992c8c63aa0978780c459f741825cfc6e118b08a26f57cabccb08bd864e2ee5e

General

Target

50208488 AEJEA 81890010169430.exe
Size

581KB
MD5

1b485e01e597352e81f18d2a828edee3
SHA1

09329b97c027cffbc9d34e5d49a3794b7209e246
SHA256

039b571653cbd974ebb9e8c37c048d0f9c4e5302db86a7400ed7a81708cb6c8c
SHA512

a124dbed4e5cc1809f9e473e2c0c84ddce944955ecb50adc8bf57f5134e0f282722a6a4ad23e62e2df333eaebe57878b0d40bae40867f24c9ec5efdb9b9ba53e

Score

1^/10

Malware Config

Signatures

Suspicious behavior: MapViewOfSection 12 IoCs

Processes:

50208488 AEJEA 81890010169430.exe50208488 AEJEA 81890010169430.exe50208488 AEJEA 81890010169430.exe50208488 AEJEA 81890010169430.exe50208488 AEJEA 81890010169430.exe50208488 AEJEA 81890010169430.exe50208488 AEJEA 81890010169430.exe50208488 AEJEA 81890010169430.exe50208488 AEJEA 81890010169430.exe50208488 AEJEA 81890010169430.exe

pid	process
1968	50208488 AEJEA 81890010169430.exe
1084	50208488 AEJEA 81890010169430.exe
1476	50208488 AEJEA 81890010169430.exe
1492	50208488 AEJEA 81890010169430.exe
1492	50208488 AEJEA 81890010169430.exe
1524	50208488 AEJEA 81890010169430.exe
1140	50208488 AEJEA 81890010169430.exe
1984	50208488 AEJEA 81890010169430.exe
1220	50208488 AEJEA 81890010169430.exe
1220	50208488 AEJEA 81890010169430.exe
2008	50208488 AEJEA 81890010169430.exe
1132	50208488 AEJEA 81890010169430.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

50208488 AEJEA 81890010169430.exe50208488 AEJEA 81890010169430.exe50208488 AEJEA 81890010169430.exe50208488 AEJEA 81890010169430.exe50208488 AEJEA 81890010169430.exe50208488 AEJEA 81890010169430.exe50208488 AEJEA 81890010169430.exe50208488 AEJEA 81890010169430.exe

