5135acb4869394c48a11cd709be73b99085c066bb7a664902e96811b7b41a837

General

Target

8980000809000.exe
Size

619KB
MD5

e04d66f39776231b5b159a053a2b114a
SHA1

c9294ca3bb3401882d1af4d740726deda066e091
SHA256

fbcf45a88ba1f036c2e124ec1939b8e94ffcee01e56e736553938ff4ba5a0dee
SHA512

f965db86ca20748afaafd197ea9c14ed9ad13bad76c33b9300cb81b1db95307421ddb17048550ef118457e9dfd96d2acb93c426447c36c361bed321fbef11c28

Score

1^/10

Malware Config

Signatures

Suspicious behavior: MapViewOfSection 12 IoCs

Processes:

8980000809000.exe8980000809000.exe8980000809000.exe8980000809000.exe8980000809000.exe8980000809000.exe8980000809000.exe8980000809000.exe8980000809000.exe

pid	process
1808	8980000809000.exe
1808	8980000809000.exe
1424	8980000809000.exe
1264	8980000809000.exe
2032	8980000809000.exe
1268	8980000809000.exe
1716	8980000809000.exe
1548	8980000809000.exe
1548	8980000809000.exe
1692	8980000809000.exe
364	8980000809000.exe
364	8980000809000.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

8980000809000.exe8980000809000.exe8980000809000.exe8980000809000.exe8980000809000.exe8980000809000.exe8980000809000.exe8980000809000.exe

description	pid	process	target process
PID 1808 wrote to memory of 1948	1808	8980000809000.exe	MSBuild.exe
PID 1808 wrote to memory of 1948	1808	8980000809000.exe	MSBuild.exe
PID 1808 wrote to memory of 1948	1808	8980000809000.exe	MSBuild.exe
PID 1808 wrote to memory of 1948	1808	8980000809000.exe	MSBuild.exe
PID 1808 wrote to memory of 1948	1808	8980000809000.exe	MSBuild.exe
PID 1808 wrote to memory of 1424	1808	8980000809000.exe	8980000809000.exe
PID 1808 wrote to memory of 1424	1808	8980000809000.exe	8980000809000.exe
PID 1808 wrote to memory of 1424	1808	8980000809000.exe	8980000809000.exe
PID 1808 wrote to memory of 1424	1808	8980000809000.exe	8980000809000.exe
PID 1424 wrote to memory of 832	1424	8980000809000.exe	MSBuild.exe
PID 1424 wrote to memory of 832	1424	8980000809000.exe	MSBuild.exe
PID 1424 wrote to memory of 832	1424	8980000809000.exe	MSBuild.exe
PID 1424 wrote to memory of 832	1424	8980000809000.exe	MSBuild.exe
PID 1424 wrote to memory of 832	1424	8980000809000.exe	MSBuild.exe
PID 1424 wrote to memory of 1264	1424	8980000809000.exe	8980000809000.exe
PID 1424 wrote to memory of 1264	1424	8980000809000.exe	8980000809000.exe
PID 1424 wrote to memory of 1264	1424	8980000809000.exe	8980000809000.exe
PID 1424 wrote to memory of 1264	1424	8980000809000.exe	8980000809000.exe
PID 1264 wrote to memory of 1932	1264	8980000809000.exe	MSBuild.exe
PID 1264 wrote to memory of 1932	1264	8980000809000.exe	MSBuild.exe
PID 1264 wrote to memory of 1932	1264	8980000809000.exe	MSBuild.exe
PID 1264 wrote to memory of 1932	1264	8980000809000.exe	MSBuild.exe
PID 1264 wrote to memory of 1932	1264	8980000809000.exe	MSBuild.exe
PID 1264 wrote to memory of 2032	1264	8980000809000.exe	8980000809000.exe
PID 1264 wrote to memory of 2032	1264	8980000809000.exe	8980000809000.exe
PID 1264 wrote to memory of 2032	1264	8980000809000.exe	8980000809000.exe
PID 1264 wrote to memory of 2032	1264	8980000809000.exe	8980000809000.exe
PID 2032 wrote to memory of 1136	2032	8980000809000.exe	MSBuild.exe
PID 2032 wrote to memory of 1136	2032	8980000809000.exe	MSBuild.exe
PID 2032 wrote to memory of 1136	2032	8980000809000.exe	MSBuild.exe
PID 2032 wrote to memory of 1136	2032	8980000809000.exe	MSBuild.exe
PID 2032 wrote to memory of 1136	2032	8980000809000.exe	MSBuild.exe
PID 2032 wrote to memory of 1268	2032	8980000809000.exe	8980000809000.exe
PID 2032 wrote to memory of 1268	2032	8980000809000.exe	8980000809000.exe
PID 2032 wrote to memory of 1268	2032	8980000809000.exe	8980000809000.exe
PID 2032 wrote to memory of 1268	2032	8980000809000.exe	8980000809000.exe
PID 1268 wrote to memory of 808	1268	8980000809000.exe	MSBuild.exe
PID 1268 wrote to memory of 808	1268	8980000809000.exe	MSBuild.exe
PID 1268 wrote to memory of 808	1268	8980000809000.exe	MSBuild.exe
PID 1268 wrote to memory of 808	1268	8980000809000.exe	MSBuild.exe
PID 1268 wrote to memory of 808	1268	8980000809000.exe	MSBuild.exe
PID 1268 wrote to memory of 1716	1268	8980000809000.exe	8980000809000.exe
PID 1268 wrote to memory of 1716	1268	8980000809000.exe	8980000809000.exe
PID 1268 wrote to memory of 1716	1268	8980000809000.exe	8980000809000.exe
PID 1268 wrote to memory of 1716	1268	8980000809000.exe	8980000809000.exe
PID 1716 wrote to memory of 520	1716	8980000809000.exe	MSBuild.exe
PID 1716 wrote to memory of 520	1716	8980000809000.exe	MSBuild.exe
PID 1716 wrote to memory of 520	1716	8980000809000.exe	MSBuild.exe
PID 1716 wrote to memory of 520	1716	8980000809000.exe	MSBuild.exe
PID 1716 wrote to memory of 520	1716	8980000809000.exe	MSBuild.exe
PID 1716 wrote to memory of 1548	1716	8980000809000.exe	8980000809000.exe
PID 1716 wrote to memory of 1548	1716	8980000809000.exe	8980000809000.exe
PID 1716 wrote to memory of 1548	1716	8980000809000.exe	8980000809000.exe
PID 1716 wrote to memory of 1548	1716	8980000809000.exe	8980000809000.exe
PID 1548 wrote to memory of 1916	1548	8980000809000.exe	MSBuild.exe
PID 1548 wrote to memory of 1916	1548	8980000809000.exe	MSBuild.exe
PID 1548 wrote to memory of 1916	1548	8980000809000.exe	MSBuild.exe
PID 1548 wrote to memory of 1916	1548	8980000809000.exe	MSBuild.exe
PID 1548 wrote to memory of 1916	1548	8980000809000.exe	MSBuild.exe
PID 1548 wrote to memory of 1692	1548	8980000809000.exe	8980000809000.exe
PID 1548 wrote to memory of 1692	1548	8980000809000.exe	8980000809000.exe
PID 1548 wrote to memory of 1692	1548	8980000809000.exe	8980000809000.exe
PID 1548 wrote to memory of 1692	1548	8980000809000.exe	8980000809000.exe
PID 1692 wrote to memory of 280	1692	8980000809000.exe	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\8980000809000.exe
"C:\Users\Admin\AppData\Local\Temp\8980000809000.exe"
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1808

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
2⤵
PID:1948

C:\Users\Admin\AppData\Local\Temp\8980000809000.exe
"C:\Users\Admin\AppData\Local\Temp\8980000809000.exe"
2⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1424

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
3⤵
PID:832

C:\Users\Admin\AppData\Local\Temp\8980000809000.exe
"C:\Users\Admin\AppData\Local\Temp\8980000809000.exe"
3⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1264

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
4⤵
PID:1932

C:\Users\Admin\AppData\Local\Temp\8980000809000.exe
"C:\Users\Admin\AppData\Local\Temp\8980000809000.exe"
4⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
5⤵
PID:1136

C:\Users\Admin\AppData\Local\Temp\8980000809000.exe
"C:\Users\Admin\AppData\Local\Temp\8980000809000.exe"
5⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1268

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
6⤵
PID:808

C:\Users\Admin\AppData\Local\Temp\8980000809000.exe
"C:\Users\Admin\AppData\Local\Temp\8980000809000.exe"
6⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1716

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
7⤵
PID:520

C:\Users\Admin\AppData\Local\Temp\8980000809000.exe
"C:\Users\Admin\AppData\Local\Temp\8980000809000.exe"
7⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1548

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
8⤵
PID:1916

C:\Users\Admin\AppData\Local\Temp\8980000809000.exe
"C:\Users\Admin\AppData\Local\Temp\8980000809000.exe"
8⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1692

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
9⤵
PID:280

C:\Users\Admin\AppData\Local\Temp\8980000809000.exe
"C:\Users\Admin\AppData\Local\Temp\8980000809000.exe"
9⤵
- Suspicious behavior: MapViewOfSection
PID:364

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
10⤵
PID:628

C:\Users\Admin\AppData\Local\Temp\8980000809000.exe
"C:\Users\Admin\AppData\Local\Temp\8980000809000.exe"
10⤵
PID:1856

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/364-70-0x0000000000C60000-0x0000000000C92000-memory.dmp

Filesize
200KB

Download
memory/364-69-0x0000000000000000-mapping.dmp

Download
memory/1264-58-0x0000000000C60000-0x0000000000C92000-memory.dmp

Filesize
200KB

Download
memory/1264-57-0x0000000000000000-mapping.dmp

Download
memory/1268-62-0x0000000000C60000-0x0000000000C92000-memory.dmp

Filesize
200KB

Download
memory/1268-61-0x0000000000000000-mapping.dmp

Download
memory/1424-55-0x0000000000000000-mapping.dmp

Download
memory/1424-56-0x0000000000C60000-0x0000000000C92000-memory.dmp

Filesize
200KB

Download
memory/1548-65-0x0000000000000000-mapping.dmp

Download
memory/1548-66-0x0000000000C60000-0x0000000000C92000-memory.dmp

Filesize
200KB

Download
memory/1692-68-0x0000000000C60000-0x0000000000C92000-memory.dmp

Filesize
200KB

Download
memory/1692-67-0x0000000000000000-mapping.dmp

Download
memory/1716-64-0x0000000000C60000-0x0000000000C92000-memory.dmp

Filesize
200KB

Download
memory/1716-63-0x0000000000000000-mapping.dmp

Download
memory/1808-54-0x0000000000C60000-0x0000000000C92000-memory.dmp

Filesize
200KB

Download
memory/1856-71-0x0000000000000000-mapping.dmp

Download
memory/1856-72-0x0000000000C60000-0x0000000000C92000-memory.dmp

Filesize
200KB

Download
memory/2032-59-0x0000000000000000-mapping.dmp

Download
memory/2032-60-0x0000000000C60000-0x0000000000C92000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing