d3476e956324bcc9a8bbac1b1f467e44cd982f401c31afa69e843c8f5be0efe7

Analysis

Target

Sendan MultiTool/Sendan MultiTool.exe
Size

100.4MB
MD5

9de68acfe666d7dabb9aaafab09b44b0
SHA1

f2f7dbb4bb883f306949d3b4315d334b3cd7e3a3
SHA256

46cba3cb5d3a6dd6a3d7b563abd3d15aa05b6ae0e679a24f6416ef61b32fe40d
SHA512

01ac63a64cfc642ebeb6cae86d9de9ce68821e5df034b5c78cec651ea01ef9b3c52a5e2dd8ad8911a5e012d5a1bd262ed7558bf20a09bc0621b3f8daa7911331

Score

1^/10

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

2312 tasklist.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

tasklist.exe

description pid process

Token: SeDebugPrivilege 2312 tasklist.exe

pid	process
2312	tasklist.exe

description	pid	process
Token: SeDebugPrivilege	2312	tasklist.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

Sendan MultiTool.execmd.exe

description	pid	process	target process
PID 2220 wrote to memory of 1448	2220	Sendan MultiTool.exe	cmd.exe
PID 2220 wrote to memory of 1448	2220	Sendan MultiTool.exe	cmd.exe
PID 1448 wrote to memory of 2312	1448	cmd.exe	tasklist.exe
PID 1448 wrote to memory of 2312	1448	cmd.exe	tasklist.exe

C:\Users\Admin\AppData\Local\Temp\Sendan MultiTool\Sendan MultiTool.exe
"C:\Users\Admin\AppData\Local\Temp\Sendan MultiTool\Sendan MultiTool.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
- Suspicious use of WriteProcessMemory
PID:1448

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

memory/1448-116-0x0000000000000000-mapping.dmp

Download
memory/2220-115-0x0000026AE27E0000-0x0000026AE27E1000-memory.dmp

Filesize
4KB

Download
memory/2312-117-0x0000000000000000-mapping.dmp

Download