687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf

General

Target

687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe
Size

668KB
MD5

f52ca29e6654da78370289212d5117f9
SHA1

2d0d029673966c5c98ff836f9c1a65d3826e91e6
SHA256

687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf
SHA512

bb59acd8547fc69a19b9bd29a490b72ee248c8a57d5005b332cec45644f43cb4625f20099b2ac92b7cd0571bc350ad2c1513066b87afd15ea0121522d26169e9

Score

1^/10

Malware Config

Signatures

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe

description	pid	process	target process
PID 1220 wrote to memory of 1864	1220	687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe	MSBuild.exe
PID 1220 wrote to memory of 1864	1220	687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe	MSBuild.exe
PID 1220 wrote to memory of 1864	1220	687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe	MSBuild.exe
PID 1220 wrote to memory of 1864	1220	687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe	MSBuild.exe
PID 1220 wrote to memory of 1864	1220	687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe	MSBuild.exe
PID 1220 wrote to memory of 1864	1220	687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe	MSBuild.exe
PID 1220 wrote to memory of 1864	1220	687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe	MSBuild.exe
PID 1220 wrote to memory of 1864	1220	687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe	MSBuild.exe
PID 1220 wrote to memory of 1864	1220	687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe	MSBuild.exe
PID 1220 wrote to memory of 944	1220	687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe	687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe
PID 1220 wrote to memory of 944	1220	687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe	687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe
PID 1220 wrote to memory of 944	1220	687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe	687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe
PID 1220 wrote to memory of 944	1220	687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe	687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe
PID 944 wrote to memory of 1652	944	687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe	MSBuild.exe
PID 944 wrote to memory of 1652	944	687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe	MSBuild.exe
PID 944 wrote to memory of 1652	944	687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe	MSBuild.exe
PID 944 wrote to memory of 1652	944	687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe	MSBuild.exe
PID 944 wrote to memory of 1652	944	687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe	MSBuild.exe
PID 944 wrote to memory of 1652	944	687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe	MSBuild.exe
PID 944 wrote to memory of 1652	944	687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe	MSBuild.exe
PID 944 wrote to memory of 1652	944	687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe	MSBuild.exe
PID 944 wrote to memory of 1652	944	687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe	MSBuild.exe
PID 944 wrote to memory of 1628	944	687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe	687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe
PID 944 wrote to memory of 1628	944	687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe	687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe
PID 944 wrote to memory of 1628	944	687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe	687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe
PID 944 wrote to memory of 1628	944	687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe	687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe
PID 1628 wrote to memory of 316	1628	687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe	MSBuild.exe
PID 1628 wrote to memory of 316	1628	687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe	MSBuild.exe
PID 1628 wrote to memory of 316	1628	687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe	MSBuild.exe
PID 1628 wrote to memory of 316	1628	687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe	MSBuild.exe
PID 1628 wrote to memory of 316	1628	687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe	MSBuild.exe
PID 1628 wrote to memory of 316	1628	687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe	MSBuild.exe
PID 1628 wrote to memory of 316	1628	687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe	MSBuild.exe
PID 1628 wrote to memory of 316	1628	687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe	MSBuild.exe
PID 1628 wrote to memory of 316	1628	687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe	MSBuild.exe
PID 1628 wrote to memory of 1568	1628	687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe	687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe
PID 1628 wrote to memory of 1568	1628	687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe	687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe
PID 1628 wrote to memory of 1568	1628	687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe	687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe
PID 1628 wrote to memory of 1568	1628	687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe	687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe
PID 1568 wrote to memory of 2024	1568	687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe	MSBuild.exe
PID 1568 wrote to memory of 2024	1568	687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe	MSBuild.exe
PID 1568 wrote to memory of 2024	1568	687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe	MSBuild.exe
PID 1568 wrote to memory of 2024	1568	687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe	MSBuild.exe
PID 1568 wrote to memory of 2024	1568	687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe	MSBuild.exe
PID 1568 wrote to memory of 2024	1568	687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe	MSBuild.exe
PID 1568 wrote to memory of 2024	1568	687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe	MSBuild.exe
PID 1568 wrote to memory of 2024	1568	687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe	MSBuild.exe
PID 1568 wrote to memory of 2024	1568	687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe	MSBuild.exe
PID 1568 wrote to memory of 688	1568	687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe	687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe
PID 1568 wrote to memory of 688	1568	687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe	687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe
PID 1568 wrote to memory of 688	1568	687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe	687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe
PID 1568 wrote to memory of 688	1568	687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe	687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe
PID 688 wrote to memory of 768	688	687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe	MSBuild.exe
PID 688 wrote to memory of 768	688	687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe	MSBuild.exe
PID 688 wrote to memory of 768	688	687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe	MSBuild.exe
PID 688 wrote to memory of 768	688	687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe	MSBuild.exe
PID 688 wrote to memory of 768	688	687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe	MSBuild.exe
PID 688 wrote to memory of 768	688	687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe	MSBuild.exe
PID 688 wrote to memory of 768	688	687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe	MSBuild.exe
PID 688 wrote to memory of 768	688	687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe	MSBuild.exe
PID 688 wrote to memory of 768	688	687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe	MSBuild.exe
PID 688 wrote to memory of 1100	688	687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe	687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe
PID 688 wrote to memory of 1100	688	687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe	687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe
PID 688 wrote to memory of 1100	688	687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe	687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe

C:\Users\Admin\AppData\Local\Temp\687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe
"C:\Users\Admin\AppData\Local\Temp\687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1220

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe"
2⤵
PID:1864

C:\Users\Admin\AppData\Local\Temp\687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe
"C:\Users\Admin\AppData\Local\Temp\687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:944

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe"
3⤵
PID:1652

C:\Users\Admin\AppData\Local\Temp\687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe
"C:\Users\Admin\AppData\Local\Temp\687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1628

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe"
4⤵
PID:316

C:\Users\Admin\AppData\Local\Temp\687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe
"C:\Users\Admin\AppData\Local\Temp\687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:1568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe"
5⤵
PID:2024

C:\Users\Admin\AppData\Local\Temp\687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe
"C:\Users\Admin\AppData\Local\Temp\687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe"
6⤵
PID:768

C:\Users\Admin\AppData\Local\Temp\687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe
"C:\Users\Admin\AppData\Local\Temp\687f82ebf8ec4f6228e56174d85062d2e3c3c12250aa7479b67810d5240148bf.exe"
6⤵
PID:1100

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/688-65-0x0000000000000000-mapping.dmp

Download
memory/688-67-0x00000000010E0000-0x000000000111F000-memory.dmp

Filesize
252KB

Download
memory/944-56-0x0000000000000000-mapping.dmp

Download
memory/944-58-0x00000000010E0000-0x000000000111F000-memory.dmp

Filesize
252KB

Download
memory/1100-68-0x0000000000000000-mapping.dmp

Download
memory/1100-70-0x00000000010E0000-0x000000000111F000-memory.dmp

Filesize
252KB

Download
memory/1220-54-0x0000000076011000-0x0000000076013000-memory.dmp

Filesize
8KB

Download
memory/1220-55-0x00000000010E0000-0x000000000111F000-memory.dmp

Filesize
252KB

Download
memory/1568-62-0x0000000000000000-mapping.dmp

Download
memory/1568-64-0x00000000010E0000-0x000000000111F000-memory.dmp

Filesize
252KB

Download
memory/1628-59-0x0000000000000000-mapping.dmp

Download
memory/1628-61-0x00000000010E0000-0x000000000111F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing