e3025b92ca323fe6dc93a50edd16f8e0fa66a29f3a74b70266a6fbb0bef6cc81

Analysis

max time kernel
43s
max time network
49s
platform
windows7_x64
resource
win7-20220414-en
submitted
02-05-2022 15:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e3025b92ca323fe6dc93a50edd16f8e0fa66a29f3a74b70266a6fbb0bef6cc81.exe
Size

371KB
MD5

2d7a149c2065bf05c3d3fc056a80cd2b
SHA1

cec31a5b837314d47c911b96e44039b64f4831be
SHA256

e3025b92ca323fe6dc93a50edd16f8e0fa66a29f3a74b70266a6fbb0bef6cc81
SHA512

dff6515cdad12c2d65abcf20c707b058cb350caf419afd05f1e53e66c8d58b6cb8210ae59018d3667e0dbbad31816d8e170087735950f979841bf3376e778dae

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 1684 set thread context of 1304	1684	e3025b92ca323fe6dc93a50edd16f8e0fa66a29f3a74b70266a6fbb0bef6cc81.exe	27
PID 1304 set thread context of 1780	1304	e3025b92ca323fe6dc93a50edd16f8e0fa66a29f3a74b70266a6fbb0bef6cc81.exe	28
PID 1780 set thread context of 688	1780	e3025b92ca323fe6dc93a50edd16f8e0fa66a29f3a74b70266a6fbb0bef6cc81.exe	29
PID 688 set thread context of 1340	688	e3025b92ca323fe6dc93a50edd16f8e0fa66a29f3a74b70266a6fbb0bef6cc81.exe	30
PID 1340 set thread context of 1908	1340	e3025b92ca323fe6dc93a50edd16f8e0fa66a29f3a74b70266a6fbb0bef6cc81.exe	31

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1684	e3025b92ca323fe6dc93a50edd16f8e0fa66a29f3a74b70266a6fbb0bef6cc81.exe
1684	e3025b92ca323fe6dc93a50edd16f8e0fa66a29f3a74b70266a6fbb0bef6cc81.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1684	e3025b92ca323fe6dc93a50edd16f8e0fa66a29f3a74b70266a6fbb0bef6cc81.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 1304	1684	e3025b92ca323fe6dc93a50edd16f8e0fa66a29f3a74b70266a6fbb0bef6cc81.exe	27
PID 1684 wrote to memory of 1304	1684	e3025b92ca323fe6dc93a50edd16f8e0fa66a29f3a74b70266a6fbb0bef6cc81.exe	27
PID 1684 wrote to memory of 1304	1684	e3025b92ca323fe6dc93a50edd16f8e0fa66a29f3a74b70266a6fbb0bef6cc81.exe	27
PID 1684 wrote to memory of 1304	1684	e3025b92ca323fe6dc93a50edd16f8e0fa66a29f3a74b70266a6fbb0bef6cc81.exe	27
PID 1684 wrote to memory of 1304	1684	e3025b92ca323fe6dc93a50edd16f8e0fa66a29f3a74b70266a6fbb0bef6cc81.exe	27
PID 1684 wrote to memory of 1304	1684	e3025b92ca323fe6dc93a50edd16f8e0fa66a29f3a74b70266a6fbb0bef6cc81.exe	27
PID 1684 wrote to memory of 1304	1684	e3025b92ca323fe6dc93a50edd16f8e0fa66a29f3a74b70266a6fbb0bef6cc81.exe	27
PID 1684 wrote to memory of 1304	1684	e3025b92ca323fe6dc93a50edd16f8e0fa66a29f3a74b70266a6fbb0bef6cc81.exe	27
PID 1684 wrote to memory of 1304	1684	e3025b92ca323fe6dc93a50edd16f8e0fa66a29f3a74b70266a6fbb0bef6cc81.exe	27
PID 1304 wrote to memory of 1780	1304	e3025b92ca323fe6dc93a50edd16f8e0fa66a29f3a74b70266a6fbb0bef6cc81.exe	28
PID 1304 wrote to memory of 1780	1304	e3025b92ca323fe6dc93a50edd16f8e0fa66a29f3a74b70266a6fbb0bef6cc81.exe	28
PID 1304 wrote to memory of 1780	1304	e3025b92ca323fe6dc93a50edd16f8e0fa66a29f3a74b70266a6fbb0bef6cc81.exe	28
PID 1304 wrote to memory of 1780	1304	e3025b92ca323fe6dc93a50edd16f8e0fa66a29f3a74b70266a6fbb0bef6cc81.exe	28
PID 1304 wrote to memory of 1780	1304	e3025b92ca323fe6dc93a50edd16f8e0fa66a29f3a74b70266a6fbb0bef6cc81.exe	28
PID 1304 wrote to memory of 1780	1304	e3025b92ca323fe6dc93a50edd16f8e0fa66a29f3a74b70266a6fbb0bef6cc81.exe	28
PID 1304 wrote to memory of 1780	1304	e3025b92ca323fe6dc93a50edd16f8e0fa66a29f3a74b70266a6fbb0bef6cc81.exe	28
PID 1304 wrote to memory of 1780	1304	e3025b92ca323fe6dc93a50edd16f8e0fa66a29f3a74b70266a6fbb0bef6cc81.exe	28
PID 1304 wrote to memory of 1780	1304	e3025b92ca323fe6dc93a50edd16f8e0fa66a29f3a74b70266a6fbb0bef6cc81.exe	28
PID 1780 wrote to memory of 688	1780	e3025b92ca323fe6dc93a50edd16f8e0fa66a29f3a74b70266a6fbb0bef6cc81.exe	29
PID 1780 wrote to memory of 688	1780	e3025b92ca323fe6dc93a50edd16f8e0fa66a29f3a74b70266a6fbb0bef6cc81.exe	29
PID 1780 wrote to memory of 688	1780	e3025b92ca323fe6dc93a50edd16f8e0fa66a29f3a74b70266a6fbb0bef6cc81.exe	29
PID 1780 wrote to memory of 688	1780	e3025b92ca323fe6dc93a50edd16f8e0fa66a29f3a74b70266a6fbb0bef6cc81.exe	29
PID 1780 wrote to memory of 688	1780	e3025b92ca323fe6dc93a50edd16f8e0fa66a29f3a74b70266a6fbb0bef6cc81.exe	29
PID 1780 wrote to memory of 688	1780	e3025b92ca323fe6dc93a50edd16f8e0fa66a29f3a74b70266a6fbb0bef6cc81.exe	29
PID 1780 wrote to memory of 688	1780	e3025b92ca323fe6dc93a50edd16f8e0fa66a29f3a74b70266a6fbb0bef6cc81.exe	29
PID 1780 wrote to memory of 688	1780	e3025b92ca323fe6dc93a50edd16f8e0fa66a29f3a74b70266a6fbb0bef6cc81.exe	29
PID 1780 wrote to memory of 688	1780	e3025b92ca323fe6dc93a50edd16f8e0fa66a29f3a74b70266a6fbb0bef6cc81.exe	29
PID 688 wrote to memory of 1340	688	e3025b92ca323fe6dc93a50edd16f8e0fa66a29f3a74b70266a6fbb0bef6cc81.exe	30
PID 688 wrote to memory of 1340	688	e3025b92ca323fe6dc93a50edd16f8e0fa66a29f3a74b70266a6fbb0bef6cc81.exe	30
PID 688 wrote to memory of 1340	688	e3025b92ca323fe6dc93a50edd16f8e0fa66a29f3a74b70266a6fbb0bef6cc81.exe	30
PID 688 wrote to memory of 1340	688	e3025b92ca323fe6dc93a50edd16f8e0fa66a29f3a74b70266a6fbb0bef6cc81.exe	30
PID 688 wrote to memory of 1340	688	e3025b92ca323fe6dc93a50edd16f8e0fa66a29f3a74b70266a6fbb0bef6cc81.exe	30
PID 688 wrote to memory of 1340	688	e3025b92ca323fe6dc93a50edd16f8e0fa66a29f3a74b70266a6fbb0bef6cc81.exe	30
PID 688 wrote to memory of 1340	688	e3025b92ca323fe6dc93a50edd16f8e0fa66a29f3a74b70266a6fbb0bef6cc81.exe	30
PID 688 wrote to memory of 1340	688	e3025b92ca323fe6dc93a50edd16f8e0fa66a29f3a74b70266a6fbb0bef6cc81.exe	30
PID 688 wrote to memory of 1340	688	e3025b92ca323fe6dc93a50edd16f8e0fa66a29f3a74b70266a6fbb0bef6cc81.exe	30
PID 1340 wrote to memory of 1908	1340	e3025b92ca323fe6dc93a50edd16f8e0fa66a29f3a74b70266a6fbb0bef6cc81.exe	31
PID 1340 wrote to memory of 1908	1340	e3025b92ca323fe6dc93a50edd16f8e0fa66a29f3a74b70266a6fbb0bef6cc81.exe	31
PID 1340 wrote to memory of 1908	1340	e3025b92ca323fe6dc93a50edd16f8e0fa66a29f3a74b70266a6fbb0bef6cc81.exe	31
PID 1340 wrote to memory of 1908	1340	e3025b92ca323fe6dc93a50edd16f8e0fa66a29f3a74b70266a6fbb0bef6cc81.exe	31
PID 1340 wrote to memory of 1908	1340	e3025b92ca323fe6dc93a50edd16f8e0fa66a29f3a74b70266a6fbb0bef6cc81.exe	31
PID 1340 wrote to memory of 1908	1340	e3025b92ca323fe6dc93a50edd16f8e0fa66a29f3a74b70266a6fbb0bef6cc81.exe	31
PID 1340 wrote to memory of 1908	1340	e3025b92ca323fe6dc93a50edd16f8e0fa66a29f3a74b70266a6fbb0bef6cc81.exe	31
PID 1340 wrote to memory of 1908	1340	e3025b92ca323fe6dc93a50edd16f8e0fa66a29f3a74b70266a6fbb0bef6cc81.exe	31
PID 1340 wrote to memory of 1908	1340	e3025b92ca323fe6dc93a50edd16f8e0fa66a29f3a74b70266a6fbb0bef6cc81.exe	31

C:\Users\Admin\AppData\Local\Temp\e3025b92ca323fe6dc93a50edd16f8e0fa66a29f3a74b70266a6fbb0bef6cc81.exe
"C:\Users\Admin\AppData\Local\Temp\e3025b92ca323fe6dc93a50edd16f8e0fa66a29f3a74b70266a6fbb0bef6cc81.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Users\Admin\AppData\Local\Temp\e3025b92ca323fe6dc93a50edd16f8e0fa66a29f3a74b70266a6fbb0bef6cc81.exe
  "C:\Users\Admin\AppData\Local\Temp\e3025b92ca323fe6dc93a50edd16f8e0fa66a29f3a74b70266a6fbb0bef6cc81.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1304
- - C:\Users\Admin\AppData\Local\Temp\e3025b92ca323fe6dc93a50edd16f8e0fa66a29f3a74b70266a6fbb0bef6cc81.exe
    "C:\Users\Admin\AppData\Local\Temp\e3025b92ca323fe6dc93a50edd16f8e0fa66a29f3a74b70266a6fbb0bef6cc81.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1780
  - - C:\Users\Admin\AppData\Local\Temp\e3025b92ca323fe6dc93a50edd16f8e0fa66a29f3a74b70266a6fbb0bef6cc81.exe
      "C:\Users\Admin\AppData\Local\Temp\e3025b92ca323fe6dc93a50edd16f8e0fa66a29f3a74b70266a6fbb0bef6cc81.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:688
    - - C:\Users\Admin\AppData\Local\Temp\e3025b92ca323fe6dc93a50edd16f8e0fa66a29f3a74b70266a6fbb0bef6cc81.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e3025b92ca323fe6dc93a50edd16f8e0fa66a29f3a74b70266a6fbb0bef6cc81.exe"
        5⤵
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1340
      - C:\Users\Admin\AppData\Local\Temp\e3025b92ca323fe6dc93a50edd16f8e0fa66a29f3a74b70266a6fbb0bef6cc81.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e3025b92ca323fe6dc93a50edd16f8e0fa66a29f3a74b70266a6fbb0bef6cc81.exe"
        6⤵
        
        PID:1908

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/688-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/688-90-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/688-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/688-85-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/688-84-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/688-83-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/688-81-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1304-67-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1304-65-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1304-68-0x00000000003C0000-0x00000000003C8000-memory.dmp

Filesize
32KB

Download
memory/1304-57-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1304-58-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1304-60-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1304-61-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1304-62-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1340-91-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1340-101-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1340-99-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1340-96-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1340-95-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1340-94-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1340-92-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1684-54-0x0000000000A70000-0x0000000000AD6000-memory.dmp

Filesize
408KB

Download
memory/1684-56-0x00000000002A0000-0x00000000002AA000-memory.dmp

Filesize
40KB

Download
memory/1684-55-0x0000000000200000-0x0000000000206000-memory.dmp

Filesize
24KB

Download
memory/1780-74-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1780-79-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1780-77-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1780-72-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1780-70-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1780-69-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1780-73-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1908-102-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1908-103-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1908-105-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1908-106-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1908-107-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1908-110-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download