5db167e8cc20f6b5d34a37383cc5c9299a40624073be1f8ebab5420975a39313

General

Target

M097508E2-20F2-4C2C-879A.exe
Size

709KB
MD5

13f08d08bbaa99bfd4cf481cf682bd7d
SHA1

210fce69f4278eb3f9e2574eb1d3fd7febe8212c
SHA256

d32af58205d0773daf139d13738f918e03f4d30439086b6eda0dfceef3369b58
SHA512

4483ba364a7525b2c8a6e2154a9d166873aba8ea1fa717c06aa90db7c1d540e317425cc33c254fbf41cd26cad2eb196c093b86d5c3e0c9c6fed358795d357330

Score

1^/10

Malware Config

Signatures

Suspicious behavior: MapViewOfSection 18 IoCs

Processes:

M097508E2-20F2-4C2C-879A.exeM097508E2-20F2-4C2C-879A.exeM097508E2-20F2-4C2C-879A.exeM097508E2-20F2-4C2C-879A.exeM097508E2-20F2-4C2C-879A.exeM097508E2-20F2-4C2C-879A.exeM097508E2-20F2-4C2C-879A.exeM097508E2-20F2-4C2C-879A.exeM097508E2-20F2-4C2C-879A.exeM097508E2-20F2-4C2C-879A.exeM097508E2-20F2-4C2C-879A.exeM097508E2-20F2-4C2C-879A.exeM097508E2-20F2-4C2C-879A.exeM097508E2-20F2-4C2C-879A.exe

pid	process
2028	M097508E2-20F2-4C2C-879A.exe
1392	M097508E2-20F2-4C2C-879A.exe
956	M097508E2-20F2-4C2C-879A.exe
844	M097508E2-20F2-4C2C-879A.exe
1576	M097508E2-20F2-4C2C-879A.exe
1576	M097508E2-20F2-4C2C-879A.exe
944	M097508E2-20F2-4C2C-879A.exe
520	M097508E2-20F2-4C2C-879A.exe
324	M097508E2-20F2-4C2C-879A.exe
324	M097508E2-20F2-4C2C-879A.exe
608	M097508E2-20F2-4C2C-879A.exe
608	M097508E2-20F2-4C2C-879A.exe
1540	M097508E2-20F2-4C2C-879A.exe
876	M097508E2-20F2-4C2C-879A.exe
876	M097508E2-20F2-4C2C-879A.exe
2016	M097508E2-20F2-4C2C-879A.exe
1472	M097508E2-20F2-4C2C-879A.exe
468	M097508E2-20F2-4C2C-879A.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

M097508E2-20F2-4C2C-879A.exeM097508E2-20F2-4C2C-879A.exeM097508E2-20F2-4C2C-879A.exeM097508E2-20F2-4C2C-879A.exeM097508E2-20F2-4C2C-879A.exeM097508E2-20F2-4C2C-879A.exeM097508E2-20F2-4C2C-879A.exeM097508E2-20F2-4C2C-879A.exe

description	pid	process	target process
PID 2028 wrote to memory of 1388	2028	M097508E2-20F2-4C2C-879A.exe	MSBuild.exe
PID 2028 wrote to memory of 1388	2028	M097508E2-20F2-4C2C-879A.exe	MSBuild.exe
PID 2028 wrote to memory of 1388	2028	M097508E2-20F2-4C2C-879A.exe	MSBuild.exe
PID 2028 wrote to memory of 1388	2028	M097508E2-20F2-4C2C-879A.exe	MSBuild.exe
PID 2028 wrote to memory of 1388	2028	M097508E2-20F2-4C2C-879A.exe	MSBuild.exe
PID 2028 wrote to memory of 1392	2028	M097508E2-20F2-4C2C-879A.exe	M097508E2-20F2-4C2C-879A.exe
PID 2028 wrote to memory of 1392	2028	M097508E2-20F2-4C2C-879A.exe	M097508E2-20F2-4C2C-879A.exe
PID 2028 wrote to memory of 1392	2028	M097508E2-20F2-4C2C-879A.exe	M097508E2-20F2-4C2C-879A.exe
PID 2028 wrote to memory of 1392	2028	M097508E2-20F2-4C2C-879A.exe	M097508E2-20F2-4C2C-879A.exe
PID 1392 wrote to memory of 1808	1392	M097508E2-20F2-4C2C-879A.exe	MSBuild.exe
PID 1392 wrote to memory of 1808	1392	M097508E2-20F2-4C2C-879A.exe	MSBuild.exe
PID 1392 wrote to memory of 1808	1392	M097508E2-20F2-4C2C-879A.exe	MSBuild.exe
PID 1392 wrote to memory of 1808	1392	M097508E2-20F2-4C2C-879A.exe	MSBuild.exe
PID 1392 wrote to memory of 1808	1392	M097508E2-20F2-4C2C-879A.exe	MSBuild.exe
PID 1392 wrote to memory of 956	1392	M097508E2-20F2-4C2C-879A.exe	M097508E2-20F2-4C2C-879A.exe
PID 1392 wrote to memory of 956	1392	M097508E2-20F2-4C2C-879A.exe	M097508E2-20F2-4C2C-879A.exe
PID 1392 wrote to memory of 956	1392	M097508E2-20F2-4C2C-879A.exe	M097508E2-20F2-4C2C-879A.exe
PID 1392 wrote to memory of 956	1392	M097508E2-20F2-4C2C-879A.exe	M097508E2-20F2-4C2C-879A.exe
PID 956 wrote to memory of 1332	956	M097508E2-20F2-4C2C-879A.exe	MSBuild.exe
PID 956 wrote to memory of 1332	956	M097508E2-20F2-4C2C-879A.exe	MSBuild.exe
PID 956 wrote to memory of 1332	956	M097508E2-20F2-4C2C-879A.exe	MSBuild.exe
PID 956 wrote to memory of 1332	956	M097508E2-20F2-4C2C-879A.exe	MSBuild.exe
PID 956 wrote to memory of 1332	956	M097508E2-20F2-4C2C-879A.exe	MSBuild.exe
PID 956 wrote to memory of 844	956	M097508E2-20F2-4C2C-879A.exe	M097508E2-20F2-4C2C-879A.exe
PID 956 wrote to memory of 844	956	M097508E2-20F2-4C2C-879A.exe	M097508E2-20F2-4C2C-879A.exe
PID 956 wrote to memory of 844	956	M097508E2-20F2-4C2C-879A.exe	M097508E2-20F2-4C2C-879A.exe
PID 956 wrote to memory of 844	956	M097508E2-20F2-4C2C-879A.exe	M097508E2-20F2-4C2C-879A.exe
PID 844 wrote to memory of 2044	844	M097508E2-20F2-4C2C-879A.exe	MSBuild.exe
PID 844 wrote to memory of 2044	844	M097508E2-20F2-4C2C-879A.exe	MSBuild.exe
PID 844 wrote to memory of 2044	844	M097508E2-20F2-4C2C-879A.exe	MSBuild.exe
PID 844 wrote to memory of 2044	844	M097508E2-20F2-4C2C-879A.exe	MSBuild.exe
PID 844 wrote to memory of 2044	844	M097508E2-20F2-4C2C-879A.exe	MSBuild.exe
PID 844 wrote to memory of 1576	844	M097508E2-20F2-4C2C-879A.exe	M097508E2-20F2-4C2C-879A.exe
PID 844 wrote to memory of 1576	844	M097508E2-20F2-4C2C-879A.exe	M097508E2-20F2-4C2C-879A.exe
PID 844 wrote to memory of 1576	844	M097508E2-20F2-4C2C-879A.exe	M097508E2-20F2-4C2C-879A.exe
PID 844 wrote to memory of 1576	844	M097508E2-20F2-4C2C-879A.exe	M097508E2-20F2-4C2C-879A.exe
PID 1576 wrote to memory of 1836	1576	M097508E2-20F2-4C2C-879A.exe	MSBuild.exe
PID 1576 wrote to memory of 1836	1576	M097508E2-20F2-4C2C-879A.exe	MSBuild.exe
PID 1576 wrote to memory of 1836	1576	M097508E2-20F2-4C2C-879A.exe	MSBuild.exe
PID 1576 wrote to memory of 1836	1576	M097508E2-20F2-4C2C-879A.exe	MSBuild.exe
PID 1576 wrote to memory of 1836	1576	M097508E2-20F2-4C2C-879A.exe	MSBuild.exe
PID 1576 wrote to memory of 944	1576	M097508E2-20F2-4C2C-879A.exe	M097508E2-20F2-4C2C-879A.exe
PID 1576 wrote to memory of 944	1576	M097508E2-20F2-4C2C-879A.exe	M097508E2-20F2-4C2C-879A.exe
PID 1576 wrote to memory of 944	1576	M097508E2-20F2-4C2C-879A.exe	M097508E2-20F2-4C2C-879A.exe
PID 1576 wrote to memory of 944	1576	M097508E2-20F2-4C2C-879A.exe	M097508E2-20F2-4C2C-879A.exe
PID 944 wrote to memory of 528	944	M097508E2-20F2-4C2C-879A.exe	MSBuild.exe
PID 944 wrote to memory of 528	944	M097508E2-20F2-4C2C-879A.exe	MSBuild.exe
PID 944 wrote to memory of 528	944	M097508E2-20F2-4C2C-879A.exe	MSBuild.exe
PID 944 wrote to memory of 528	944	M097508E2-20F2-4C2C-879A.exe	MSBuild.exe
PID 944 wrote to memory of 528	944	M097508E2-20F2-4C2C-879A.exe	MSBuild.exe
PID 944 wrote to memory of 520	944	M097508E2-20F2-4C2C-879A.exe	M097508E2-20F2-4C2C-879A.exe
PID 944 wrote to memory of 520	944	M097508E2-20F2-4C2C-879A.exe	M097508E2-20F2-4C2C-879A.exe
PID 944 wrote to memory of 520	944	M097508E2-20F2-4C2C-879A.exe	M097508E2-20F2-4C2C-879A.exe
PID 944 wrote to memory of 520	944	M097508E2-20F2-4C2C-879A.exe	M097508E2-20F2-4C2C-879A.exe
PID 520 wrote to memory of 1772	520	M097508E2-20F2-4C2C-879A.exe	MSBuild.exe
PID 520 wrote to memory of 1772	520	M097508E2-20F2-4C2C-879A.exe	MSBuild.exe
PID 520 wrote to memory of 1772	520	M097508E2-20F2-4C2C-879A.exe	MSBuild.exe
PID 520 wrote to memory of 1772	520	M097508E2-20F2-4C2C-879A.exe	MSBuild.exe
PID 520 wrote to memory of 1772	520	M097508E2-20F2-4C2C-879A.exe	MSBuild.exe
PID 520 wrote to memory of 324	520	M097508E2-20F2-4C2C-879A.exe	M097508E2-20F2-4C2C-879A.exe
PID 520 wrote to memory of 324	520	M097508E2-20F2-4C2C-879A.exe	M097508E2-20F2-4C2C-879A.exe
PID 520 wrote to memory of 324	520	M097508E2-20F2-4C2C-879A.exe	M097508E2-20F2-4C2C-879A.exe
PID 520 wrote to memory of 324	520	M097508E2-20F2-4C2C-879A.exe	M097508E2-20F2-4C2C-879A.exe
PID 324 wrote to memory of 1160	324	M097508E2-20F2-4C2C-879A.exe	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\M097508E2-20F2-4C2C-879A.exe
"C:\Users\Admin\AppData\Local\Temp\M097508E2-20F2-4C2C-879A.exe"
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
2⤵
PID:1388

C:\Users\Admin\AppData\Local\Temp\M097508E2-20F2-4C2C-879A.exe
"C:\Users\Admin\AppData\Local\Temp\M097508E2-20F2-4C2C-879A.exe"
2⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1392

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
3⤵
PID:1808

C:\Users\Admin\AppData\Local\Temp\M097508E2-20F2-4C2C-879A.exe
"C:\Users\Admin\AppData\Local\Temp\M097508E2-20F2-4C2C-879A.exe"
3⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
4⤵
PID:1332

C:\Users\Admin\AppData\Local\Temp\M097508E2-20F2-4C2C-879A.exe
"C:\Users\Admin\AppData\Local\Temp\M097508E2-20F2-4C2C-879A.exe"
4⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:844

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
5⤵
PID:2044

C:\Users\Admin\AppData\Local\Temp\M097508E2-20F2-4C2C-879A.exe
"C:\Users\Admin\AppData\Local\Temp\M097508E2-20F2-4C2C-879A.exe"
5⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
6⤵
PID:1836

C:\Users\Admin\AppData\Local\Temp\M097508E2-20F2-4C2C-879A.exe
"C:\Users\Admin\AppData\Local\Temp\M097508E2-20F2-4C2C-879A.exe"
6⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:944

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
7⤵
PID:528

C:\Users\Admin\AppData\Local\Temp\M097508E2-20F2-4C2C-879A.exe
"C:\Users\Admin\AppData\Local\Temp\M097508E2-20F2-4C2C-879A.exe"
7⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:520

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
8⤵
PID:1772

C:\Users\Admin\AppData\Local\Temp\M097508E2-20F2-4C2C-879A.exe
"C:\Users\Admin\AppData\Local\Temp\M097508E2-20F2-4C2C-879A.exe"
8⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:324

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
9⤵
PID:1160

C:\Users\Admin\AppData\Local\Temp\M097508E2-20F2-4C2C-879A.exe
"C:\Users\Admin\AppData\Local\Temp\M097508E2-20F2-4C2C-879A.exe"
9⤵
- Suspicious behavior: MapViewOfSection
PID:608

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
10⤵
PID:1648

C:\Users\Admin\AppData\Local\Temp\M097508E2-20F2-4C2C-879A.exe
"C:\Users\Admin\AppData\Local\Temp\M097508E2-20F2-4C2C-879A.exe"
10⤵
- Suspicious behavior: MapViewOfSection
PID:1540

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
11⤵
PID:1764

C:\Users\Admin\AppData\Local\Temp\M097508E2-20F2-4C2C-879A.exe
"C:\Users\Admin\AppData\Local\Temp\M097508E2-20F2-4C2C-879A.exe"
11⤵
- Suspicious behavior: MapViewOfSection
PID:876

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
12⤵
PID:1732

C:\Users\Admin\AppData\Local\Temp\M097508E2-20F2-4C2C-879A.exe
"C:\Users\Admin\AppData\Local\Temp\M097508E2-20F2-4C2C-879A.exe"
12⤵
- Suspicious behavior: MapViewOfSection
PID:2016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
13⤵
PID:2008

C:\Users\Admin\AppData\Local\Temp\M097508E2-20F2-4C2C-879A.exe
"C:\Users\Admin\AppData\Local\Temp\M097508E2-20F2-4C2C-879A.exe"
13⤵
- Suspicious behavior: MapViewOfSection
PID:1472

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
14⤵
PID:1816

C:\Users\Admin\AppData\Local\Temp\M097508E2-20F2-4C2C-879A.exe
"C:\Users\Admin\AppData\Local\Temp\M097508E2-20F2-4C2C-879A.exe"
14⤵
- Suspicious behavior: MapViewOfSection
PID:468

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
15⤵
PID:1556

C:\Users\Admin\AppData\Local\Temp\M097508E2-20F2-4C2C-879A.exe
"C:\Users\Admin\AppData\Local\Temp\M097508E2-20F2-4C2C-879A.exe"
15⤵
PID:1768

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/324-76-0x000000000031D000-0x0000000000320000-memory.dmp

Filesize
12KB

Download
memory/324-74-0x0000000000000000-mapping.dmp

Download
memory/468-94-0x000000000023D000-0x0000000000240000-memory.dmp

Filesize
12KB

Download
memory/468-92-0x0000000000000000-mapping.dmp

Download
memory/520-71-0x0000000000000000-mapping.dmp

Download
memory/520-73-0x000000000048D000-0x0000000000490000-memory.dmp

Filesize
12KB

Download
memory/608-79-0x000000000044D000-0x0000000000450000-memory.dmp

Filesize
12KB

Download
memory/608-77-0x0000000000000000-mapping.dmp

Download
memory/844-64-0x00000000001DD000-0x00000000001E0000-memory.dmp

Filesize
12KB

Download
memory/844-62-0x0000000000000000-mapping.dmp

Download
memory/876-83-0x0000000000000000-mapping.dmp

Download
memory/876-85-0x00000000002BD000-0x00000000002C0000-memory.dmp

Filesize
12KB

Download
memory/944-68-0x0000000000000000-mapping.dmp

Download
memory/944-70-0x00000000003FD000-0x0000000000400000-memory.dmp

Filesize
12KB

Download
memory/956-61-0x00000000003ED000-0x00000000003F0000-memory.dmp

Filesize
12KB

Download
memory/956-59-0x0000000000000000-mapping.dmp

Download
memory/1392-56-0x0000000000000000-mapping.dmp

Download
memory/1392-58-0x00000000004AD000-0x00000000004B0000-memory.dmp

Filesize
12KB

Download
memory/1472-89-0x0000000000000000-mapping.dmp

Download
memory/1472-91-0x000000000043D000-0x0000000000440000-memory.dmp

Filesize
12KB

Download
memory/1540-82-0x000000000020D000-0x0000000000210000-memory.dmp

Filesize
12KB

Download
memory/1540-80-0x0000000000000000-mapping.dmp

Download
memory/1576-67-0x000000000047D000-0x0000000000480000-memory.dmp

Filesize
12KB

Download
memory/1576-65-0x0000000000000000-mapping.dmp

Download
memory/1768-95-0x0000000000000000-mapping.dmp

Download
memory/1768-97-0x00000000002FD000-0x0000000000300000-memory.dmp

Filesize
12KB

Download
memory/2016-86-0x0000000000000000-mapping.dmp

Download
memory/2016-88-0x000000000034D000-0x0000000000350000-memory.dmp

Filesize
12KB

Download
memory/2028-54-0x0000000075381000-0x0000000075383000-memory.dmp

Filesize
8KB

Download
memory/2028-55-0x000000000038D000-0x0000000000390000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing