6c7311e2b17f44d10a2e029e4dce1db59d0b19131c744bb94083baa27badb137

General

Target

R3209011873.exe
Size

555KB
MD5

4c43289546bd0ae785093cf0ef3fba6c
SHA1

8987ba13f0aa35479b67bede2c77cb241f541f77
SHA256

ef7d84f2c3326943fbc546b736b513ceab056aa47bc8146ae205d7d5eac2622e
SHA512

c98a9c2c7a4ea46e59d0daf0e674b629f3abd09a3bb715e7b8f19263482149eb4381471f51047e8568a04547f1a45bf00bea6ea4c43ab46cebcf20b092146980

Score

1^/10

Malware Config

Signatures

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

R3209011873.exeR3209011873.exeR3209011873.exeR3209011873.exeR3209011873.exeR3209011873.exeR3209011873.exe

description	pid	process	target process
PID 1676 wrote to memory of 316	1676	R3209011873.exe	MSBuild.exe
PID 1676 wrote to memory of 316	1676	R3209011873.exe	MSBuild.exe
PID 1676 wrote to memory of 316	1676	R3209011873.exe	MSBuild.exe
PID 1676 wrote to memory of 316	1676	R3209011873.exe	MSBuild.exe
PID 1676 wrote to memory of 316	1676	R3209011873.exe	MSBuild.exe
PID 1676 wrote to memory of 316	1676	R3209011873.exe	MSBuild.exe
PID 1676 wrote to memory of 316	1676	R3209011873.exe	MSBuild.exe
PID 1676 wrote to memory of 316	1676	R3209011873.exe	MSBuild.exe
PID 1676 wrote to memory of 316	1676	R3209011873.exe	MSBuild.exe
PID 1676 wrote to memory of 1780	1676	R3209011873.exe	R3209011873.exe
PID 1676 wrote to memory of 1780	1676	R3209011873.exe	R3209011873.exe
PID 1676 wrote to memory of 1780	1676	R3209011873.exe	R3209011873.exe
PID 1676 wrote to memory of 1780	1676	R3209011873.exe	R3209011873.exe
PID 1780 wrote to memory of 1660	1780	R3209011873.exe	MSBuild.exe
PID 1780 wrote to memory of 1660	1780	R3209011873.exe	MSBuild.exe
PID 1780 wrote to memory of 1660	1780	R3209011873.exe	MSBuild.exe
PID 1780 wrote to memory of 1660	1780	R3209011873.exe	MSBuild.exe
PID 1780 wrote to memory of 1592	1780	R3209011873.exe	R3209011873.exe
PID 1780 wrote to memory of 1592	1780	R3209011873.exe	R3209011873.exe
PID 1780 wrote to memory of 1592	1780	R3209011873.exe	R3209011873.exe
PID 1780 wrote to memory of 1592	1780	R3209011873.exe	R3209011873.exe
PID 1592 wrote to memory of 1760	1592	R3209011873.exe	MSBuild.exe
PID 1592 wrote to memory of 1760	1592	R3209011873.exe	MSBuild.exe
PID 1592 wrote to memory of 1760	1592	R3209011873.exe	MSBuild.exe
PID 1592 wrote to memory of 1760	1592	R3209011873.exe	MSBuild.exe
PID 1592 wrote to memory of 1760	1592	R3209011873.exe	MSBuild.exe
PID 1592 wrote to memory of 1760	1592	R3209011873.exe	MSBuild.exe
PID 1592 wrote to memory of 1760	1592	R3209011873.exe	MSBuild.exe
PID 1592 wrote to memory of 1760	1592	R3209011873.exe	MSBuild.exe
PID 1592 wrote to memory of 1760	1592	R3209011873.exe	MSBuild.exe
PID 1592 wrote to memory of 628	1592	R3209011873.exe	R3209011873.exe
PID 1592 wrote to memory of 628	1592	R3209011873.exe	R3209011873.exe
PID 1592 wrote to memory of 628	1592	R3209011873.exe	R3209011873.exe
PID 1592 wrote to memory of 628	1592	R3209011873.exe	R3209011873.exe
PID 628 wrote to memory of 1536	628	R3209011873.exe	MSBuild.exe
PID 628 wrote to memory of 1536	628	R3209011873.exe	MSBuild.exe
PID 628 wrote to memory of 1536	628	R3209011873.exe	MSBuild.exe
PID 628 wrote to memory of 1536	628	R3209011873.exe	MSBuild.exe
PID 628 wrote to memory of 1524	628	R3209011873.exe	R3209011873.exe
PID 628 wrote to memory of 1524	628	R3209011873.exe	R3209011873.exe
PID 628 wrote to memory of 1524	628	R3209011873.exe	R3209011873.exe
PID 628 wrote to memory of 1524	628	R3209011873.exe	R3209011873.exe
PID 1524 wrote to memory of 956	1524	R3209011873.exe	MSBuild.exe
PID 1524 wrote to memory of 956	1524	R3209011873.exe	MSBuild.exe
PID 1524 wrote to memory of 956	1524	R3209011873.exe	MSBuild.exe
PID 1524 wrote to memory of 956	1524	R3209011873.exe	MSBuild.exe
PID 1524 wrote to memory of 1712	1524	R3209011873.exe	R3209011873.exe
PID 1524 wrote to memory of 1712	1524	R3209011873.exe	R3209011873.exe
PID 1524 wrote to memory of 1712	1524	R3209011873.exe	R3209011873.exe
PID 1524 wrote to memory of 1712	1524	R3209011873.exe	R3209011873.exe
PID 1712 wrote to memory of 1288	1712	R3209011873.exe	MSBuild.exe
PID 1712 wrote to memory of 1288	1712	R3209011873.exe	MSBuild.exe
PID 1712 wrote to memory of 1288	1712	R3209011873.exe	MSBuild.exe
PID 1712 wrote to memory of 1288	1712	R3209011873.exe	MSBuild.exe
PID 1712 wrote to memory of 1288	1712	R3209011873.exe	MSBuild.exe
PID 1712 wrote to memory of 1288	1712	R3209011873.exe	MSBuild.exe
PID 1712 wrote to memory of 1288	1712	R3209011873.exe	MSBuild.exe
PID 1712 wrote to memory of 1288	1712	R3209011873.exe	MSBuild.exe
PID 1712 wrote to memory of 1288	1712	R3209011873.exe	MSBuild.exe
PID 1712 wrote to memory of 1764	1712	R3209011873.exe	R3209011873.exe
PID 1712 wrote to memory of 1764	1712	R3209011873.exe	R3209011873.exe
PID 1712 wrote to memory of 1764	1712	R3209011873.exe	R3209011873.exe
PID 1712 wrote to memory of 1764	1712	R3209011873.exe	R3209011873.exe
PID 1764 wrote to memory of 112	1764	R3209011873.exe	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\R3209011873.exe
"C:\Users\Admin\AppData\Local\Temp\R3209011873.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1676

