749f9aecb85698eabfb3cee76b37fd345c97ba5071c2bb3978193

Reason

Remote task has failed: Machine shutdown

General

Target

MAN/Installer.exe
Size

1.6MB
MD5

8a1995805ad65999ec546a1074ac9887
SHA1

11d5589ca5ebb127ea57b89ee5da89e0b64fa4c6
SHA256

2040517dac0b553d4a589bb8c14ca4329022e0ce5e5d0ef0f2c08a2deb10fb5b
SHA512

cad4e187956e4db24d291ea725caf89439440eb97ebe9fa76438b76ada66ecc01a4143bf688c6506ec5148c79338e7f581305d2cb8ad17552c558c62706ae777

Score

9^/10

Malware Config

Signatures

CustAttr .NET packer 1 IoCs

Detects CustAttr .NET packer in memory.

Processes:

resource	yara_rule
behavioral3/memory/1756-64-0x0000000000580000-0x000000000058B000-memory.dmp	CustAttr

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

Installer.exe

pid	process
1756	Installer.exe
1756	Installer.exe
1756	Installer.exe
1756	Installer.exe
1756	Installer.exe
1756	Installer.exe
1756	Installer.exe
1756	Installer.exe
1756	Installer.exe
1756	Installer.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

Installer.exeAUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	1756	Installer.exe
Token: 33	756	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	756	AUDIODG.EXE
Token: 33	756	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	756	AUDIODG.EXE

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

Installer.exe

description	pid	process	target process
PID 1756 wrote to memory of 676	1756	Installer.exe	Installer.exe
PID 1756 wrote to memory of 676	1756	Installer.exe	Installer.exe
PID 1756 wrote to memory of 676	1756	Installer.exe	Installer.exe
PID 1756 wrote to memory of 676	1756	Installer.exe	Installer.exe
PID 1756 wrote to memory of 676	1756	Installer.exe	Installer.exe
PID 1756 wrote to memory of 676	1756	Installer.exe	Installer.exe
PID 1756 wrote to memory of 676	1756	Installer.exe	Installer.exe
PID 1756 wrote to memory of 904	1756	Installer.exe	Installer.exe
PID 1756 wrote to memory of 904	1756	Installer.exe	Installer.exe
PID 1756 wrote to memory of 904	1756	Installer.exe	Installer.exe
PID 1756 wrote to memory of 904	1756	Installer.exe	Installer.exe
PID 1756 wrote to memory of 904	1756	Installer.exe	Installer.exe
PID 1756 wrote to memory of 904	1756	Installer.exe	Installer.exe
PID 1756 wrote to memory of 904	1756	Installer.exe	Installer.exe
PID 1756 wrote to memory of 932	1756	Installer.exe	Installer.exe
PID 1756 wrote to memory of 932	1756	Installer.exe	Installer.exe
PID 1756 wrote to memory of 932	1756	Installer.exe	Installer.exe
PID 1756 wrote to memory of 932	1756	Installer.exe	Installer.exe
PID 1756 wrote to memory of 932	1756	Installer.exe	Installer.exe
PID 1756 wrote to memory of 932	1756	Installer.exe	Installer.exe
PID 1756 wrote to memory of 932	1756	Installer.exe	Installer.exe
PID 1756 wrote to memory of 368	1756	Installer.exe	Installer.exe
PID 1756 wrote to memory of 368	1756	Installer.exe	Installer.exe
PID 1756 wrote to memory of 368	1756	Installer.exe	Installer.exe
PID 1756 wrote to memory of 368	1756	Installer.exe	Installer.exe
PID 1756 wrote to memory of 368	1756	Installer.exe	Installer.exe
PID 1756 wrote to memory of 368	1756	Installer.exe	Installer.exe
PID 1756 wrote to memory of 368	1756	Installer.exe	Installer.exe
PID 1756 wrote to memory of 1604	1756	Installer.exe	Installer.exe
PID 1756 wrote to memory of 1604	1756	Installer.exe	Installer.exe
PID 1756 wrote to memory of 1604	1756	Installer.exe	Installer.exe
PID 1756 wrote to memory of 1604	1756	Installer.exe	Installer.exe
PID 1756 wrote to memory of 1604	1756	Installer.exe	Installer.exe
PID 1756 wrote to memory of 1604	1756	Installer.exe	Installer.exe
PID 1756 wrote to memory of 1604	1756	Installer.exe	Installer.exe

C:\Users\Admin\AppData\Local\Temp\MAN\Installer.exe
"C:\Users\Admin\AppData\Local\Temp\MAN\Installer.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1756

C:\Users\Admin\AppData\Local\Temp\MAN\Installer.exe
"C:\Users\Admin\AppData\Local\Temp\MAN\Installer.exe"
2⤵
PID:676

C:\Users\Admin\AppData\Local\Temp\MAN\Installer.exe
"C:\Users\Admin\AppData\Local\Temp\MAN\Installer.exe"
2⤵
PID:904

C:\Users\Admin\AppData\Local\Temp\MAN\Installer.exe
"C:\Users\Admin\AppData\Local\Temp\MAN\Installer.exe"
2⤵
PID:932

C:\Users\Admin\AppData\Local\Temp\MAN\Installer.exe
"C:\Users\Admin\AppData\Local\Temp\MAN\Installer.exe"
2⤵
PID:368

C:\Users\Admin\AppData\Local\Temp\MAN\Installer.exe
"C:\Users\Admin\AppData\Local\Temp\MAN\Installer.exe"
2⤵
PID:1604

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1196

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x5a4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:756

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1572

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1196-67-0x000007FEFBD21000-0x000007FEFBD23000-memory.dmp

Filesize
8KB

Download
memory/1196-68-0x00000000027C0000-0x00000000027C1000-memory.dmp

Filesize
4KB

Download
memory/1572-70-0x0000000002760000-0x0000000002761000-memory.dmp

Filesize
4KB

Download
memory/1756-60-0x0000000075FE1000-0x0000000075FE3000-memory.dmp

Filesize
8KB

Download
memory/1756-61-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1756-63-0x0000000004790000-0x0000000004791000-memory.dmp

Filesize
4KB

Download
memory/1756-64-0x0000000000580000-0x000000000058B000-memory.dmp

Filesize
44KB

Download
memory/1756-65-0x0000000004FF0000-0x0000000005077000-memory.dmp

Filesize
540KB

Download
memory/1756-66-0x0000000000AC0000-0x0000000000ADC000-memory.dmp

Filesize
112KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads