ed8ea7147615e1346db04eb63fe14ff1ea8dcb083006961e0400cbb4a9d999f8

General

Target

ed8ea7147615e1346db04eb63fe14ff1ea8dcb083006961e0400cbb4a9d999f8.exe
Size

2.4MB
MD5

a5fdd99bf98e3376cb52a60a6c94bfa3
SHA1

ea610ffed593c1756a84005f113de6eda1d27f85
SHA256

ed8ea7147615e1346db04eb63fe14ff1ea8dcb083006961e0400cbb4a9d999f8
SHA512

d1367298de62bc4c1be0a835fba85e93c7eda6505fddcbf771b81755d19f46930dad55a5b572c647b21d9f5de6053f91eb47f2a33ca557f710e1e96116aa6f97

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

ed8ea7147615e1346db04eb63fe14ff1ea8dcb083006961e0400cbb4a9d999f8.exe

pid	process
3708	ed8ea7147615e1346db04eb63fe14ff1ea8dcb083006961e0400cbb4a9d999f8.exe
3708	ed8ea7147615e1346db04eb63fe14ff1ea8dcb083006961e0400cbb4a9d999f8.exe
3708	ed8ea7147615e1346db04eb63fe14ff1ea8dcb083006961e0400cbb4a9d999f8.exe
3708	ed8ea7147615e1346db04eb63fe14ff1ea8dcb083006961e0400cbb4a9d999f8.exe
3708	ed8ea7147615e1346db04eb63fe14ff1ea8dcb083006961e0400cbb4a9d999f8.exe
3708	ed8ea7147615e1346db04eb63fe14ff1ea8dcb083006961e0400cbb4a9d999f8.exe
3708	ed8ea7147615e1346db04eb63fe14ff1ea8dcb083006961e0400cbb4a9d999f8.exe
3708	ed8ea7147615e1346db04eb63fe14ff1ea8dcb083006961e0400cbb4a9d999f8.exe
3708	ed8ea7147615e1346db04eb63fe14ff1ea8dcb083006961e0400cbb4a9d999f8.exe
3708	ed8ea7147615e1346db04eb63fe14ff1ea8dcb083006961e0400cbb4a9d999f8.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ed8ea7147615e1346db04eb63fe14ff1ea8dcb083006961e0400cbb4a9d999f8.exe

description pid process

Token: SeDebugPrivilege 3708 ed8ea7147615e1346db04eb63fe14ff1ea8dcb083006961e0400cbb4a9d999f8.exe

description	pid	process
Token: SeDebugPrivilege	3708	ed8ea7147615e1346db04eb63fe14ff1ea8dcb083006961e0400cbb4a9d999f8.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

ed8ea7147615e1346db04eb63fe14ff1ea8dcb083006961e0400cbb4a9d999f8.exe

C:\Users\Admin\AppData\Local\Temp\ed8ea7147615e1346db04eb63fe14ff1ea8dcb083006961e0400cbb4a9d999f8.exe
"C:\Users\Admin\AppData\Local\Temp\ed8ea7147615e1346db04eb63fe14ff1ea8dcb083006961e0400cbb4a9d999f8.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3708

C:\Users\Admin\AppData\Local\Temp\ed8ea7147615e1346db04eb63fe14ff1ea8dcb083006961e0400cbb4a9d999f8.exe
"C:\Users\Admin\AppData\Local\Temp\ed8ea7147615e1346db04eb63fe14ff1ea8dcb083006961e0400cbb4a9d999f8.exe"
2⤵
PID:2616

C:\Users\Admin\AppData\Local\Temp\ed8ea7147615e1346db04eb63fe14ff1ea8dcb083006961e0400cbb4a9d999f8.exe
"C:\Users\Admin\AppData\Local\Temp\ed8ea7147615e1346db04eb63fe14ff1ea8dcb083006961e0400cbb4a9d999f8.exe"
2⤵
PID:1116

C:\Users\Admin\AppData\Local\Temp\ed8ea7147615e1346db04eb63fe14ff1ea8dcb083006961e0400cbb4a9d999f8.exe
"C:\Users\Admin\AppData\Local\Temp\ed8ea7147615e1346db04eb63fe14ff1ea8dcb083006961e0400cbb4a9d999f8.exe"
2⤵
PID:60

C:\Users\Admin\AppData\Local\Temp\ed8ea7147615e1346db04eb63fe14ff1ea8dcb083006961e0400cbb4a9d999f8.exe
"C:\Users\Admin\AppData\Local\Temp\ed8ea7147615e1346db04eb63fe14ff1ea8dcb083006961e0400cbb4a9d999f8.exe"
2⤵
PID:356

C:\Users\Admin\AppData\Local\Temp\ed8ea7147615e1346db04eb63fe14ff1ea8dcb083006961e0400cbb4a9d999f8.exe
"C:\Users\Admin\AppData\Local\Temp\ed8ea7147615e1346db04eb63fe14ff1ea8dcb083006961e0400cbb4a9d999f8.exe"
2⤵
PID:1120

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3708-118-0x00000000003C0000-0x0000000000628000-memory.dmp

Filesize
2.4MB

Download
memory/3708-119-0x0000000004E00000-0x0000000004E9C000-memory.dmp

Filesize
624KB

Download
memory/3708-120-0x00000000054E0000-0x00000000059DE000-memory.dmp

Filesize
5.0MB

Download
memory/3708-121-0x0000000004FE0000-0x0000000005072000-memory.dmp

Filesize
584KB

Download
memory/3708-122-0x0000000004ED0000-0x0000000004EDA000-memory.dmp

Filesize
40KB

Download
memory/3708-123-0x0000000005140000-0x0000000005196000-memory.dmp

Filesize
344KB

Download
memory/3708-124-0x0000000004F80000-0x0000000004F81000-memory.dmp

Filesize
4KB

Download
memory/3708-125-0x00000000051D0000-0x00000000051F2000-memory.dmp

Filesize
136KB

Download
memory/3708-126-0x0000000007460000-0x0000000007634000-memory.dmp

Filesize
1.8MB

Download
memory/3708-127-0x000000000AB30000-0x000000000ACB4000-memory.dmp

Filesize
1.5MB

Download

description	pid	process	target process
PID 3708 wrote to memory of 2616	3708	ed8ea7147615e1346db04eb63fe14ff1ea8dcb083006961e0400cbb4a9d999f8.exe	ed8ea7147615e1346db04eb63fe14ff1ea8dcb083006961e0400cbb4a9d999f8.exe
PID 3708 wrote to memory of 2616	3708	ed8ea7147615e1346db04eb63fe14ff1ea8dcb083006961e0400cbb4a9d999f8.exe	ed8ea7147615e1346db04eb63fe14ff1ea8dcb083006961e0400cbb4a9d999f8.exe
PID 3708 wrote to memory of 2616	3708	ed8ea7147615e1346db04eb63fe14ff1ea8dcb083006961e0400cbb4a9d999f8.exe	ed8ea7147615e1346db04eb63fe14ff1ea8dcb083006961e0400cbb4a9d999f8.exe
PID 3708 wrote to memory of 1116	3708	ed8ea7147615e1346db04eb63fe14ff1ea8dcb083006961e0400cbb4a9d999f8.exe	ed8ea7147615e1346db04eb63fe14ff1ea8dcb083006961e0400cbb4a9d999f8.exe
PID 3708 wrote to memory of 1116	3708	ed8ea7147615e1346db04eb63fe14ff1ea8dcb083006961e0400cbb4a9d999f8.exe	ed8ea7147615e1346db04eb63fe14ff1ea8dcb083006961e0400cbb4a9d999f8.exe
PID 3708 wrote to memory of 1116	3708	ed8ea7147615e1346db04eb63fe14ff1ea8dcb083006961e0400cbb4a9d999f8.exe	ed8ea7147615e1346db04eb63fe14ff1ea8dcb083006961e0400cbb4a9d999f8.exe
PID 3708 wrote to memory of 60	3708	ed8ea7147615e1346db04eb63fe14ff1ea8dcb083006961e0400cbb4a9d999f8.exe	ed8ea7147615e1346db04eb63fe14ff1ea8dcb083006961e0400cbb4a9d999f8.exe
PID 3708 wrote to memory of 60	3708	ed8ea7147615e1346db04eb63fe14ff1ea8dcb083006961e0400cbb4a9d999f8.exe	ed8ea7147615e1346db04eb63fe14ff1ea8dcb083006961e0400cbb4a9d999f8.exe
PID 3708 wrote to memory of 60	3708	ed8ea7147615e1346db04eb63fe14ff1ea8dcb083006961e0400cbb4a9d999f8.exe	ed8ea7147615e1346db04eb63fe14ff1ea8dcb083006961e0400cbb4a9d999f8.exe
PID 3708 wrote to memory of 356	3708	ed8ea7147615e1346db04eb63fe14ff1ea8dcb083006961e0400cbb4a9d999f8.exe	ed8ea7147615e1346db04eb63fe14ff1ea8dcb083006961e0400cbb4a9d999f8.exe
PID 3708 wrote to memory of 356	3708	ed8ea7147615e1346db04eb63fe14ff1ea8dcb083006961e0400cbb4a9d999f8.exe	ed8ea7147615e1346db04eb63fe14ff1ea8dcb083006961e0400cbb4a9d999f8.exe
PID 3708 wrote to memory of 356	3708	ed8ea7147615e1346db04eb63fe14ff1ea8dcb083006961e0400cbb4a9d999f8.exe	ed8ea7147615e1346db04eb63fe14ff1ea8dcb083006961e0400cbb4a9d999f8.exe
PID 3708 wrote to memory of 1120	3708	ed8ea7147615e1346db04eb63fe14ff1ea8dcb083006961e0400cbb4a9d999f8.exe	ed8ea7147615e1346db04eb63fe14ff1ea8dcb083006961e0400cbb4a9d999f8.exe
PID 3708 wrote to memory of 1120	3708	ed8ea7147615e1346db04eb63fe14ff1ea8dcb083006961e0400cbb4a9d999f8.exe	ed8ea7147615e1346db04eb63fe14ff1ea8dcb083006961e0400cbb4a9d999f8.exe
PID 3708 wrote to memory of 1120	3708	ed8ea7147615e1346db04eb63fe14ff1ea8dcb083006961e0400cbb4a9d999f8.exe	ed8ea7147615e1346db04eb63fe14ff1ea8dcb083006961e0400cbb4a9d999f8.exe

Analysis

Sharing