Analysis
Max time kernel: 108s
Max time network: 129s
Platform: windows10_x64
Resource: win10-en-20211014
Submitted: 21-10-2021 12:05
Static task: static1
Behavioral task: behavioral1
  Sample: e02e5c6a19494f4f8db40abb8d287e69e36c52977da9ac8c2fb3ddda8afda264.exe
  Resource: win7-en-20210920
Behavioral task: behavioral2
  Sample: e02e5c6a19494f4f8db40abb8d287e69e36c52977da9ac8c2fb3ddda8afda264.exe
  Resource: win10-en-20211014
General
Target: e02e5c6a19494f4f8db40abb8d287e69e36c52977da9ac8c2fb3ddda8afda264.exe
Size: 190KB
MD5: c8b959ef2d758a41a5f152f69c92d925
SHA1: d7075192df45409fc111d642d861ce52a45cb2b1
SHA256: e02e5c6a19494f4f8db40abb8d287e69e36c52977da9ac8c2fb3ddda8afda264
SHA512: d4717d0f74a7aec1e103c5152c49fee597366326578524b9adb5428dcd18112bfa10185a6e31d3070f8a9fce4d36daed0ee3be402987e7a29458cbcceecc42ea
Malware Config
Signatures
- suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
- Downloads MZ/PE file
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid  | process
  3488 | e02e5c6a19494f4f8db40abb8d287e69e36c52977da9ac8c2fb3ddda8afda264.exe
  3488 | e02e5c6a19494f4f8db40abb8d287e69e36c52977da9ac8c2fb3ddda8afda264.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description             | pid  | process
  Token: SeDebugPrivilege | 3488 | e02e5c6a19494f4f8db40abb8d287e69e36c52977da9ac8c2fb3ddda8afda264.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description                      | pid  | process                                                              | target process
  PID 3488 wrote to memory of 1524 | 3488 | e02e5c6a19494f4f8db40abb8d287e69e36c52977da9ac8c2fb3ddda8afda264.exe | aspnet_compiler.exe
  PID 3488 wrote to memory of 1524 | 3488 | e02e5c6a19494f4f8db40abb8d287e69e36c52977da9ac8c2fb3ddda8afda264.exe | aspnet_compiler.exe
  PID 3488 wrote to memory of 1524 | 3488 | e02e5c6a19494f4f8db40abb8d287e69e36c52977da9ac8c2fb3ddda8afda264.exe | aspnet_compiler.exe
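The two Suricata alerts and the "Downloads MZ/PE file" signature above describe what the sample fetched rather than what it did locally. The following is an added example, not part of the sandbox report or of the sample: a Python approximation of the URI heuristic the two Emerging Threats rules encode (an .exe fetched by a one-character name, or by a terse all-alphanumeric name; the real rules also match on HTTP method, headers and flow direction, and the length bound used here is an assumption), alongside the MZ/PE header check that a "Downloads MZ/PE file" signature relies on. The request lines and byte blobs are constructed for the example, not traffic or files captured from this run.

```python
import re
import struct
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Approximation of the URI part of the two ET alerts above. Assumed patterns,
# not the rule text: ET also keys on method, headers and flow direction.
SINGLE_CHAR_EXE = re.compile(r"^/[a-z0-9]\.exe$", re.IGNORECASE)
TERSE_ALNUM_EXE = re.compile(r"^/[a-z0-9]{2,8}\.exe$", re.IGNORECASE)  # length bound assumed


def classify_uri(uri: str) -> Optional[str]:
    """Return which download heuristic a request URI trips, or None."""
    path = urlsplit(uri).path
    if SINGLE_CHAR_EXE.match(path):
        return "single_char_exe"
    if TERSE_ALNUM_EXE.match(path):
        return "terse_alnum_exe"
    return None


def scan_request_lines(lines: List[str]) -> List[Tuple[str, str]]:
    """Run classify_uri over raw HTTP request lines such as 'GET /a.exe HTTP/1.1'."""
    hits: List[Tuple[str, str]] = []
    for line in lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        tag = classify_uri(parts[1])
        if tag:
            hits.append((parts[1], tag))
    return hits


def looks_like_pe(data: bytes) -> bool:
    """The check behind a 'Downloads MZ/PE file' verdict: a DOS 'MZ' stub and a
    'PE\\0\\0' signature at the e_lfanew offset stored at 0x3C."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


# Constructed sample inputs, not traffic or files from this sandbox run.
SAMPLE_REQUESTS = [
    "GET /a.exe HTTP/1.1",
    "GET /f3x7.exe HTTP/1.1",
    "GET /downloads/Setup-2021.10.exe HTTP/1.1",
    "GET /index.html HTTP/1.1",
]

# Minimal PE-shaped blob: 'MZ', e_lfanew = 0x40, 'PE\0\0' at offset 0x40.
FAKE_PE = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00"
NOT_PE = b"<html><body>not an executable</body></html>"

if __name__ == "__main__":
    for uri, tag in scan_request_lines(SAMPLE_REQUESTS):
        print(f"{tag:16s} {uri}")
    print("FAKE_PE looks like PE:", looks_like_pe(FAKE_PE))
    print("NOT_PE looks like PE:", looks_like_pe(NOT_PE))
```

Only the two terse names are flagged; a descriptive installer path and a non-executable request pass through, which is the trade-off these rules make between catching one-letter droppers and staying quiet on ordinary software downloads.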
Processes
1. C:\Users\Admin\AppData\Local\Temp\e02e5c6a19494f4f8db40abb8d287e69e36c52977da9ac8c2fb3ddda8afda264.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\e02e5c6a19494f4f8db40abb8d287e69e36c52977da9ac8c2fb3ddda8afda264.exe"
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe (child of 1)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
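The process tree and the WriteProcessMemory IoCs above have the classic shape of process injection into a signed .NET framework host: a binary running from the user's Temp directory spawns aspnet_compiler.exe with no arguments, enables SeDebugPrivilege, and writes into the child's memory three times. The following is an added example, not part of the report or of the sample: a Python scorer over Sysmon-style ProcessCreate/ProcessAccess events (with a token-adjust event standing in for the privilege change) that reconstructs that chain and ranks it. The event records are constructed from the PIDs and paths in the report; the host watch-list, the granted-access value and the scoring weights are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Hypothetical detection over Sysmon-style telemetry. The events below are
# constructed from the PIDs and paths in the report, not exported from it.

TEMP_MARKER = "\\appdata\\local\\temp\\"
# .NET framework binaries commonly launched as an injection host; aspnet_compiler.exe
# is the one seen in this run, the others are an assumed watch-list.
DOTNET_HOSTS = {"aspnet_compiler.exe", "regasm.exe", "regsvcs.exe",
                "installutil.exe", "msbuild.exe"}
PROCESS_VM_WRITE = 0x0020  # access right WriteProcessMemory needs on the target


@dataclass
class Event:
    kind: str                        # ProcessCreate | ProcessAccess | TokenAdjust
    pid: int
    image: str = ""
    parent_pid: Optional[int] = None
    command_line: str = ""
    target_pid: Optional[int] = None
    granted_access: int = 0
    privilege: str = ""


@dataclass
class Finding:
    source_pid: int
    target_pid: int
    score: int
    reasons: List[str]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_injection_chains(events: List[Event]) -> List[Finding]:
    """Group cross-process memory writes and score each source->target pair."""
    procs: Dict[int, Event] = {e.pid: e for e in events if e.kind == "ProcessCreate"}
    debug_priv = {e.pid for e in events
                  if e.kind == "TokenAdjust" and e.privilege == "SeDebugPrivilege"}
    writes: Dict[Tuple[int, int], int] = {}
    for e in events:
        if e.kind == "ProcessAccess" and e.target_pid is not None \
                and e.granted_access & PROCESS_VM_WRITE:
            key = (e.pid, e.target_pid)
            writes[key] = writes.get(key, 0) + 1

    findings: List[Finding] = []
    for (src, dst), n in writes.items():
        s, d = procs.get(src), procs.get(dst)
        reasons = [f"{n} memory write(s) from {src} into {dst}"]
        score = 1
        if s and TEMP_MARKER in s.image.lower():
            reasons.append("source runs from a user Temp directory")
            score += 2
        if d and basename(d.image) in DOTNET_HOSTS:
            reasons.append(f"target {basename(d.image)} is a common .NET injection host")
            score += 2
        if d and d.parent_pid == src:
            reasons.append("target was spawned by the source")
            score += 1
        if d and d.command_line.strip().strip('"').lower() == d.image.lower():
            reasons.append("target launched with no arguments")
            score += 1
        if src in debug_priv:
            reasons.append("source enabled SeDebugPrivilege")
            score += 1
        findings.append(Finding(src, dst, score, reasons))
    return sorted(findings, key=lambda f: -f.score)


# Constructed events mirroring the report: PIDs 3488 and 1524, three writes.
SAMPLE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e02e5c6a19494f4f8db40abb8d287e69e36c52977da9ac8c2fb3ddda8afda264.exe"
HOST = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\aspnet_compiler.exe"
SAMPLE_EVENTS = [
    Event("ProcessCreate", 3488, SAMPLE, parent_pid=2000, command_line=f'"{SAMPLE}"'),
    Event("TokenAdjust", 3488, privilege="SeDebugPrivilege"),
    Event("ProcessCreate", 1524, HOST, parent_pid=3488, command_line=f'"{HOST}"'),
    # 0x1FFFFF (PROCESS_ALL_ACCESS) is an assumed mask; the report only says "wrote to memory"
    Event("ProcessAccess", 3488, SAMPLE, target_pid=1524, granted_access=0x1FFFFF),
    Event("ProcessAccess", 3488, SAMPLE, target_pid=1524, granted_access=0x1FFFFF),
    Event("ProcessAccess", 3488, SAMPLE, target_pid=1524, granted_access=0x1FFFFF),
    # benign control: a query-only open of the same target must not produce a finding
    Event("ProcessAccess", 700, "C:\\Windows\\System32\\svchost.exe",
          target_pid=1524, granted_access=0x1000),
]

if __name__ == "__main__":
    for f in find_injection_chains(SAMPLE_EVENTS):
        print(f"{f.source_pid} -> {f.target_pid} score={f.score}")
        for r in f.reasons:
            print("   ", r)
```

The control event shows why the filter is on the granted access mask rather than on any ProcessAccess: security tooling and task managers open processes with query rights constantly, but a handle carrying PROCESS_VM_WRITE from a Temp-resident parent into its own argument-less .NET child is the combination worth alerting on.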
Network
MITRE ATT&CK Matrix
Downloads
Memory dumps taken from PID 3488 (file | filesize):
memory/3488-118-0x0000000000610000-0x0000000000611000-memory.dmp | 4KB
memory/3488-120-0x0000000000E60000-0x0000000000E62000-memory.dmp | 8KB
memory/3488-121-0x0000000000B70000-0x0000000000B7A000-memory.dmp | 40KB
memory/3488-122-0x0000000000B80000-0x0000000000B81000-memory.dmp | 4KB