description	pid	process	target process
PID 1968 wrote to memory of 1168	1968	50208488 AEJEA 81890010169430.exe	MSBuild.exe
PID 1968 wrote to memory of 1168	1968	50208488 AEJEA 81890010169430.exe	MSBuild.exe
PID 1968 wrote to memory of 1168	1968	50208488 AEJEA 81890010169430.exe	MSBuild.exe
PID 1968 wrote to memory of 1168	1968	50208488 AEJEA 81890010169430.exe	MSBuild.exe
PID 1968 wrote to memory of 1168	1968	50208488 AEJEA 81890010169430.exe	MSBuild.exe
PID 1968 wrote to memory of 1084	1968	50208488 AEJEA 81890010169430.exe	50208488 AEJEA 81890010169430.exe
PID 1968 wrote to memory of 1084	1968	50208488 AEJEA 81890010169430.exe	50208488 AEJEA 81890010169430.exe
PID 1968 wrote to memory of 1084	1968	50208488 AEJEA 81890010169430.exe	50208488 AEJEA 81890010169430.exe
PID 1968 wrote to memory of 1084	1968	50208488 AEJEA 81890010169430.exe	50208488 AEJEA 81890010169430.exe
PID 1084 wrote to memory of 620	1084	50208488 AEJEA 81890010169430.exe	MSBuild.exe
PID 1084 wrote to memory of 620	1084	50208488 AEJEA 81890010169430.exe	MSBuild.exe
PID 1084 wrote to memory of 620	1084	50208488 AEJEA 81890010169430.exe	MSBuild.exe
PID 1084 wrote to memory of 620	1084	50208488 AEJEA 81890010169430.exe	MSBuild.exe
PID 1084 wrote to memory of 620	1084	50208488 AEJEA 81890010169430.exe	MSBuild.exe
PID 1084 wrote to memory of 1476	1084	50208488 AEJEA 81890010169430.exe	50208488 AEJEA 81890010169430.exe
PID 1084 wrote to memory of 1476	1084	50208488 AEJEA 81890010169430.exe	50208488 AEJEA 81890010169430.exe
PID 1084 wrote to memory of 1476	1084	50208488 AEJEA 81890010169430.exe	50208488 AEJEA 81890010169430.exe
PID 1084 wrote to memory of 1476	1084	50208488 AEJEA 81890010169430.exe	50208488 AEJEA 81890010169430.exe
PID 1476 wrote to memory of 1780	1476	50208488 AEJEA 81890010169430.exe	MSBuild.exe
PID 1476 wrote to memory of 1780	1476	50208488 AEJEA 81890010169430.exe	MSBuild.exe
PID 1476 wrote to memory of 1780	1476	50208488 AEJEA 81890010169430.exe	MSBuild.exe
PID 1476 wrote to memory of 1780	1476	50208488 AEJEA 81890010169430.exe	MSBuild.exe
PID 1476 wrote to memory of 1780	1476	50208488 AEJEA 81890010169430.exe	MSBuild.exe
PID 1476 wrote to memory of 1492	1476	50208488 AEJEA 81890010169430.exe	50208488 AEJEA 81890010169430.exe
PID 1476 wrote to memory of 1492	1476	50208488 AEJEA 81890010169430.exe	50208488 AEJEA 81890010169430.exe
PID 1476 wrote to memory of 1492	1476	50208488 AEJEA 81890010169430.exe	50208488 AEJEA 81890010169430.exe
PID 1476 wrote to memory of 1492	1476	50208488 AEJEA 81890010169430.exe	50208488 AEJEA 81890010169430.exe
PID 1492 wrote to memory of 1276	1492	50208488 AEJEA 81890010169430.exe	MSBuild.exe
PID 1492 wrote to memory of 1276	1492	50208488 AEJEA 81890010169430.exe	MSBuild.exe
PID 1492 wrote to memory of 1276	1492	50208488 AEJEA 81890010169430.exe	MSBuild.exe
PID 1492 wrote to memory of 1276	1492	50208488 AEJEA 81890010169430.exe	MSBuild.exe
PID 1492 wrote to memory of 1276	1492	50208488 AEJEA 81890010169430.exe	MSBuild.exe
PID 1492 wrote to memory of 1524	1492	50208488 AEJEA 81890010169430.exe	50208488 AEJEA 81890010169430.exe
