General
Target

13a1fbb9c303f2789f2d2d55e6b915f4d731b70f0ea6b4453364cd65f9cfa8d6.exe

Filesize

153KB

Completed

20-02-2022 11:22

Task

behavioral2

Score
1/10
MD5

71d5ee75766497e2c37b20503cf02f53

SHA1

d78c955173c447cb79fb559de122563d90d5358d

SHA256

13a1fbb9c303f2789f2d2d55e6b915f4d731b70f0ea6b4453364cd65f9cfa8d6

SHA512

c365d9dd353a326814dce42cbbaf7c159b605725365dd99efcd3870ff2af31d908bc534a43e2c3c8849808736183f9bb2fbd83785bc3e42123e5847004a5f6eb

Malware Config
Signatures 3

Filter: none

  • Suspicious behavior: EnumeratesProcesses
    13a1fbb9c303f2789f2d2d55e6b915f4d731b70f0ea6b4453364cd65f9cfa8d6.exe

    Reported IOCs

    pid  | process
    3700 | 13a1fbb9c303f2789f2d2d55e6b915f4d731b70f0ea6b4453364cd65f9cfa8d6.exe
    3700 | 13a1fbb9c303f2789f2d2d55e6b915f4d731b70f0ea6b4453364cd65f9cfa8d6.exe
  • Suspicious use of AdjustPrivilegeToken
    13a1fbb9c303f2789f2d2d55e6b915f4d731b70f0ea6b4453364cd65f9cfa8d6.exe

    Reported IOCs

    description             | pid  | process
    Token: SeDebugPrivilege | 3700 | 13a1fbb9c303f2789f2d2d55e6b915f4d731b70f0ea6b4453364cd65f9cfa8d6.exe
  • Suspicious use of WriteProcessMemory
    13a1fbb9c303f2789f2d2d55e6b915f4d731b70f0ea6b4453364cd65f9cfa8d6.exe

    Reported IOCs

    description                      | pid  | process                                                              | target process
    PID 3700 wrote to memory of 2280 | 3700 | 13a1fbb9c303f2789f2d2d55e6b915f4d731b70f0ea6b4453364cd65f9cfa8d6.exe | sihost.exe
    PID 3700 wrote to memory of 2312 | 3700 | 13a1fbb9c303f2789f2d2d55e6b915f4d731b70f0ea6b4453364cd65f9cfa8d6.exe | svchost.exe
    PID 3700 wrote to memory of 2432 | 3700 | 13a1fbb9c303f2789f2d2d55e6b915f4d731b70f0ea6b4453364cd65f9cfa8d6.exe | taskhostw.exe
    PID 3700 wrote to memory of 744  | 3700 | 13a1fbb9c303f2789f2d2d55e6b915f4d731b70f0ea6b4453364cd65f9cfa8d6.exe | svchost.exe
    PID 3700 wrote to memory of 3252 | 3700 | 13a1fbb9c303f2789f2d2d55e6b915f4d731b70f0ea6b4453364cd65f9cfa8d6.exe | DllHost.exe
Processes 6
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
    PID:2312
  • C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    PID:3252
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
    PID:744
  • C:\Windows\system32\taskhostw.exe
    taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
    PID:2432
  • C:\Windows\system32\sihost.exe
    sihost.exe
    PID:2280
  • C:\Users\Admin\AppData\Local\Temp\13a1fbb9c303f2789f2d2d55e6b915f4d731b70f0ea6b4453364cd65f9cfa8d6.exe
    "C:\Users\Admin\AppData\Local\Temp\13a1fbb9c303f2789f2d2d55e6b915f4d731b70f0ea6b4453364cd65f9cfa8d6.exe"
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:3700
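The sandbox records the three signatures above as independent events; the security-relevant point is their correlation: one process (PID 3700) enables SeDebugPrivilege, enumerates processes, and then writes into five separate Windows session and service hosts. The Python below is an added example, not the sandbox's scoring logic. It parses the Reported IOCs rows transcribed from this report into a constructed pipe-separated line format, resolves each target PID against the Processes list, and flags a source process that holds SeDebugPrivilege and writes into at least two distinct system-process images. The line format, the SYSTEM_IMAGES set and the min_targets threshold are assumptions.

```python
"""Correlate per-event sandbox signatures into a single injection finding.

Added example, not the sandbox's own code. The event rows below are
transcribed from the report's "Reported IOCs" tables; the pipe-separated
format, SYSTEM_IMAGES and the min_targets threshold are assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

SAMPLE_EXE = "13a1fbb9c303f2789f2d2d55e6b915f4d731b70f0ea6b4453364cd65f9cfa8d6.exe"

# Constructed event rows: signature | description | pid | process | target process
SAMPLE_EVENTS = f"""
EnumeratesProcesses | | 3700 | {SAMPLE_EXE} |
EnumeratesProcesses | | 3700 | {SAMPLE_EXE} |
AdjustPrivilegeToken | Token: SeDebugPrivilege | 3700 | {SAMPLE_EXE} |
WriteProcessMemory | PID 3700 wrote to memory of 2280 | 3700 | {SAMPLE_EXE} | sihost.exe
WriteProcessMemory | PID 3700 wrote to memory of 2312 | 3700 | {SAMPLE_EXE} | svchost.exe
WriteProcessMemory | PID 3700 wrote to memory of 2432 | 3700 | {SAMPLE_EXE} | taskhostw.exe
WriteProcessMemory | PID 3700 wrote to memory of 744 | 3700 | {SAMPLE_EXE} | svchost.exe
WriteProcessMemory | PID 3700 wrote to memory of 3252 | 3700 | {SAMPLE_EXE} | DllHost.exe
"""

# PID -> command line, taken from the report's "Processes" section.
PROCESSES = {
    2312: r"C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc",
    3252: r"C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}",
    744:  r"C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc",
    2432: r"taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}",
    2280: r"sihost.exe",
}

# Windows session/service hosts a user-mode sample has no legitimate reason
# to write into (assumed list; extend for your environment).
SYSTEM_IMAGES = {"sihost.exe", "svchost.exe", "taskhostw.exe", "dllhost.exe"}


@dataclass
class Behaviour:
    image: str = ""
    enumerations: int = 0
    privileges: set = field(default_factory=set)
    writes: dict = field(default_factory=dict)  # target pid -> target image (lower-case)


def parse_events(text):
    """Group the signature rows by source PID."""
    per_pid = defaultdict(Behaviour)
    for line in text.strip().splitlines():
        sig, desc, pid, proc, target = (col.strip() for col in line.split("|"))
        b = per_pid[int(pid)]
        b.image = proc
        if sig == "EnumeratesProcesses":
            b.enumerations += 1
        elif sig == "AdjustPrivilegeToken":
            m = re.match(r"Token:\s*(\w+)", desc)
            if m:
                b.privileges.add(m.group(1))
        elif sig == "WriteProcessMemory":
            m = re.search(r"wrote to memory of (\d+)", desc)
            if m:
                b.writes[int(m.group(1))] = target.lower()
    return per_pid


def assess(per_pid, processes=PROCESSES, min_targets=2):
    """Flag a PID that holds SeDebugPrivilege and writes into at least
    min_targets distinct system processes. Each signature alone also occurs
    in benign tooling (debuggers, AV, inventory agents); the combination is
    the classic shape of cross-process injection."""
    findings = []
    for pid, b in per_pid.items():
        sys_writes = {tp: img for tp, img in b.writes.items() if img in SYSTEM_IMAGES}
        if "SeDebugPrivilege" in b.privileges and len(sys_writes) >= min_targets:
            findings.append({
                "pid": pid,
                "image": b.image,
                "enumerated_processes": b.enumerations > 0,
                # resolve each target PID to its command line where the report lists it
                "targets": {tp: processes.get(tp, img) for tp, img in sys_writes.items()},
            })
    return findings


if __name__ == "__main__":
    for finding in assess(parse_events(SAMPLE_EVENTS)):
        print(f"PID {finding['pid']} ({finding['image']}) wrote into "
              f"{len(finding['targets'])} system processes:")
        for tp, cmd in sorted(finding["targets"].items()):
            print(f"  {tp:>5}  {cmd}")
```

Run against the report's rows, the rule yields a single finding for PID 3700 with all five targets. In a production pipeline the same correlation would be run over EDR telemetry (token adjustment, process enumeration and cross-process write events) rather than a sandbox export, and the target list would be tuned for the fleet.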
Network
MITRE ATT&CK Matrix
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Downloads
Memory dumps taken from two of the injected targets, sihost.exe (PID 2280) and svchost.exe (PID 2312), covering the same address range in both processes:
  • memory/2280-130-0x00007FF7BB6E0000-0x00007FF7BBA6A000-memory.dmp
  • memory/2312-131-0x00007FF7BB6E0000-0x00007FF7BBA6A000-memory.dmp