4663715548c70eec7e9cbf272171493d47a75d2652e38cca870412ea9e749fe9

Target

Cuberates@TaskILL.bin.exe
Size

31KB
MD5

c261c6e3332d0d515c910bbf3b93aab3
SHA1

ff730b6b2726240df4b2f0db96c424c464c65c17
SHA256

4663715548c70eec7e9cbf272171493d47a75d2652e38cca870412ea9e749fe9
SHA512

a93bd7b1d809493917e0999d4030cb53ab7789c65f6b87e1bbac27bd8b3ad2aeb92dec0a69369c04541f5572a78f04d8dfba900624cf5bd82d7558f24d0a8e26

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Cuberates@TaskILL.bin.exe

pid	process
1336	Cuberates@TaskILL.bin.exe
1336	Cuberates@TaskILL.bin.exe
1336	Cuberates@TaskILL.bin.exe
1336	Cuberates@TaskILL.bin.exe
1336	Cuberates@TaskILL.bin.exe
1336	Cuberates@TaskILL.bin.exe
1336	Cuberates@TaskILL.bin.exe
1336	Cuberates@TaskILL.bin.exe
1336	Cuberates@TaskILL.bin.exe
1336	Cuberates@TaskILL.bin.exe
1336	Cuberates@TaskILL.bin.exe
1336	Cuberates@TaskILL.bin.exe
1336	Cuberates@TaskILL.bin.exe
1336	Cuberates@TaskILL.bin.exe
1336	Cuberates@TaskILL.bin.exe
1336	Cuberates@TaskILL.bin.exe
1336	Cuberates@TaskILL.bin.exe
1336	Cuberates@TaskILL.bin.exe
1336	Cuberates@TaskILL.bin.exe
1336	Cuberates@TaskILL.bin.exe
1336	Cuberates@TaskILL.bin.exe
1336	Cuberates@TaskILL.bin.exe
1336	Cuberates@TaskILL.bin.exe
1336	Cuberates@TaskILL.bin.exe
1336	Cuberates@TaskILL.bin.exe
1336	Cuberates@TaskILL.bin.exe
1336	Cuberates@TaskILL.bin.exe
1336	Cuberates@TaskILL.bin.exe
1336	Cuberates@TaskILL.bin.exe
1336	Cuberates@TaskILL.bin.exe
1336	Cuberates@TaskILL.bin.exe
1336	Cuberates@TaskILL.bin.exe
1336	Cuberates@TaskILL.bin.exe
1336	Cuberates@TaskILL.bin.exe
1336	Cuberates@TaskILL.bin.exe
1336	Cuberates@TaskILL.bin.exe
1336	Cuberates@TaskILL.bin.exe
1336	Cuberates@TaskILL.bin.exe
1336	Cuberates@TaskILL.bin.exe
1336	Cuberates@TaskILL.bin.exe
1336	Cuberates@TaskILL.bin.exe
1336	Cuberates@TaskILL.bin.exe
1336	Cuberates@TaskILL.bin.exe
1336	Cuberates@TaskILL.bin.exe
1336	Cuberates@TaskILL.bin.exe
1336	Cuberates@TaskILL.bin.exe
1336	Cuberates@TaskILL.bin.exe
1336	Cuberates@TaskILL.bin.exe
1336	Cuberates@TaskILL.bin.exe
1336	Cuberates@TaskILL.bin.exe
1336	Cuberates@TaskILL.bin.exe
1336	Cuberates@TaskILL.bin.exe
1336	Cuberates@TaskILL.bin.exe
1336	Cuberates@TaskILL.bin.exe
1336	Cuberates@TaskILL.bin.exe
1336	Cuberates@TaskILL.bin.exe
1336	Cuberates@TaskILL.bin.exe
1336	Cuberates@TaskILL.bin.exe
1336	Cuberates@TaskILL.bin.exe
1336	Cuberates@TaskILL.bin.exe
1336	Cuberates@TaskILL.bin.exe
1336	Cuberates@TaskILL.bin.exe
1336	Cuberates@TaskILL.bin.exe
1336	Cuberates@TaskILL.bin.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

Cuberates@TaskILL.bin.exeAUDIODG.EXEtaskmgr.exe

description	pid	process
Token: SeDebugPrivilege	1336	Cuberates@TaskILL.bin.exe
Token: 33	1636	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1636	AUDIODG.EXE
Token: 33	1636	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1636	AUDIODG.EXE
Token: SeDebugPrivilege	1504	taskmgr.exe

Suspicious use of FindShellTrayWindow 12 IoCs

Processes:

taskmgr.exe

pid	process
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

taskmgr.exe

pid	process
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

Cuberates@TaskILL.bin.exe

description	pid	process	target process
PID 1336 wrote to memory of 1596	1336	Cuberates@TaskILL.bin.exe	mountvol.exe
PID 1336 wrote to memory of 1596	1336	Cuberates@TaskILL.bin.exe	mountvol.exe
PID 1336 wrote to memory of 1596	1336	Cuberates@TaskILL.bin.exe	mountvol.exe

C:\Users\Admin\AppData\Local\Temp\Cuberates@TaskILL.bin.exe
"C:\Users\Admin\AppData\Local\Temp\Cuberates@TaskILL.bin.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1336

C:\Windows\system32\mountvol.exe
mountvol c:\ /d
2⤵
PID:1596

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1824

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x58c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1636

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1504

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1336-55-0x0000000001280000-0x0000000001281000-memory.dmp

Filesize
4KB

Download
memory/1336-57-0x000000001AFB0000-0x000000001AFB2000-memory.dmp

Filesize
8KB

Download
memory/1596-60-0x0000000000000000-mapping.dmp

Download
memory/1824-58-0x000007FEFC511000-0x000007FEFC513000-memory.dmp

Filesize
8KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads