aaf1c2e67e9049fcbfd9f97302d78837769e1ad20fb2c4f35c69339e95845938

General

Target

aaf1c2e67e9049fcbfd9f97302d78837769e1ad20fb2c4f35c69339e95845938.exe
Size

994KB
MD5

0cefce0dbbbedc5eb1febe4d85b23c71
SHA1

6aef7d5a462268c438c8417ee0da3f130b8aa84a
SHA256

aaf1c2e67e9049fcbfd9f97302d78837769e1ad20fb2c4f35c69339e95845938
SHA512

1311cf0b918419c192b3914a01e467430f445aaf6a003338e2176b1527c74263f658d8d39bd6d9c78b70324615101026767034798945d42d25215ee4d45654bf

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

cfhiyme.execfhiyme.exe

pid process

1980 cfhiyme.exe
2448 cfhiyme.exe
Drops file in System32 directory 1 IoCs

Processes:

cfhiyme.exe

description ioc process

File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\cfhiyme.exe.log cfhiyme.exe

pid	process
1980	cfhiyme.exe
2448	cfhiyme.exe

description	ioc	process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\cfhiyme.exe.log	cfhiyme.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

aaf1c2e67e9049fcbfd9f97302d78837769e1ad20fb2c4f35c69339e95845938.execfhiyme.exe

description	pid	process	target process
PID 2796 set thread context of 588	2796	aaf1c2e67e9049fcbfd9f97302d78837769e1ad20fb2c4f35c69339e95845938.exe	aaf1c2e67e9049fcbfd9f97302d78837769e1ad20fb2c4f35c69339e95845938.exe
PID 1980 set thread context of 2448	1980	cfhiyme.exe	cfhiyme.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

aaf1c2e67e9049fcbfd9f97302d78837769e1ad20fb2c4f35c69339e95845938.execfhiyme.exe

pid	process
588	aaf1c2e67e9049fcbfd9f97302d78837769e1ad20fb2c4f35c69339e95845938.exe
588	aaf1c2e67e9049fcbfd9f97302d78837769e1ad20fb2c4f35c69339e95845938.exe
2448	cfhiyme.exe
2448	cfhiyme.exe
2448	cfhiyme.exe
2448	cfhiyme.exe
2448	cfhiyme.exe
2448	cfhiyme.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

cfhiyme.exe

description pid process

Token: SeDebugPrivilege 2448 cfhiyme.exe

description	pid	process
Token: SeDebugPrivilege	2448	cfhiyme.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

aaf1c2e67e9049fcbfd9f97302d78837769e1ad20fb2c4f35c69339e95845938.execfhiyme.execfhiyme.exe

description	pid	process	target process
PID 2796 wrote to memory of 3356	2796	aaf1c2e67e9049fcbfd9f97302d78837769e1ad20fb2c4f35c69339e95845938.exe	aaf1c2e67e9049fcbfd9f97302d78837769e1ad20fb2c4f35c69339e95845938.exe
PID 2796 wrote to memory of 3356	2796	aaf1c2e67e9049fcbfd9f97302d78837769e1ad20fb2c4f35c69339e95845938.exe	aaf1c2e67e9049fcbfd9f97302d78837769e1ad20fb2c4f35c69339e95845938.exe
PID 2796 wrote to memory of 3356	2796	aaf1c2e67e9049fcbfd9f97302d78837769e1ad20fb2c4f35c69339e95845938.exe	aaf1c2e67e9049fcbfd9f97302d78837769e1ad20fb2c4f35c69339e95845938.exe
PID 2796 wrote to memory of 588	2796	aaf1c2e67e9049fcbfd9f97302d78837769e1ad20fb2c4f35c69339e95845938.exe	aaf1c2e67e9049fcbfd9f97302d78837769e1ad20fb2c4f35c69339e95845938.exe
PID 2796 wrote to memory of 588	2796	aaf1c2e67e9049fcbfd9f97302d78837769e1ad20fb2c4f35c69339e95845938.exe	aaf1c2e67e9049fcbfd9f97302d78837769e1ad20fb2c4f35c69339e95845938.exe
PID 2796 wrote to memory of 588	2796	aaf1c2e67e9049fcbfd9f97302d78837769e1ad20fb2c4f35c69339e95845938.exe	aaf1c2e67e9049fcbfd9f97302d78837769e1ad20fb2c4f35c69339e95845938.exe
PID 2796 wrote to memory of 588	2796	aaf1c2e67e9049fcbfd9f97302d78837769e1ad20fb2c4f35c69339e95845938.exe	aaf1c2e67e9049fcbfd9f97302d78837769e1ad20fb2c4f35c69339e95845938.exe
PID 2796 wrote to memory of 588	2796	aaf1c2e67e9049fcbfd9f97302d78837769e1ad20fb2c4f35c69339e95845938.exe	aaf1c2e67e9049fcbfd9f97302d78837769e1ad20fb2c4f35c69339e95845938.exe
PID 2796 wrote to memory of 588	2796	aaf1c2e67e9049fcbfd9f97302d78837769e1ad20fb2c4f35c69339e95845938.exe	aaf1c2e67e9049fcbfd9f97302d78837769e1ad20fb2c4f35c69339e95845938.exe
PID 2796 wrote to memory of 588	2796	aaf1c2e67e9049fcbfd9f97302d78837769e1ad20fb2c4f35c69339e95845938.exe	aaf1c2e67e9049fcbfd9f97302d78837769e1ad20fb2c4f35c69339e95845938.exe
PID 1980 wrote to memory of 2448	1980	cfhiyme.exe	cfhiyme.exe
PID 1980 wrote to memory of 2448	1980	cfhiyme.exe	cfhiyme.exe
PID 1980 wrote to memory of 2448	1980	cfhiyme.exe	cfhiyme.exe
PID 1980 wrote to memory of 2448	1980	cfhiyme.exe	cfhiyme.exe
PID 1980 wrote to memory of 2448	1980	cfhiyme.exe	cfhiyme.exe
PID 1980 wrote to memory of 2448	1980	cfhiyme.exe	cfhiyme.exe
PID 1980 wrote to memory of 2448	1980	cfhiyme.exe	cfhiyme.exe
PID 2448 wrote to memory of 724	2448	cfhiyme.exe	svchost.exe

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
1⤵
PID:724

C:\Users\Admin\AppData\Local\Temp\aaf1c2e67e9049fcbfd9f97302d78837769e1ad20fb2c4f35c69339e95845938.exe
"C:\Users\Admin\AppData\Local\Temp\aaf1c2e67e9049fcbfd9f97302d78837769e1ad20fb2c4f35c69339e95845938.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2796

C:\Users\Admin\AppData\Local\Temp\aaf1c2e67e9049fcbfd9f97302d78837769e1ad20fb2c4f35c69339e95845938.exe
"C:\Users\Admin\AppData\Local\Temp\aaf1c2e67e9049fcbfd9f97302d78837769e1ad20fb2c4f35c69339e95845938.exe"
2⤵
PID:3356

C:\Users\Admin\AppData\Local\Temp\aaf1c2e67e9049fcbfd9f97302d78837769e1ad20fb2c4f35c69339e95845938.exe
"C:\Users\Admin\AppData\Local\Temp\aaf1c2e67e9049fcbfd9f97302d78837769e1ad20fb2c4f35c69339e95845938.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:588

C:\Users\Admin\AppData\Local\Temp\cfhiyme.exe
C:\Users\Admin\AppData\Local\Temp\cfhiyme.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1980

C:\Users\Admin\AppData\Local\Temp\cfhiyme.exe
C:\Users\Admin\AppData\Local\Temp\cfhiyme.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2448

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\dxxdqlg
MD5
fec5d133b1513f9598c7c028cfb8e018

SHA1
4a382316aa33ac4827f54fac3c9656ea89468126

SHA256
744517320e33958916f7858b26fd1cb086868ad608c858f38ee1d3db1dbb2dd6

SHA512
893600595fcb5eb54bb84df953cf212fab082d4ba44c969ff4a620771446d4be00013285251458ce8d755fc358a3849441a6aeb886a44094ab565bc1c85d354c

Download Submit
C:\ProgramData\Adobe\dxxdqlg
MD5
fec5d133b1513f9598c7c028cfb8e018

SHA1
4a382316aa33ac4827f54fac3c9656ea89468126

SHA256
744517320e33958916f7858b26fd1cb086868ad608c858f38ee1d3db1dbb2dd6

SHA512
893600595fcb5eb54bb84df953cf212fab082d4ba44c969ff4a620771446d4be00013285251458ce8d755fc358a3849441a6aeb886a44094ab565bc1c85d354c

Download Submit
C:\ProgramData\Adobe\dxxdqlg
MD5
262e257135034e2d4e7b20a6d70326fe

SHA1
cdf2d256544f515030ef3d0e5f9cf74c1090909b

SHA256
398843ecd4bb2dd63d01def8d50feea0df7621293bf1bc19df6ef32302cc00a3

SHA512
cd0d55f260a607927afdfc55644796b1181a41517011dad9f640f15fc5be52b95bbee0c776e05574795b8cf9436b55cf0218219f831f5e3102307a4cc4bc2928

Download Submit
C:\Users\Admin\AppData\Local\Temp\cfhiyme.exe
MD5
0cefce0dbbbedc5eb1febe4d85b23c71

SHA1
6aef7d5a462268c438c8417ee0da3f130b8aa84a

SHA256
aaf1c2e67e9049fcbfd9f97302d78837769e1ad20fb2c4f35c69339e95845938

SHA512
1311cf0b918419c192b3914a01e467430f445aaf6a003338e2176b1527c74263f658d8d39bd6d9c78b70324615101026767034798945d42d25215ee4d45654bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\cfhiyme.exe
MD5
0cefce0dbbbedc5eb1febe4d85b23c71

SHA1
6aef7d5a462268c438c8417ee0da3f130b8aa84a

SHA256
aaf1c2e67e9049fcbfd9f97302d78837769e1ad20fb2c4f35c69339e95845938

SHA512
1311cf0b918419c192b3914a01e467430f445aaf6a003338e2176b1527c74263f658d8d39bd6d9c78b70324615101026767034798945d42d25215ee4d45654bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\cfhiyme.exe
MD5
0cefce0dbbbedc5eb1febe4d85b23c71

SHA1
6aef7d5a462268c438c8417ee0da3f130b8aa84a

SHA256
aaf1c2e67e9049fcbfd9f97302d78837769e1ad20fb2c4f35c69339e95845938

SHA512
1311cf0b918419c192b3914a01e467430f445aaf6a003338e2176b1527c74263f658d8d39bd6d9c78b70324615101026767034798945d42d25215ee4d45654bf

Download Submit
memory/588-116-0x0000000000EA0000-0x00000000010BA000-memory.dmp

Filesize
2.1MB

Download
memory/588-117-0x00000000010C0000-0x000000000130B000-memory.dmp

Filesize
2.3MB

Download
memory/588-120-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/724-125-0x0000000031C00000-0x0000000031C77000-memory.dmp

Filesize
476KB

Download
memory/1980-121-0x0000000001240000-0x0000000001241000-memory.dmp

Filesize
4KB

Download
memory/2448-124-0x00000000018A0000-0x0000000001AEB000-memory.dmp

Filesize
2.3MB

Download
memory/2796-115-0x0000000003070000-0x0000000003071000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads