a9f6f4a036a29fa164f0f74cef5fb57171ad599e04ec25b02a78c59cdcdecdd3

General

Target

4797508E2-20F2-42C-879A-1C35.exe
Size

628KB
MD5

6a44a7c90b737edd4143bd8332a61f11
SHA1

f9b37b7558a73bee19865141964687c53d3808db
SHA256

bc3d62c45c60396f1896ca688f72acc91af5412bedd3d1c7ec3f6b1e3891f198
SHA512

319ef283cce7d0a0c30d5c8a72c701bdcbe1a311a51b0b411710a2e56e191283e430a6082c907cccffcd95cc5a26761c8d4eeae6ac6d424c38d80a1e41d6cb6d

Score

1^/10

Malware Config

Signatures

Suspicious behavior: MapViewOfSection 17 IoCs

Processes:

4797508E2-20F2-42C-879A-1C35.exe4797508E2-20F2-42C-879A-1C35.exe4797508E2-20F2-42C-879A-1C35.exe4797508E2-20F2-42C-879A-1C35.exe4797508E2-20F2-42C-879A-1C35.exe4797508E2-20F2-42C-879A-1C35.exe4797508E2-20F2-42C-879A-1C35.exe4797508E2-20F2-42C-879A-1C35.exe4797508E2-20F2-42C-879A-1C35.exe4797508E2-20F2-42C-879A-1C35.exe4797508E2-20F2-42C-879A-1C35.exe4797508E2-20F2-42C-879A-1C35.exe

pid	process
888	4797508E2-20F2-42C-879A-1C35.exe
948	4797508E2-20F2-42C-879A-1C35.exe
948	4797508E2-20F2-42C-879A-1C35.exe
1312	4797508E2-20F2-42C-879A-1C35.exe
1172	4797508E2-20F2-42C-879A-1C35.exe
1172	4797508E2-20F2-42C-879A-1C35.exe
1216	4797508E2-20F2-42C-879A-1C35.exe
1960	4797508E2-20F2-42C-879A-1C35.exe
2008	4797508E2-20F2-42C-879A-1C35.exe
2008	4797508E2-20F2-42C-879A-1C35.exe
320	4797508E2-20F2-42C-879A-1C35.exe
1236	4797508E2-20F2-42C-879A-1C35.exe
820	4797508E2-20F2-42C-879A-1C35.exe
820	4797508E2-20F2-42C-879A-1C35.exe
1692	4797508E2-20F2-42C-879A-1C35.exe
1692	4797508E2-20F2-42C-879A-1C35.exe
632	4797508E2-20F2-42C-879A-1C35.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4797508E2-20F2-42C-879A-1C35.exe4797508E2-20F2-42C-879A-1C35.exe4797508E2-20F2-42C-879A-1C35.exe4797508E2-20F2-42C-879A-1C35.exe4797508E2-20F2-42C-879A-1C35.exe4797508E2-20F2-42C-879A-1C35.exe4797508E2-20F2-42C-879A-1C35.exe4797508E2-20F2-42C-879A-1C35.exe

description	pid	process	target process
PID 888 wrote to memory of 1492	888	4797508E2-20F2-42C-879A-1C35.exe	MSBuild.exe
PID 888 wrote to memory of 1492	888	4797508E2-20F2-42C-879A-1C35.exe	MSBuild.exe
PID 888 wrote to memory of 1492	888	4797508E2-20F2-42C-879A-1C35.exe	MSBuild.exe
PID 888 wrote to memory of 1492	888	4797508E2-20F2-42C-879A-1C35.exe	MSBuild.exe
PID 888 wrote to memory of 1492	888	4797508E2-20F2-42C-879A-1C35.exe	MSBuild.exe
PID 888 wrote to memory of 948	888	4797508E2-20F2-42C-879A-1C35.exe	4797508E2-20F2-42C-879A-1C35.exe
PID 888 wrote to memory of 948	888	4797508E2-20F2-42C-879A-1C35.exe	4797508E2-20F2-42C-879A-1C35.exe
PID 888 wrote to memory of 948	888	4797508E2-20F2-42C-879A-1C35.exe	4797508E2-20F2-42C-879A-1C35.exe
PID 888 wrote to memory of 948	888	4797508E2-20F2-42C-879A-1C35.exe	4797508E2-20F2-42C-879A-1C35.exe
PID 948 wrote to memory of 1404	948	4797508E2-20F2-42C-879A-1C35.exe	MSBuild.exe
PID 948 wrote to memory of 1404	948	4797508E2-20F2-42C-879A-1C35.exe	MSBuild.exe
PID 948 wrote to memory of 1404	948	4797508E2-20F2-42C-879A-1C35.exe	MSBuild.exe
PID 948 wrote to memory of 1404	948	4797508E2-20F2-42C-879A-1C35.exe	MSBuild.exe
PID 948 wrote to memory of 1404	948	4797508E2-20F2-42C-879A-1C35.exe	MSBuild.exe
PID 948 wrote to memory of 1312	948	4797508E2-20F2-42C-879A-1C35.exe	4797508E2-20F2-42C-879A-1C35.exe
PID 948 wrote to memory of 1312	948	4797508E2-20F2-42C-879A-1C35.exe	4797508E2-20F2-42C-879A-1C35.exe
PID 948 wrote to memory of 1312	948	4797508E2-20F2-42C-879A-1C35.exe	4797508E2-20F2-42C-879A-1C35.exe
PID 948 wrote to memory of 1312	948	4797508E2-20F2-42C-879A-1C35.exe	4797508E2-20F2-42C-879A-1C35.exe
PID 1312 wrote to memory of 1332	1312	4797508E2-20F2-42C-879A-1C35.exe	MSBuild.exe
PID 1312 wrote to memory of 1332	1312	4797508E2-20F2-42C-879A-1C35.exe	MSBuild.exe
PID 1312 wrote to memory of 1332	1312	4797508E2-20F2-42C-879A-1C35.exe	MSBuild.exe
PID 1312 wrote to memory of 1332	1312	4797508E2-20F2-42C-879A-1C35.exe	MSBuild.exe
PID 1312 wrote to memory of 1332	1312	4797508E2-20F2-42C-879A-1C35.exe	MSBuild.exe
PID 1312 wrote to memory of 1172	1312	4797508E2-20F2-42C-879A-1C35.exe	4797508E2-20F2-42C-879A-1C35.exe
PID 1312 wrote to memory of 1172	1312	4797508E2-20F2-42C-879A-1C35.exe	4797508E2-20F2-42C-879A-1C35.exe
PID 1312 wrote to memory of 1172	1312	4797508E2-20F2-42C-879A-1C35.exe	4797508E2-20F2-42C-879A-1C35.exe
PID 1312 wrote to memory of 1172	1312	4797508E2-20F2-42C-879A-1C35.exe	4797508E2-20F2-42C-879A-1C35.exe
PID 1172 wrote to memory of 1224	1172	4797508E2-20F2-42C-879A-1C35.exe	MSBuild.exe
PID 1172 wrote to memory of 1224	1172	4797508E2-20F2-42C-879A-1C35.exe	MSBuild.exe
PID 1172 wrote to memory of 1224	1172	4797508E2-20F2-42C-879A-1C35.exe	MSBuild.exe
PID 1172 wrote to memory of 1224	1172	4797508E2-20F2-42C-879A-1C35.exe	MSBuild.exe
PID 1172 wrote to memory of 1224	1172	4797508E2-20F2-42C-879A-1C35.exe	MSBuild.exe
PID 1172 wrote to memory of 1216	1172	4797508E2-20F2-42C-879A-1C35.exe	4797508E2-20F2-42C-879A-1C35.exe
PID 1172 wrote to memory of 1216	1172	4797508E2-20F2-42C-879A-1C35.exe	4797508E2-20F2-42C-879A-1C35.exe
PID 1172 wrote to memory of 1216	1172	4797508E2-20F2-42C-879A-1C35.exe	4797508E2-20F2-42C-879A-1C35.exe
PID 1172 wrote to memory of 1216	1172	4797508E2-20F2-42C-879A-1C35.exe	4797508E2-20F2-42C-879A-1C35.exe
PID 1216 wrote to memory of 832	1216	4797508E2-20F2-42C-879A-1C35.exe	MSBuild.exe
PID 1216 wrote to memory of 832	1216	4797508E2-20F2-42C-879A-1C35.exe	MSBuild.exe
PID 1216 wrote to memory of 832	1216	4797508E2-20F2-42C-879A-1C35.exe	MSBuild.exe
PID 1216 wrote to memory of 832	1216	4797508E2-20F2-42C-879A-1C35.exe	MSBuild.exe
PID 1216 wrote to memory of 832	1216	4797508E2-20F2-42C-879A-1C35.exe	MSBuild.exe
PID 1216 wrote to memory of 1960	1216	4797508E2-20F2-42C-879A-1C35.exe	4797508E2-20F2-42C-879A-1C35.exe
PID 1216 wrote to memory of 1960	1216	4797508E2-20F2-42C-879A-1C35.exe	4797508E2-20F2-42C-879A-1C35.exe
PID 1216 wrote to memory of 1960	1216	4797508E2-20F2-42C-879A-1C35.exe	4797508E2-20F2-42C-879A-1C35.exe
PID 1216 wrote to memory of 1960	1216	4797508E2-20F2-42C-879A-1C35.exe	4797508E2-20F2-42C-879A-1C35.exe
PID 1960 wrote to memory of 1948	1960	4797508E2-20F2-42C-879A-1C35.exe	MSBuild.exe
PID 1960 wrote to memory of 1948	1960	4797508E2-20F2-42C-879A-1C35.exe	MSBuild.exe
PID 1960 wrote to memory of 1948	1960	4797508E2-20F2-42C-879A-1C35.exe	MSBuild.exe
PID 1960 wrote to memory of 1948	1960	4797508E2-20F2-42C-879A-1C35.exe	MSBuild.exe
PID 1960 wrote to memory of 1948	1960	4797508E2-20F2-42C-879A-1C35.exe	MSBuild.exe
PID 1960 wrote to memory of 2008	1960	4797508E2-20F2-42C-879A-1C35.exe	4797508E2-20F2-42C-879A-1C35.exe
PID 1960 wrote to memory of 2008	1960	4797508E2-20F2-42C-879A-1C35.exe	4797508E2-20F2-42C-879A-1C35.exe
PID 1960 wrote to memory of 2008	1960	4797508E2-20F2-42C-879A-1C35.exe	4797508E2-20F2-42C-879A-1C35.exe
PID 1960 wrote to memory of 2008	1960	4797508E2-20F2-42C-879A-1C35.exe	4797508E2-20F2-42C-879A-1C35.exe
PID 2008 wrote to memory of 376	2008	4797508E2-20F2-42C-879A-1C35.exe	MSBuild.exe
PID 2008 wrote to memory of 376	2008	4797508E2-20F2-42C-879A-1C35.exe	MSBuild.exe
PID 2008 wrote to memory of 376	2008	4797508E2-20F2-42C-879A-1C35.exe	MSBuild.exe
PID 2008 wrote to memory of 376	2008	4797508E2-20F2-42C-879A-1C35.exe	MSBuild.exe
PID 2008 wrote to memory of 376	2008	4797508E2-20F2-42C-879A-1C35.exe	MSBuild.exe
PID 2008 wrote to memory of 320	2008	4797508E2-20F2-42C-879A-1C35.exe	4797508E2-20F2-42C-879A-1C35.exe
PID 2008 wrote to memory of 320	2008	4797508E2-20F2-42C-879A-1C35.exe	4797508E2-20F2-42C-879A-1C35.exe
PID 2008 wrote to memory of 320	2008	4797508E2-20F2-42C-879A-1C35.exe	4797508E2-20F2-42C-879A-1C35.exe
PID 2008 wrote to memory of 320	2008	4797508E2-20F2-42C-879A-1C35.exe	4797508E2-20F2-42C-879A-1C35.exe
PID 320 wrote to memory of 668	320	4797508E2-20F2-42C-879A-1C35.exe	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\4797508E2-20F2-42C-879A-1C35.exe
"C:\Users\Admin\AppData\Local\Temp\4797508E2-20F2-42C-879A-1C35.exe"
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:888

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
2⤵
PID:1492

C:\Users\Admin\AppData\Local\Temp\4797508E2-20F2-42C-879A-1C35.exe
"C:\Users\Admin\AppData\Local\Temp\4797508E2-20F2-42C-879A-1C35.exe"
2⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
3⤵
PID:1404

C:\Users\Admin\AppData\Local\Temp\4797508E2-20F2-42C-879A-1C35.exe
"C:\Users\Admin\AppData\Local\Temp\4797508E2-20F2-42C-879A-1C35.exe"
3⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1312

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
4⤵
PID:1332

C:\Users\Admin\AppData\Local\Temp\4797508E2-20F2-42C-879A-1C35.exe
"C:\Users\Admin\AppData\Local\Temp\4797508E2-20F2-42C-879A-1C35.exe"
4⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1172

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
5⤵
PID:1224

C:\Users\Admin\AppData\Local\Temp\4797508E2-20F2-42C-879A-1C35.exe
"C:\Users\Admin\AppData\Local\Temp\4797508E2-20F2-42C-879A-1C35.exe"
5⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1216

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
6⤵
PID:832

C:\Users\Admin\AppData\Local\Temp\4797508E2-20F2-42C-879A-1C35.exe
"C:\Users\Admin\AppData\Local\Temp\4797508E2-20F2-42C-879A-1C35.exe"
6⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1960

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
7⤵
PID:1948

C:\Users\Admin\AppData\Local\Temp\4797508E2-20F2-42C-879A-1C35.exe
"C:\Users\Admin\AppData\Local\Temp\4797508E2-20F2-42C-879A-1C35.exe"
7⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2008

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
8⤵
PID:376

C:\Users\Admin\AppData\Local\Temp\4797508E2-20F2-42C-879A-1C35.exe
"C:\Users\Admin\AppData\Local\Temp\4797508E2-20F2-42C-879A-1C35.exe"
8⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:320

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
9⤵
PID:668

C:\Users\Admin\AppData\Local\Temp\4797508E2-20F2-42C-879A-1C35.exe
"C:\Users\Admin\AppData\Local\Temp\4797508E2-20F2-42C-879A-1C35.exe"
9⤵
- Suspicious behavior: MapViewOfSection
PID:1236

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
10⤵
PID:1148

C:\Users\Admin\AppData\Local\Temp\4797508E2-20F2-42C-879A-1C35.exe
"C:\Users\Admin\AppData\Local\Temp\4797508E2-20F2-42C-879A-1C35.exe"
10⤵
- Suspicious behavior: MapViewOfSection
PID:820

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
11⤵
PID:1620

C:\Users\Admin\AppData\Local\Temp\4797508E2-20F2-42C-879A-1C35.exe
"C:\Users\Admin\AppData\Local\Temp\4797508E2-20F2-42C-879A-1C35.exe"
11⤵
- Suspicious behavior: MapViewOfSection
PID:1692

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
12⤵
PID:1728

C:\Users\Admin\AppData\Local\Temp\4797508E2-20F2-42C-879A-1C35.exe
"C:\Users\Admin\AppData\Local\Temp\4797508E2-20F2-42C-879A-1C35.exe"
12⤵
- Suspicious behavior: MapViewOfSection
PID:632

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
13⤵
PID:672

C:\Users\Admin\AppData\Local\Temp\4797508E2-20F2-42C-879A-1C35.exe
"C:\Users\Admin\AppData\Local\Temp\4797508E2-20F2-42C-879A-1C35.exe"
13⤵
PID:1048

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/320-67-0x0000000000000000-mapping.dmp

Download
memory/320-68-0x00000000011B0000-0x00000000011E5000-memory.dmp

Filesize
212KB

Download
memory/632-76-0x00000000011B0000-0x00000000011E5000-memory.dmp

Filesize
212KB

Download
memory/632-75-0x0000000000000000-mapping.dmp

Download
memory/820-72-0x00000000011B0000-0x00000000011E5000-memory.dmp

Filesize
212KB

Download
memory/820-71-0x0000000000000000-mapping.dmp

Download
memory/888-54-0x00000000011B0000-0x00000000011E5000-memory.dmp

Filesize
212KB

Download
memory/948-55-0x0000000000000000-mapping.dmp

Download
memory/948-56-0x00000000011B0000-0x00000000011E5000-memory.dmp

Filesize
212KB

Download
memory/1048-78-0x00000000011B0000-0x00000000011E5000-memory.dmp

Filesize
212KB

Download
memory/1048-77-0x0000000000000000-mapping.dmp

Download
memory/1172-60-0x00000000011B0000-0x00000000011E5000-memory.dmp

Filesize
212KB

Download
memory/1172-59-0x0000000000000000-mapping.dmp

Download
memory/1216-61-0x0000000000000000-mapping.dmp

Download
memory/1216-62-0x00000000011B0000-0x00000000011E5000-memory.dmp

Filesize
212KB

Download
memory/1236-69-0x0000000000000000-mapping.dmp

Download
memory/1236-70-0x00000000011B0000-0x00000000011E5000-memory.dmp

Filesize
212KB

Download
memory/1312-58-0x00000000011B0000-0x00000000011E5000-memory.dmp

Filesize
212KB

Download
memory/1312-57-0x0000000000000000-mapping.dmp

Download
memory/1692-73-0x0000000000000000-mapping.dmp

Download
memory/1692-74-0x00000000011B0000-0x00000000011E5000-memory.dmp

Filesize
212KB

Download
memory/1960-64-0x00000000011B0000-0x00000000011E5000-memory.dmp

Filesize
212KB

Download
memory/1960-63-0x0000000000000000-mapping.dmp

Download
memory/2008-66-0x00000000011B0000-0x00000000011E5000-memory.dmp

Filesize
212KB

Download
memory/2008-65-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing