e6d65e21a5b9e73a5626a2fdc9dbdd3f9ffad1f1d56f9bcd62455f6391e8b470

General

Target

e6d65e21a5b9e73a5626a2fdc9dbdd3f9ffad1f1d56f9bcd62455f6391e8b470.exe
Size

5.5MB
MD5

dbe95482a73c63d5b3d1d16aa3ad8f21
SHA1

4bba60ff11f8b150b004960c658ad74a707ebcea
SHA256

e6d65e21a5b9e73a5626a2fdc9dbdd3f9ffad1f1d56f9bcd62455f6391e8b470
SHA512

2f6795a956873a35cc14949f707b51438579fd08cc02e05b17e69628b20d9207863bbc443b670464cbe052a620ecc7bb350e53d9cde5cabbeb266eea049cc3ed

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\netpahna.dll	e6d65e21a5b9e73a5626a2fdc9dbdd3f9ffad1f1d56f9bcd62455f6391e8b470.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4060	timeout.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
4080	powershell.exe
4080	powershell.exe
4080	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4080	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 3060	2272	e6d65e21a5b9e73a5626a2fdc9dbdd3f9ffad1f1d56f9bcd62455f6391e8b470.exe	68
PID 2272 wrote to memory of 3060	2272	e6d65e21a5b9e73a5626a2fdc9dbdd3f9ffad1f1d56f9bcd62455f6391e8b470.exe	68
PID 2272 wrote to memory of 3060	2272	e6d65e21a5b9e73a5626a2fdc9dbdd3f9ffad1f1d56f9bcd62455f6391e8b470.exe	68
PID 2272 wrote to memory of 3040	2272	e6d65e21a5b9e73a5626a2fdc9dbdd3f9ffad1f1d56f9bcd62455f6391e8b470.exe	69
PID 2272 wrote to memory of 3040	2272	e6d65e21a5b9e73a5626a2fdc9dbdd3f9ffad1f1d56f9bcd62455f6391e8b470.exe	69
PID 2272 wrote to memory of 3040	2272	e6d65e21a5b9e73a5626a2fdc9dbdd3f9ffad1f1d56f9bcd62455f6391e8b470.exe	69
PID 3060 wrote to memory of 4060	3060	cmd.exe	72
PID 3060 wrote to memory of 4060	3060	cmd.exe	72
PID 3060 wrote to memory of 4060	3060	cmd.exe	72
PID 3040 wrote to memory of 4080	3040	cmd.exe	73
PID 3040 wrote to memory of 4080	3040	cmd.exe	73
PID 3040 wrote to memory of 4080	3040	cmd.exe	73

C:\Users\Admin\AppData\Local\Temp\e6d65e21a5b9e73a5626a2fdc9dbdd3f9ffad1f1d56f9bcd62455f6391e8b470.exe
"C:\Users\Admin\AppData\Local\Temp\e6d65e21a5b9e73a5626a2fdc9dbdd3f9ffad1f1d56f9bcd62455f6391e8b470.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c timeout 5 && del C:\Users\Admin\AppData\Local\Temp\e6d65e21a5b9e73a5626a2fdc9dbdd3f9ffad1f1d56f9bcd62455f6391e8b470.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Windows\SysWOW64\timeout.exe
    timeout 5
    3⤵
    - Delays execution with timeout.exe
    PID:4060
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C PowerShell "Start-Sleep 5; Remove-Item C:\Users\Admin\AppData\Local\Temp\e6d65e21a5b9e73a5626a2fdc9dbdd3f9ffad1f1d56f9bcd62455f6391e8b470.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    PowerShell "Start-Sleep 5; Remove-Item C:\Users\Admin\AppData\Local\Temp\e6d65e21a5b9e73a5626a2fdc9dbdd3f9ffad1f1d56f9bcd62455f6391e8b470.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4080

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4080-120-0x0000000004EE0000-0x0000000004F16000-memory.dmp

Filesize
216KB

Download
memory/4080-121-0x0000000004F40000-0x0000000004F41000-memory.dmp

Filesize
4KB

Download
memory/4080-122-0x00000000078E0000-0x0000000007F08000-memory.dmp

Filesize
6.2MB

Download
memory/4080-123-0x0000000007840000-0x0000000007862000-memory.dmp

Filesize
136KB

Download
memory/4080-124-0x0000000007F10000-0x0000000007F76000-memory.dmp

Filesize
408KB

Download
memory/4080-126-0x00000000081D0000-0x0000000008236000-memory.dmp

Filesize
408KB

Download
memory/4080-125-0x0000000004F42000-0x0000000004F43000-memory.dmp

Filesize
4KB

Download
memory/4080-127-0x0000000008380000-0x00000000086D0000-memory.dmp

Filesize
3.3MB

Download
memory/4080-128-0x00000000086F0000-0x000000000870C000-memory.dmp

Filesize
112KB

Download
memory/4080-129-0x0000000008BD0000-0x0000000008C1B000-memory.dmp

Filesize
300KB

Download
memory/4080-130-0x0000000008A20000-0x0000000008A96000-memory.dmp

Filesize
472KB

Download
memory/4080-137-0x000000000A0E0000-0x000000000A758000-memory.dmp

Filesize
6.5MB

Download
memory/4080-138-0x0000000009830000-0x000000000984A000-memory.dmp

Filesize
104KB

Download
memory/4080-143-0x0000000009BF0000-0x0000000009C84000-memory.dmp

Filesize
592KB

Download
memory/4080-144-0x0000000008C70000-0x0000000008C92000-memory.dmp

Filesize
136KB

Download
memory/4080-145-0x000000000AC60000-0x000000000B15E000-memory.dmp

Filesize
5.0MB

Download

Analysis

Sharing