b288c3b3f5886b1cd7b6600df2b8046f2c0fd17360fb188ecfbcc8f6b7e552a5

General

Target

b288c3b3f5886b1cd7b6600df2b8046f2c0fd17360fb188ecfbcc8f6b7e552a5.exe
Size

112KB
MD5

b9b5f5039c19f15ca610baa095642f8a
SHA1

6464f52a47c362195a219bd5cf529338bf29a5c9
SHA256

b288c3b3f5886b1cd7b6600df2b8046f2c0fd17360fb188ecfbcc8f6b7e552a5
SHA512

5c62f2e948609d2481f2fd77bcee5f9a5fb93b8997ea7753c67554c3cd5c20d005b4170d498522aedd83b6c281edc8f8a60cffa75333cedc97fb06fe7451b697

Score

1^/10

Malware Config

Signatures

Delays execution with timeout.exe 1 IoCs

pid	Process
4072	timeout.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3924	powershell.exe
3924	powershell.exe
3924	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3924	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 3156	2464	b288c3b3f5886b1cd7b6600df2b8046f2c0fd17360fb188ecfbcc8f6b7e552a5.exe	69
PID 2464 wrote to memory of 3156	2464	b288c3b3f5886b1cd7b6600df2b8046f2c0fd17360fb188ecfbcc8f6b7e552a5.exe	69
PID 2464 wrote to memory of 3156	2464	b288c3b3f5886b1cd7b6600df2b8046f2c0fd17360fb188ecfbcc8f6b7e552a5.exe	69
PID 2464 wrote to memory of 3460	2464	b288c3b3f5886b1cd7b6600df2b8046f2c0fd17360fb188ecfbcc8f6b7e552a5.exe	70
PID 2464 wrote to memory of 3460	2464	b288c3b3f5886b1cd7b6600df2b8046f2c0fd17360fb188ecfbcc8f6b7e552a5.exe	70
PID 2464 wrote to memory of 3460	2464	b288c3b3f5886b1cd7b6600df2b8046f2c0fd17360fb188ecfbcc8f6b7e552a5.exe	70
PID 3156 wrote to memory of 4072	3156	cmd.exe	73
PID 3156 wrote to memory of 4072	3156	cmd.exe	73
PID 3156 wrote to memory of 4072	3156	cmd.exe	73
PID 3460 wrote to memory of 3924	3460	cmd.exe	74
PID 3460 wrote to memory of 3924	3460	cmd.exe	74
PID 3460 wrote to memory of 3924	3460	cmd.exe	74

C:\Users\Admin\AppData\Local\Temp\b288c3b3f5886b1cd7b6600df2b8046f2c0fd17360fb188ecfbcc8f6b7e552a5.exe
"C:\Users\Admin\AppData\Local\Temp\b288c3b3f5886b1cd7b6600df2b8046f2c0fd17360fb188ecfbcc8f6b7e552a5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c timeout 5 && del C:\Users\Admin\AppData\Local\Temp\b288c3b3f5886b1cd7b6600df2b8046f2c0fd17360fb188ecfbcc8f6b7e552a5.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3156
- - C:\Windows\SysWOW64\timeout.exe
    timeout 5
    3⤵
    - Delays execution with timeout.exe
    PID:4072
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C PowerShell "Start-Sleep 5; Remove-Item C:\Users\Admin\AppData\Local\Temp\b288c3b3f5886b1cd7b6600df2b8046f2c0fd17360fb188ecfbcc8f6b7e552a5.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3460
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    PowerShell "Start-Sleep 5; Remove-Item C:\Users\Admin\AppData\Local\Temp\b288c3b3f5886b1cd7b6600df2b8046f2c0fd17360fb188ecfbcc8f6b7e552a5.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3924

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3924-117-0x0000000006F40000-0x0000000006F76000-memory.dmp

Filesize
216KB

Download
memory/3924-119-0x0000000007052000-0x0000000007053000-memory.dmp

Filesize
4KB

Download
memory/3924-118-0x0000000007050000-0x0000000007051000-memory.dmp

Filesize
4KB

Download
memory/3924-120-0x0000000007690000-0x0000000007CB8000-memory.dmp

Filesize
6.2MB

Download
memory/3924-121-0x0000000007530000-0x0000000007552000-memory.dmp

Filesize
136KB

Download
memory/3924-122-0x0000000007E10000-0x0000000007E76000-memory.dmp

Filesize
408KB

Download
memory/3924-123-0x0000000007F80000-0x0000000007FE6000-memory.dmp

Filesize
408KB

Download
memory/3924-124-0x0000000008080000-0x00000000083D0000-memory.dmp

Filesize
3.3MB

Download
memory/3924-125-0x0000000007240000-0x000000000725C000-memory.dmp

Filesize
112KB

Download
memory/3924-126-0x0000000008890000-0x00000000088DB000-memory.dmp

Filesize
300KB

Download
memory/3924-127-0x0000000008700000-0x0000000008776000-memory.dmp

Filesize
472KB

Download
memory/3924-134-0x0000000009B90000-0x000000000A208000-memory.dmp

Filesize
6.5MB

Download
memory/3924-135-0x0000000009450000-0x000000000946A000-memory.dmp

Filesize
104KB

Download
memory/3924-140-0x0000000009910000-0x00000000099A4000-memory.dmp

Filesize
592KB

Download
memory/3924-141-0x0000000009540000-0x0000000009562000-memory.dmp

Filesize
136KB

Download
memory/3924-142-0x000000000A710000-0x000000000AC0E000-memory.dmp

Filesize
5.0MB

Download

Analysis

Sharing