2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e

General

Target

2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe
Size

537KB
MD5

daaea507a91d60d4f3181affc9d2ffeb
SHA1

1bcba07eefde83737919533ce77c477e0b10dda0
SHA256

2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e
SHA512

2f98f0ab1548026ce3e3f3b413f80efe62cbf3a7a99668c44a35be5140de5b78131c347ca3af1bd4ac90d78e73e64ac5358e0daafc40ebb902597c092ee06e53

Score

1^/10

Malware Config

Signatures

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe

description	pid	process	target process
PID 1472 wrote to memory of 904	1472	2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe	MSBuild.exe
PID 1472 wrote to memory of 904	1472	2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe	MSBuild.exe
PID 1472 wrote to memory of 904	1472	2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe	MSBuild.exe
PID 1472 wrote to memory of 904	1472	2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe	MSBuild.exe
PID 1472 wrote to memory of 904	1472	2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe	MSBuild.exe
PID 1472 wrote to memory of 904	1472	2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe	MSBuild.exe
PID 1472 wrote to memory of 904	1472	2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe	MSBuild.exe
PID 1472 wrote to memory of 904	1472	2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe	MSBuild.exe
PID 1472 wrote to memory of 904	1472	2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe	MSBuild.exe
PID 1472 wrote to memory of 276	1472	2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe	2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe
PID 1472 wrote to memory of 276	1472	2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe	2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe
PID 1472 wrote to memory of 276	1472	2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe	2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe
PID 1472 wrote to memory of 276	1472	2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe	2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe
PID 276 wrote to memory of 1584	276	2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe	MSBuild.exe
PID 276 wrote to memory of 1584	276	2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe	MSBuild.exe
PID 276 wrote to memory of 1584	276	2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe	MSBuild.exe
PID 276 wrote to memory of 1584	276	2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe	MSBuild.exe
PID 276 wrote to memory of 1584	276	2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe	MSBuild.exe
PID 276 wrote to memory of 1584	276	2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe	MSBuild.exe
PID 276 wrote to memory of 1584	276	2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe	MSBuild.exe
PID 276 wrote to memory of 1584	276	2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe	MSBuild.exe
PID 276 wrote to memory of 1584	276	2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe	MSBuild.exe
PID 276 wrote to memory of 1676	276	2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe	2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe
PID 276 wrote to memory of 1676	276	2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe	2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe
PID 276 wrote to memory of 1676	276	2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe	2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe
PID 276 wrote to memory of 1676	276	2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe	2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe
PID 1676 wrote to memory of 1732	1676	2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe	MSBuild.exe
PID 1676 wrote to memory of 1732	1676	2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe	MSBuild.exe
PID 1676 wrote to memory of 1732	1676	2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe	MSBuild.exe
PID 1676 wrote to memory of 1732	1676	2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe	MSBuild.exe
PID 1676 wrote to memory of 1732	1676	2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe	MSBuild.exe
PID 1676 wrote to memory of 1732	1676	2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe	MSBuild.exe
PID 1676 wrote to memory of 1732	1676	2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe	MSBuild.exe
PID 1676 wrote to memory of 1732	1676	2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe	MSBuild.exe
PID 1676 wrote to memory of 1732	1676	2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe	MSBuild.exe
PID 1676 wrote to memory of 1680	1676	2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe	2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe
PID 1676 wrote to memory of 1680	1676	2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe	2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe
PID 1676 wrote to memory of 1680	1676	2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe	2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe
PID 1676 wrote to memory of 1680	1676	2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe	2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe
PID 1680 wrote to memory of 1208	1680	2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe	MSBuild.exe
PID 1680 wrote to memory of 1208	1680	2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe	MSBuild.exe
PID 1680 wrote to memory of 1208	1680	2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe	MSBuild.exe
PID 1680 wrote to memory of 1208	1680	2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe	MSBuild.exe
PID 1680 wrote to memory of 836	1680	2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe	2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe
PID 1680 wrote to memory of 836	1680	2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe	2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe
PID 1680 wrote to memory of 836	1680	2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe	2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe
PID 1680 wrote to memory of 836	1680	2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe	2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe
PID 836 wrote to memory of 524	836	2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe	MSBuild.exe
PID 836 wrote to memory of 524	836	2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe	MSBuild.exe
PID 836 wrote to memory of 524	836	2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe	MSBuild.exe
PID 836 wrote to memory of 524	836	2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe	MSBuild.exe
PID 836 wrote to memory of 524	836	2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe	MSBuild.exe
PID 836 wrote to memory of 524	836	2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe	MSBuild.exe
PID 836 wrote to memory of 524	836	2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe	MSBuild.exe
PID 836 wrote to memory of 524	836	2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe	MSBuild.exe
PID 836 wrote to memory of 524	836	2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe	MSBuild.exe
PID 836 wrote to memory of 320	836	2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe	2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe
PID 836 wrote to memory of 320	836	2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe	2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe
PID 836 wrote to memory of 320	836	2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe	2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe
PID 836 wrote to memory of 320	836	2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe	2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe
PID 320 wrote to memory of 1700	320	2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe	MSBuild.exe
PID 320 wrote to memory of 1700	320	2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe	MSBuild.exe
PID 320 wrote to memory of 1700	320	2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe	MSBuild.exe
PID 320 wrote to memory of 1700	320	2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe
"C:\Users\Admin\AppData\Local\Temp\2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1472

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe"
2⤵
PID:904

C:\Users\Admin\AppData\Local\Temp\2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe
"C:\Users\Admin\AppData\Local\Temp\2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:276

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe"
3⤵
PID:1584

C:\Users\Admin\AppData\Local\Temp\2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe
"C:\Users\Admin\AppData\Local\Temp\2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1676

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe"
4⤵
PID:1732

C:\Users\Admin\AppData\Local\Temp\2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe
"C:\Users\Admin\AppData\Local\Temp\2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe"
5⤵
PID:1208

C:\Users\Admin\AppData\Local\Temp\2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe
"C:\Users\Admin\AppData\Local\Temp\2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:836

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe"
6⤵
PID:524

C:\Users\Admin\AppData\Local\Temp\2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe
"C:\Users\Admin\AppData\Local\Temp\2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe"
6⤵
- Suspicious use of WriteProcessMemory
PID:320

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe"
7⤵
PID:1700

C:\Users\Admin\AppData\Local\Temp\2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe
"C:\Users\Admin\AppData\Local\Temp\2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe"
7⤵
PID:1632

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe"
8⤵
PID:1064

C:\Users\Admin\AppData\Local\Temp\2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe
"C:\Users\Admin\AppData\Local\Temp\2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe"
8⤵
PID:2000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe"
9⤵
PID:1924

C:\Users\Admin\AppData\Local\Temp\2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe
"C:\Users\Admin\AppData\Local\Temp\2f677e930c980bdc2d858e7e9d19041638a575e2edcf5ad6b88503251c4b739e.exe"
9⤵
PID:1112

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/276-55-0x0000000000000000-mapping.dmp

Download
memory/276-56-0x0000000000EC0000-0x0000000000EDC000-memory.dmp

Filesize
112KB

Download
memory/320-63-0x0000000000000000-mapping.dmp

Download
memory/320-64-0x0000000000EC0000-0x0000000000EDC000-memory.dmp

Filesize
112KB

Download
memory/836-61-0x0000000000000000-mapping.dmp

Download
memory/836-62-0x0000000000EC0000-0x0000000000EDC000-memory.dmp

Filesize
112KB

Download
memory/1112-70-0x0000000000EC0000-0x0000000000EDC000-memory.dmp

Filesize
112KB

Download
memory/1112-69-0x0000000000000000-mapping.dmp

Download
memory/1472-54-0x0000000000EC0000-0x0000000000EDC000-memory.dmp

Filesize
112KB

Download
memory/1632-66-0x0000000000EC0000-0x0000000000EDC000-memory.dmp

Filesize
112KB

Download
memory/1632-65-0x0000000000000000-mapping.dmp

Download
memory/1676-58-0x0000000000EC0000-0x0000000000EDC000-memory.dmp

Filesize
112KB

Download
memory/1676-57-0x0000000000000000-mapping.dmp

Download
memory/1680-60-0x0000000000EC0000-0x0000000000EDC000-memory.dmp

Filesize
112KB

Download
memory/1680-59-0x0000000000000000-mapping.dmp

Download
memory/2000-67-0x0000000000000000-mapping.dmp

Download
memory/2000-68-0x0000000000EC0000-0x0000000000EDC000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing