Analysis
max time kernel: 136s
max time network: 47s
platform: windows7_x64
resource: win7-20220414-en
submitted: 02-05-2022 11:34
Static task: static1

Behavioral task: behavioral1
Sample: 0900009090000.exe
Resource: win7-20220414-en
0 signatures
0 seconds

Behavioral task: behavioral2
Sample: 0900009090000.exe
Resource: win10v2004-20220414-en
0 signatures
0 seconds
General
Target: 0900009090000.exe
Size: 577KB
MD5: a543084b74043d3373fe007ecf2924af
SHA1: 0b06349a0f26179f6e5e43181e4d248ee8bab127
SHA256: 6989ffe534c2303d7fcc4f5f8b81515a3d30a53ecb395a935bc46391de88b023
SHA512: 57af1f424d02c4ba8f66a011b007b559e5cca570d8c3d630415b993544d2caddd9de3fe9ecec4d626142fca884512913ef6c9665b754e6b4a586d70852293a83
Score: 1/10
Malware Config
Signatures
Suspicious behavior: MapViewOfSection 13 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
1⤵ PID:1180 "C:\Users\Admin\AppData\Local\Temp\0900009090000.exe"
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
2⤵ PID:1880 "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
2⤵ PID:2004 "C:\Users\Admin\AppData\Local\Temp\0900009090000.exe"
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
3⤵ PID:1996 "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
3⤵ PID:1464 "C:\Users\Admin\AppData\Local\Temp\0900009090000.exe"
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
4⤵ PID:948 "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
4⤵ PID:1968 "C:\Users\Admin\AppData\Local\Temp\0900009090000.exe"
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
5⤵ PID:1084 "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
5⤵ PID:1696 "C:\Users\Admin\AppData\Local\Temp\0900009090000.exe"
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
6⤵ PID:1424 "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
6⤵ PID:1976 "C:\Users\Admin\AppData\Local\Temp\0900009090000.exe"
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
7⤵ PID:1732 "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
7⤵ PID:1956 "C:\Users\Admin\AppData\Local\Temp\0900009090000.exe"
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
8⤵ PID:1948 "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
8⤵ PID:1892 "C:\Users\Admin\AppData\Local\Temp\0900009090000.exe"
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
9⤵ PID:1228 "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
9⤵ PID:848 "C:\Users\Admin\AppData\Local\Temp\0900009090000.exe"
- Suspicious behavior: MapViewOfSection
10⤵ PID:1128 "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
10⤵ PID:1324 "C:\Users\Admin\AppData\Local\Temp\0900009090000.exe"