PID 1492 wrote to memory of 1524	1492	50208488 AEJEA 81890010169430.exe	50208488 AEJEA 81890010169430.exe
PID 1492 wrote to memory of 1524	1492	50208488 AEJEA 81890010169430.exe	50208488 AEJEA 81890010169430.exe
PID 1492 wrote to memory of 1524	1492	50208488 AEJEA 81890010169430.exe	50208488 AEJEA 81890010169430.exe
PID 1524 wrote to memory of 1804	1524	50208488 AEJEA 81890010169430.exe	MSBuild.exe
PID 1524 wrote to memory of 1804	1524	50208488 AEJEA 81890010169430.exe	MSBuild.exe
PID 1524 wrote to memory of 1804	1524	50208488 AEJEA 81890010169430.exe	MSBuild.exe
PID 1524 wrote to memory of 1804	1524	50208488 AEJEA 81890010169430.exe	MSBuild.exe
PID 1524 wrote to memory of 1804	1524	50208488 AEJEA 81890010169430.exe	MSBuild.exe
PID 1524 wrote to memory of 1140	1524	50208488 AEJEA 81890010169430.exe	50208488 AEJEA 81890010169430.exe
PID 1524 wrote to memory of 1140	1524	50208488 AEJEA 81890010169430.exe	50208488 AEJEA 81890010169430.exe
PID 1524 wrote to memory of 1140	1524	50208488 AEJEA 81890010169430.exe	50208488 AEJEA 81890010169430.exe
PID 1524 wrote to memory of 1140	1524	50208488 AEJEA 81890010169430.exe	50208488 AEJEA 81890010169430.exe
PID 1140 wrote to memory of 1268	1140	50208488 AEJEA 81890010169430.exe	MSBuild.exe
PID 1140 wrote to memory of 1268	1140	50208488 AEJEA 81890010169430.exe	MSBuild.exe
PID 1140 wrote to memory of 1268	1140	50208488 AEJEA 81890010169430.exe	MSBuild.exe
PID 1140 wrote to memory of 1268	1140	50208488 AEJEA 81890010169430.exe	MSBuild.exe
PID 1140 wrote to memory of 1268	1140	50208488 AEJEA 81890010169430.exe	MSBuild.exe
PID 1140 wrote to memory of 1984	1140	50208488 AEJEA 81890010169430.exe	50208488 AEJEA 81890010169430.exe
PID 1140 wrote to memory of 1984	1140	50208488 AEJEA 81890010169430.exe	50208488 AEJEA 81890010169430.exe
PID 1140 wrote to memory of 1984	1140	50208488 AEJEA 81890010169430.exe	50208488 AEJEA 81890010169430.exe
PID 1140 wrote to memory of 1984	1140	50208488 AEJEA 81890010169430.exe	50208488 AEJEA 81890010169430.exe
PID 1984 wrote to memory of 1556	1984	50208488 AEJEA 81890010169430.exe	MSBuild.exe
PID 1984 wrote to memory of 1556	1984	50208488 AEJEA 81890010169430.exe	MSBuild.exe
PID 1984 wrote to memory of 1556	1984	50208488 AEJEA 81890010169430.exe	MSBuild.exe
PID 1984 wrote to memory of 1556	1984	50208488 AEJEA 81890010169430.exe	MSBuild.exe
PID 1984 wrote to memory of 1556	1984	50208488 AEJEA 81890010169430.exe	MSBuild.exe
PID 1984 wrote to memory of 1220	1984	50208488 AEJEA 81890010169430.exe	50208488 AEJEA 81890010169430.exe
PID 1984 wrote to memory of 1220	1984	50208488 AEJEA 81890010169430.exe	50208488 AEJEA 81890010169430.exe
PID 1984 wrote to memory of 1220	1984	50208488 AEJEA 81890010169430.exe	50208488 AEJEA 81890010169430.exe
PID 1984 wrote to memory of 1220	1984	50208488 AEJEA 81890010169430.exe	50208488 AEJEA 81890010169430.exe
PID 1220 wrote to memory of 460	1220	50208488 AEJEA 81890010169430.exe	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\50208488 AEJEA 81890010169430.exe
"C:\Users\Admin\AppData\Local\Temp\50208488 AEJEA 81890010169430.exe"
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
2⤵
PID:1168

C:\Users\Admin\AppData\Local\Temp\50208488 AEJEA 81890010169430.exe
"C:\Users\Admin\AppData\Local\Temp\50208488 AEJEA 81890010169430.exe"
2⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1084

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
3⤵
PID:620

C:\Users\Admin\AppData\Local\Temp\50208488 AEJEA 81890010169430.exe
"C:\Users\Admin\AppData\Local\Temp\50208488 AEJEA 81890010169430.exe"
3⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1476

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
4⤵
PID:1780

C:\Users\Admin\AppData\Local\Temp\50208488 AEJEA 81890010169430.exe
"C:\Users\Admin\AppData\Local\Temp\50208488 AEJEA 81890010169430.exe"
4⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1492

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
5⤵
PID:1276

C:\Users\Admin\AppData\Local\Temp\50208488 AEJEA 81890010169430.exe
"C:\Users\Admin\AppData\Local\Temp\50208488 AEJEA 81890010169430.exe"
5⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1524

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
6⤵
PID:1804

C:\Users\Admin\AppData\Local\Temp\50208488 AEJEA 81890010169430.exe
"C:\Users\Admin\AppData\Local\Temp\50208488 AEJEA 81890010169430.exe"
6⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1140

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
7⤵
PID:1268

C:\Users\Admin\AppData\Local\Temp\50208488 AEJEA 81890010169430.exe
"C:\Users\Admin\AppData\Local\Temp\50208488 AEJEA 81890010169430.exe"
7⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
8⤵
PID:1556

C:\Users\Admin\AppData\Local\Temp\50208488 AEJEA 81890010169430.exe
"C:\Users\Admin\AppData\Local\Temp\50208488 AEJEA 81890010169430.exe"
8⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1220

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
9⤵
PID:460

C:\Users\Admin\AppData\Local\Temp\50208488 AEJEA 81890010169430.exe
"C:\Users\Admin\AppData\Local\Temp\50208488 AEJEA 81890010169430.exe"
9⤵
- Suspicious behavior: MapViewOfSection
PID:2008

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
10⤵
PID:304

C:\Users\Admin\AppData\Local\Temp\50208488 AEJEA 81890010169430.exe
"C:\Users\Admin\AppData\Local\Temp\50208488 AEJEA 81890010169430.exe"
10⤵
- Suspicious behavior: MapViewOfSection
PID:1132

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
11⤵
PID:1068

C:\Users\Admin\AppData\Local\Temp\50208488 AEJEA 81890010169430.exe
"C:\Users\Admin\AppData\Local\Temp\50208488 AEJEA 81890010169430.exe"
11⤵
PID:548

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/548-85-0x000000000025D000-0x0000000000260000-memory.dmp

Filesize
12KB

Download
memory/548-83-0x0000000000000000-mapping.dmp

Download
memory/1084-56-0x0000000000000000-mapping.dmp

Download
memory/1084-58-0x00000000003CD000-0x00000000003D0000-memory.dmp

Filesize
12KB

Download
memory/1132-82-0x00000000003AD000-0x00000000003B0000-memory.dmp

Filesize
12KB

Download
memory/1132-80-0x0000000000000000-mapping.dmp

Download
memory/1140-68-0x0000000000000000-mapping.dmp

Download
memory/1140-70-0x000000000041D000-0x0000000000420000-memory.dmp

Filesize
12KB

Download
memory/1220-76-0x000000000028D000-0x0000000000290000-memory.dmp

Filesize
12KB

Download
memory/1220-74-0x0000000000000000-mapping.dmp

Download
memory/1476-59-0x0000000000000000-mapping.dmp

Download
memory/1476-61-0x000000000044D000-0x0000000000450000-memory.dmp

Filesize
12KB

Download
memory/1492-62-0x0000000000000000-mapping.dmp

Download
memory/1492-64-0x000000000036D000-0x0000000000370000-memory.dmp

Filesize
12KB

Download
memory/1524-65-0x0000000000000000-mapping.dmp

Download
memory/1524-67-0x00000000003DD000-0x00000000003E0000-memory.dmp

Filesize
12KB

Download
memory/1968-54-0x0000000075C31000-0x0000000075C33000-memory.dmp

Filesize
8KB

Download
memory/1968-55-0x000000000046D000-0x0000000000470000-memory.dmp

Filesize
12KB

Download
memory/1984-73-0x00000000003FD000-0x0000000000400000-memory.dmp

Filesize
12KB

Download
memory/1984-71-0x0000000000000000-mapping.dmp

Download
memory/2008-79-0x00000000003BD000-0x00000000003C0000-memory.dmp

Filesize
12KB

Download
memory/2008-77-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing