9e2a002527bd520f50a4844c8381e89a09e3489a239766120d63db503eb97910

General

Target

9e2a002527bd520f50a4844c8381e89a09e3489a239766120d63db503eb97910.exe
Size

378KB
MD5

d0d25ddde9388ab0feb47b9ec3cb7733
SHA1

de6f89f2c17b229a0068a75bf476720a0724fe18
SHA256

9e2a002527bd520f50a4844c8381e89a09e3489a239766120d63db503eb97910
SHA512

25d76db3137a9ee2b0fd9a4e562a6cb89fba025a787e443f0361580b0d7fdbe43f5ebe99c204103939f01a4fedc2e1182aea90b69d3833d001141280805c386f

Score

5^/10

Suspicious use of SetThreadContext 1 IoCs

Processes:

9e2a002527bd520f50a4844c8381e89a09e3489a239766120d63db503eb97910.exe

description	pid	Process	procid_target
PID 824 set thread context of 2228	824	9e2a002527bd520f50a4844c8381e89a09e3489a239766120d63db503eb97910.exe	98

Drops file in Windows directory 6 IoCs

Processes:

svchost.exe

description	ioc	Process
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

9e2a002527bd520f50a4844c8381e89a09e3489a239766120d63db503eb97910.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

9e2a002527bd520f50a4844c8381e89a09e3489a239766120d63db503eb97910.exesvchost.exe

description	pid	Process
Token: SeDebugPrivilege	824	9e2a002527bd520f50a4844c8381e89a09e3489a239766120d63db503eb97910.exe
Token: SeShutdownPrivilege	5096	svchost.exe
Token: SeCreatePagefilePrivilege	5096	svchost.exe
Token: SeShutdownPrivilege	5096	svchost.exe
Token: SeCreatePagefilePrivilege	5096	svchost.exe
Token: SeShutdownPrivilege	5096	svchost.exe
Token: SeCreatePagefilePrivilege	5096	svchost.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

9e2a002527bd520f50a4844c8381e89a09e3489a239766120d63db503eb97910.exe

description	pid	Process	procid_target
PID 824 wrote to memory of 2228	824	9e2a002527bd520f50a4844c8381e89a09e3489a239766120d63db503eb97910.exe	98
PID 824 wrote to memory of 2228	824	9e2a002527bd520f50a4844c8381e89a09e3489a239766120d63db503eb97910.exe	98
PID 824 wrote to memory of 2228	824	9e2a002527bd520f50a4844c8381e89a09e3489a239766120d63db503eb97910.exe	98
PID 824 wrote to memory of 2228	824	9e2a002527bd520f50a4844c8381e89a09e3489a239766120d63db503eb97910.exe	98
PID 824 wrote to memory of 2228	824	9e2a002527bd520f50a4844c8381e89a09e3489a239766120d63db503eb97910.exe	98
PID 824 wrote to memory of 2228	824	9e2a002527bd520f50a4844c8381e89a09e3489a239766120d63db503eb97910.exe	98
PID 824 wrote to memory of 2228	824	9e2a002527bd520f50a4844c8381e89a09e3489a239766120d63db503eb97910.exe	98

C:\Users\Admin\AppData\Local\Temp\9e2a002527bd520f50a4844c8381e89a09e3489a239766120d63db503eb97910.exe
"C:\Users\Admin\AppData\Local\Temp\9e2a002527bd520f50a4844c8381e89a09e3489a239766120d63db503eb97910.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:824
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  2⤵
  PID:2228

memory/824-130-0x00000000004F0000-0x0000000000554000-memory.dmp

Filesize
400KB

Download
memory/824-131-0x0000000004DA0000-0x0000000004E06000-memory.dmp

Filesize
408KB

Download
memory/824-132-0x0000000004EB0000-0x0000000004F42000-memory.dmp

Filesize
584KB

Download
memory/824-133-0x0000000005120000-0x00000000052E2000-memory.dmp

Filesize
1.8MB

Download
memory/824-134-0x0000000004D30000-0x0000000004D52000-memory.dmp

Filesize
136KB

Download
memory/824-135-0x0000000004E10000-0x0000000004E32000-memory.dmp

Filesize
136KB

Download
memory/824-136-0x00000000058A0000-0x0000000005E44000-memory.dmp

Filesize
5.6MB

Download
memory/824-137-0x00000000052F0000-0x0000000005894000-memory.dmp

Filesize
5.6MB

Download
memory/824-151-0x0000000005590000-0x00000000055D4000-memory.dmp

Filesize
272KB

Download
memory/2228-152-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/5096-150-0x0000016035B90000-0x0000016035B94000-memory.dmp

Filesize
16KB

Download