d4ee80500d9c280e85b290b467592a5910e9d4ee127cfda17ad40467b2c88942 | Triage

Analysis

max time kernel
110s
max time network
125s
platform
windows10_x64
resource
win10-en-20210920
submitted
26-10-2021 14:40

Sharing

Report Analysis Logs

General

Target

ace96cf7ef24eeac993b4da172a5a8f0.exe
Size

359KB
MD5

ace96cf7ef24eeac993b4da172a5a8f0
SHA1

fa89615f55a87ef1d9ee9330ec5b0c040f54e8c1
SHA256

d4ee80500d9c280e85b290b467592a5910e9d4ee127cfda17ad40467b2c88942
SHA512

e1d5279223d7e82003bad73e94b1607b043c0b987987e99dc39ab9790558c4c840cd6949a37f87134fbd13b64c4a2492fb572eebde870db709d2a77c419c7ea1

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

dw20.exe

pid process

1136 dw20.exe
1136 dw20.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

dw20.exe

description pid process

Token: SeRestorePrivilege 1136 dw20.exe
Token: SeBackupPrivilege 1136 dw20.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

ace96cf7ef24eeac993b4da172a5a8f0.exe

description	pid	process	target process
PID 1664 wrote to memory of 1136	1664	ace96cf7ef24eeac993b4da172a5a8f0.exe	dw20.exe
PID 1664 wrote to memory of 1136	1664	ace96cf7ef24eeac993b4da172a5a8f0.exe	dw20.exe
PID 1664 wrote to memory of 1136	1664	ace96cf7ef24eeac993b4da172a5a8f0.exe	dw20.exe

C:\Users\Admin\AppData\Local\Temp\ace96cf7ef24eeac993b4da172a5a8f0.exe
"C:\Users\Admin\AppData\Local\Temp\ace96cf7ef24eeac993b4da172a5a8f0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1664

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 928
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1136

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1136-116-0x0000000000000000-mapping.dmp

Download
memory/1664-115-0x0000000002F40000-0x0000000002F41000-memory.dmp

Filesize
4KB

Download