9e36bd5d9ee933eb8cf7aaef9a14bb4a1c85ebaf1630b5b5e3fa5bb2f67cf345

General

Target

9e36bd5d9ee933eb8cf7aaef9a14bb4a1c85ebaf1630b5b5e3fa5bb2f67cf345.exe
Size

1.5MB
MD5

2884f56c8fe181ec634e5f5b059e8943
SHA1

a0c30ab484f36e77a27cafc6265f7ce45bf27612
SHA256

9e36bd5d9ee933eb8cf7aaef9a14bb4a1c85ebaf1630b5b5e3fa5bb2f67cf345
SHA512

297475cc382155d85be34e97eec4623580c3fbbef83c3d926d0a436622bb8ec7b6c938225c61e5772df672af8c4ed4a7e5d2d9aa9d3e0209d01b898dab6bf648

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 2 IoCs

Processes:

9e36bd5d9ee933eb8cf7aaef9a14bb4a1c85ebaf1630b5b5e3fa5bb2f67cf345.exeMSBuild.exe

description	pid	process	target process
PID 1856 set thread context of 3856	1856	9e36bd5d9ee933eb8cf7aaef9a14bb4a1c85ebaf1630b5b5e3fa5bb2f67cf345.exe	MSBuild.exe
PID 3856 set thread context of 1780	3856	MSBuild.exe	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

9e36bd5d9ee933eb8cf7aaef9a14bb4a1c85ebaf1630b5b5e3fa5bb2f67cf345.exeMSBuild.exe

description	pid	process
Token: SeDebugPrivilege	1856	9e36bd5d9ee933eb8cf7aaef9a14bb4a1c85ebaf1630b5b5e3fa5bb2f67cf345.exe
Token: SeDebugPrivilege	3856	MSBuild.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

9e36bd5d9ee933eb8cf7aaef9a14bb4a1c85ebaf1630b5b5e3fa5bb2f67cf345.exeMSBuild.exe

description	pid	process	target process
PID 1856 wrote to memory of 3856	1856	9e36bd5d9ee933eb8cf7aaef9a14bb4a1c85ebaf1630b5b5e3fa5bb2f67cf345.exe	MSBuild.exe
PID 1856 wrote to memory of 3856	1856	9e36bd5d9ee933eb8cf7aaef9a14bb4a1c85ebaf1630b5b5e3fa5bb2f67cf345.exe	MSBuild.exe
PID 1856 wrote to memory of 3856	1856	9e36bd5d9ee933eb8cf7aaef9a14bb4a1c85ebaf1630b5b5e3fa5bb2f67cf345.exe	MSBuild.exe
PID 1856 wrote to memory of 3856	1856	9e36bd5d9ee933eb8cf7aaef9a14bb4a1c85ebaf1630b5b5e3fa5bb2f67cf345.exe	MSBuild.exe
PID 1856 wrote to memory of 3856	1856	9e36bd5d9ee933eb8cf7aaef9a14bb4a1c85ebaf1630b5b5e3fa5bb2f67cf345.exe	MSBuild.exe
PID 1856 wrote to memory of 3856	1856	9e36bd5d9ee933eb8cf7aaef9a14bb4a1c85ebaf1630b5b5e3fa5bb2f67cf345.exe	MSBuild.exe
PID 1856 wrote to memory of 3856	1856	9e36bd5d9ee933eb8cf7aaef9a14bb4a1c85ebaf1630b5b5e3fa5bb2f67cf345.exe	MSBuild.exe
PID 1856 wrote to memory of 3856	1856	9e36bd5d9ee933eb8cf7aaef9a14bb4a1c85ebaf1630b5b5e3fa5bb2f67cf345.exe	MSBuild.exe
PID 3856 wrote to memory of 1780	3856	MSBuild.exe	MSBuild.exe
PID 3856 wrote to memory of 1780	3856	MSBuild.exe	MSBuild.exe
PID 3856 wrote to memory of 1780	3856	MSBuild.exe	MSBuild.exe
PID 3856 wrote to memory of 1780	3856	MSBuild.exe	MSBuild.exe
PID 3856 wrote to memory of 1780	3856	MSBuild.exe	MSBuild.exe
PID 3856 wrote to memory of 1780	3856	MSBuild.exe	MSBuild.exe
PID 3856 wrote to memory of 1780	3856	MSBuild.exe	MSBuild.exe
PID 3856 wrote to memory of 1780	3856	MSBuild.exe	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\9e36bd5d9ee933eb8cf7aaef9a14bb4a1c85ebaf1630b5b5e3fa5bb2f67cf345.exe
"C:\Users\Admin\AppData\Local\Temp\9e36bd5d9ee933eb8cf7aaef9a14bb4a1c85ebaf1630b5b5e3fa5bb2f67cf345.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1856
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3856
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:1780

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\YawrHJfWfh.txt

Filesize
102B

MD5
02db63e5a1f0c977ff066fbf3c2c4bfe

SHA1
3e1e3dc2ae86ea2408a15e0ed38e797e7423c246

SHA256
54b92a399461b2fd4034f66a7eecfe8dc0f2a4e47b9702ed7ac7179aa571d9fc

SHA512
bbb171d896ae9fbaf6b91c8dfbf64cc73d799d795e378d10d912b31394e9868badf3b81748ed979da919b1fc1bb633409438df9d6666437544008668ef7067fe

Download Submit
memory/1780-139-0x0000000000000000-mapping.dmp

Download
memory/1780-143-0x0000000005540000-0x000000000569A000-memory.dmp

Filesize
1.4MB

Download
memory/1780-142-0x0000000002DA0000-0x0000000002DBA000-memory.dmp

Filesize
104KB

Download
memory/1780-140-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1856-133-0x0000000004E10000-0x0000000004EA2000-memory.dmp

Filesize
584KB

Download
memory/1856-136-0x0000000008A30000-0x0000000008A96000-memory.dmp

Filesize
408KB

Download
memory/1856-135-0x0000000004FA0000-0x0000000004FF6000-memory.dmp

Filesize
344KB

Download
memory/1856-134-0x0000000004D50000-0x0000000004D5A000-memory.dmp

Filesize
40KB

Download
memory/1856-130-0x0000000000180000-0x0000000000308000-memory.dmp

Filesize
1.5MB

Download
memory/1856-132-0x00000000053C0000-0x0000000005964000-memory.dmp

Filesize
5.6MB

Download
memory/1856-131-0x0000000004CB0000-0x0000000004D4C000-memory.dmp

Filesize
624KB

Download
memory/3856-137-0x0000000000000000-mapping.dmp

Download
memory/3856-144-0x0000000005260000-0x0000000005804000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads