26ab9161cb4a010e18a98d3d4c43836dbb9a896c6a190991df32aa954bc33c9c | Triage

Analysis

max time kernel
119s
max time network
119s
platform
windows10_x64
resource
win10-en-20211208
submitted
25-01-2022 07:53

Sharing

Report Analysis Logs

General

Target

BANK SLIP.exe
Size

574KB
MD5

e31713764cfbbbe5c54f25a5cdeff52c
SHA1

5af188609cc8e2eac3795480ec9d1edd21489450
SHA256

a4cb158cc6b760f0e208da10143b34039f21e496d85d87303e7bf66045edbdd9
SHA512

268cb7bc06d4ef647af1dfb7db6bfb8c2ca50ef75f63455f3f0ca8a55dc7d1c8c1b7d175d54ecbbc5f2baab22519b98688f64824924ca3c14c815735ce9338fa

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

BANK SLIP.exe

pid process

2264 BANK SLIP.exe
2264 BANK SLIP.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

BANK SLIP.exe

description pid process

Token: SeDebugPrivilege 2264 BANK SLIP.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

BANK SLIP.exe

description	pid	process	target process
PID 2264 wrote to memory of 3044	2264	BANK SLIP.exe	aspnet_compiler.exe
PID 2264 wrote to memory of 3044	2264	BANK SLIP.exe	aspnet_compiler.exe
PID 2264 wrote to memory of 3044	2264	BANK SLIP.exe	aspnet_compiler.exe

C:\Users\Admin\AppData\Local\Temp\BANK SLIP.exe
"C:\Users\Admin\AppData\Local\Temp\BANK SLIP.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2264

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
2⤵
PID:3044

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2264-115-0x0000000000A20000-0x0000000000AB2000-memory.dmp

Filesize
584KB

Download
memory/2264-116-0x0000000001D30000-0x0000000001D32000-memory.dmp

Filesize
8KB

Download
memory/2264-117-0x00000000012F0000-0x0000000001306000-memory.dmp

Filesize
88KB

Download