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\R3209011873.exe"
2⤵
PID:316

C:\Users\Admin\AppData\Local\Temp\R3209011873.exe
"C:\Users\Admin\AppData\Local\Temp\R3209011873.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\R3209011873.exe"
3⤵
PID:1660

C:\Users\Admin\AppData\Local\Temp\R3209011873.exe
"C:\Users\Admin\AppData\Local\Temp\R3209011873.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1592

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\R3209011873.exe"
4⤵
PID:1760

C:\Users\Admin\AppData\Local\Temp\R3209011873.exe
"C:\Users\Admin\AppData\Local\Temp\R3209011873.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:628

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\R3209011873.exe"
5⤵
PID:1536

C:\Users\Admin\AppData\Local\Temp\R3209011873.exe
"C:\Users\Admin\AppData\Local\Temp\R3209011873.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:1524

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\R3209011873.exe"
6⤵
PID:956

C:\Users\Admin\AppData\Local\Temp\R3209011873.exe
"C:\Users\Admin\AppData\Local\Temp\R3209011873.exe"
6⤵
- Suspicious use of WriteProcessMemory
PID:1712

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\R3209011873.exe"
7⤵
PID:1288

C:\Users\Admin\AppData\Local\Temp\R3209011873.exe
"C:\Users\Admin\AppData\Local\Temp\R3209011873.exe"
7⤵
- Suspicious use of WriteProcessMemory
PID:1764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\R3209011873.exe"
8⤵
PID:112

C:\Users\Admin\AppData\Local\Temp\R3209011873.exe
"C:\Users\Admin\AppData\Local\Temp\R3209011873.exe"
8⤵
PID:1540

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\R3209011873.exe"
9⤵
PID:1624

C:\Users\Admin\AppData\Local\Temp\R3209011873.exe
"C:\Users\Admin\AppData\Local\Temp\R3209011873.exe"
9⤵
PID:588

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\R3209011873.exe"
10⤵
PID:1892

C:\Users\Admin\AppData\Local\Temp\R3209011873.exe
"C:\Users\Admin\AppData\Local\Temp\R3209011873.exe"
10⤵
PID:1896

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\R3209011873.exe"
11⤵
PID:1008

C:\Users\Admin\AppData\Local\Temp\R3209011873.exe
"C:\Users\Admin\AppData\Local\Temp\R3209011873.exe"
11⤵
PID:1788

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\R3209011873.exe"
12⤵
PID:872

C:\Users\Admin\AppData\Local\Temp\R3209011873.exe
"C:\Users\Admin\AppData\Local\Temp\R3209011873.exe"
12⤵
PID:1164

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\R3209011873.exe"
13⤵
PID:1572

C:\Users\Admin\AppData\Local\Temp\R3209011873.exe
"C:\Users\Admin\AppData\Local\Temp\R3209011873.exe"
13⤵
PID:1548

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\R3209011873.exe"
14⤵
PID:1424

C:\Users\Admin\AppData\Local\Temp\R3209011873.exe
"C:\Users\Admin\AppData\Local\Temp\R3209011873.exe"
14⤵
PID:1708

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\R3209011873.exe"
15⤵
PID:1848

C:\Users\Admin\AppData\Local\Temp\R3209011873.exe
"C:\Users\Admin\AppData\Local\Temp\R3209011873.exe"
15⤵
PID:1928

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/588-66-0x0000000000000000-mapping.dmp

Download
memory/628-59-0x0000000000000000-mapping.dmp

Download
memory/628-60-0x0000000000E40000-0x0000000000ECE000-memory.dmp

Filesize
568KB

Download
memory/1164-69-0x0000000000000000-mapping.dmp

Download
memory/1524-61-0x0000000000000000-mapping.dmp

Download
memory/1540-65-0x0000000000000000-mapping.dmp

Download
memory/1548-70-0x0000000000000000-mapping.dmp

Download
memory/1592-58-0x0000000000E40000-0x0000000000ECE000-memory.dmp

Filesize
568KB

Download
memory/1592-57-0x0000000000000000-mapping.dmp

Download
memory/1676-54-0x0000000000E40000-0x0000000000ECE000-memory.dmp

Filesize
568KB

Download
memory/1708-71-0x0000000000000000-mapping.dmp

Download
memory/1712-62-0x0000000000000000-mapping.dmp

Download
memory/1712-63-0x0000000000E40000-0x0000000000ECE000-memory.dmp

Filesize
568KB

Download
memory/1764-64-0x0000000000000000-mapping.dmp

Download
memory/1780-56-0x0000000000E40000-0x0000000000ECE000-memory.dmp

Filesize
568KB

Download
memory/1780-55-0x0000000000000000-mapping.dmp

Download
memory/1788-68-0x0000000000000000-mapping.dmp

Download
memory/1896-67-0x0000000000000000-mapping.dmp

Download
memory/1928-72-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads