36489e691b7ecb8dac7db354a4541417f045bb164db520387a4794ce7dfcce31

General

Target

36489e691b7ecb8dac7db354a4541417f045bb164db520387a4794ce7dfcce31.exe
Size

790KB
MD5

c31ef7aefa08862def40cd90a0197e83
SHA1

954a3553f9a2e59edc2d818fe6676cfb9053fbf4
SHA256

36489e691b7ecb8dac7db354a4541417f045bb164db520387a4794ce7dfcce31
SHA512

657dd644c3cb15bbe0ca3dcefa8265e4dadf28b4ccda4421ed4c946535882732f79c6f18727af6911320ee110c6e56615e90fa355cfd2e1b94de7773031400d0

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

Processes:

36489e691b7ecb8dac7db354a4541417f045bb164db520387a4794ce7dfcce31.exe

description	pid	process	target process
PID 4192 set thread context of 4752	4192	36489e691b7ecb8dac7db354a4541417f045bb164db520387a4794ce7dfcce31.exe	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

652 powershell.exe
652 powershell.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

36489e691b7ecb8dac7db354a4541417f045bb164db520387a4794ce7dfcce31.exe

pid process

4192 36489e691b7ecb8dac7db354a4541417f045bb164db520387a4794ce7dfcce31.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 652 powershell.exe

pid	process
652	powershell.exe
652	powershell.exe

pid	process
4192	36489e691b7ecb8dac7db354a4541417f045bb164db520387a4794ce7dfcce31.exe

description	pid	process
Token: SeDebugPrivilege	652	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

36489e691b7ecb8dac7db354a4541417f045bb164db520387a4794ce7dfcce31.exeRegAsm.execmd.exe

description	pid	process	target process
PID 4192 wrote to memory of 4752	4192	36489e691b7ecb8dac7db354a4541417f045bb164db520387a4794ce7dfcce31.exe	RegAsm.exe
PID 4192 wrote to memory of 4752	4192	36489e691b7ecb8dac7db354a4541417f045bb164db520387a4794ce7dfcce31.exe	RegAsm.exe
PID 4192 wrote to memory of 4752	4192	36489e691b7ecb8dac7db354a4541417f045bb164db520387a4794ce7dfcce31.exe	RegAsm.exe
PID 4192 wrote to memory of 4752	4192	36489e691b7ecb8dac7db354a4541417f045bb164db520387a4794ce7dfcce31.exe	RegAsm.exe
PID 4752 wrote to memory of 1572	4752	RegAsm.exe	cmd.exe
PID 4752 wrote to memory of 1572	4752	RegAsm.exe	cmd.exe
PID 4752 wrote to memory of 1572	4752	RegAsm.exe	cmd.exe
PID 1572 wrote to memory of 652	1572	cmd.exe	powershell.exe
PID 1572 wrote to memory of 652	1572	cmd.exe	powershell.exe
PID 1572 wrote to memory of 652	1572	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\36489e691b7ecb8dac7db354a4541417f045bb164db520387a4794ce7dfcce31.exe
"C:\Users\Admin\AppData\Local\Temp\36489e691b7ecb8dac7db354a4541417f045bb164db520387a4794ce7dfcce31.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4192

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4752

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:1572

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:652

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/652-140-0x00000000051F0000-0x0000000005226000-memory.dmp

Filesize
216KB

Download
memory/652-148-0x0000000007820000-0x0000000007842000-memory.dmp

Filesize
136KB

Download
memory/652-147-0x00000000078C0000-0x0000000007956000-memory.dmp

Filesize
600KB

Download
memory/652-146-0x0000000006B90000-0x0000000006BAA000-memory.dmp

Filesize
104KB

Download
memory/652-145-0x0000000007C20000-0x000000000829A000-memory.dmp

Filesize
6.5MB

Download
memory/652-144-0x00000000058A0000-0x00000000058BE000-memory.dmp

Filesize
120KB

Download
memory/652-143-0x0000000006010000-0x0000000006076000-memory.dmp

Filesize
408KB

Download
memory/652-142-0x0000000005810000-0x0000000005832000-memory.dmp

Filesize
136KB

Download
memory/652-141-0x0000000005930000-0x0000000005F58000-memory.dmp

Filesize
6.2MB

Download
memory/652-139-0x0000000000000000-mapping.dmp

Download
memory/1572-138-0x0000000000000000-mapping.dmp

Download
memory/4192-130-0x0000000000F70000-0x000000000103E000-memory.dmp

Filesize
824KB

Download
memory/4192-132-0x0000000001700000-0x0000000001703000-memory.dmp

Filesize
12KB

Download
memory/4752-137-0x0000000005AC0000-0x0000000005B52000-memory.dmp

Filesize
584KB

Download
memory/4752-136-0x0000000005780000-0x000000000581C000-memory.dmp

Filesize
624KB

Download
memory/4752-135-0x0000000005C90000-0x0000000006234000-memory.dmp

Filesize
5.6MB

Download
memory/4752-134-0x00000000052C0000-0x0000000005326000-memory.dmp

Filesize
408KB

Download
memory/4752-133-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/4752-131-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing