95194602842b66bfa515dc2b260b09e45b7024334d5a07bd4ffeb3079d4e6348

General

Target

sososos.exe
Size

1.1MB
MD5

4274297082755d98b9d07fad46dd9f33
SHA1

28a1a56d03bba60df0da5151c854759b477c40ad
SHA256

6cf454ec0892e0367356ae674e93612f1c23d9c99874d8ff7de7d77055cbf9c6
SHA512

f227836df848cfcf5da9de949a5f9986ddecd843a5484b9eab868d57357248541dc9307e9e4c057d0a2fd85166a1026a45f4e31b7ffbdaa6cc9aa84a9387d26a

Score

7^/10

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

notepad.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sososososos.vbs notepad.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

sososos.exe

description pid process target process

PID 3216 set thread context of 4704 3216 sososos.exe sososos.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

sososos.exesososos.exepowershell.exe

pid process

3216 sososos.exe
3216 sososos.exe
4704 sososos.exe
4704 sososos.exe
316 powershell.exe
316 powershell.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

sososos.exe

pid process

3216 sososos.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

sososos.exepowershell.exe

description pid process

Token: SeDebugPrivilege 4704 sososos.exe
Token: SeDebugPrivilege 316 powershell.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sososososos.vbs	notepad.exe

description	pid	process	target process
PID 3216 set thread context of 4704	3216	sososos.exe	sososos.exe

pid	process
3216	sososos.exe
3216	sososos.exe
4704	sososos.exe
4704	sososos.exe
316	powershell.exe
316	powershell.exe

pid	process
3216	sososos.exe

description	pid	process
Token: SeDebugPrivilege	4704	sososos.exe
Token: SeDebugPrivilege	316	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

sososos.exesososos.execmd.exe

description	pid	process	target process
PID 3216 wrote to memory of 2440	3216	sososos.exe	notepad.exe
PID 3216 wrote to memory of 2440	3216	sososos.exe	notepad.exe
PID 3216 wrote to memory of 2440	3216	sososos.exe	notepad.exe
PID 3216 wrote to memory of 2440	3216	sososos.exe	notepad.exe
PID 3216 wrote to memory of 2440	3216	sososos.exe	notepad.exe
PID 3216 wrote to memory of 4704	3216	sososos.exe	sososos.exe
PID 3216 wrote to memory of 4704	3216	sososos.exe	sososos.exe
PID 3216 wrote to memory of 4704	3216	sososos.exe	sososos.exe
PID 4704 wrote to memory of 1688	4704	sososos.exe	cmd.exe
PID 4704 wrote to memory of 1688	4704	sososos.exe	cmd.exe
PID 4704 wrote to memory of 1688	4704	sososos.exe	cmd.exe
PID 1688 wrote to memory of 316	1688	cmd.exe	powershell.exe
PID 1688 wrote to memory of 316	1688	cmd.exe	powershell.exe
PID 1688 wrote to memory of 316	1688	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\sososos.exe
"C:\Users\Admin\AppData\Local\Temp\sososos.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3216

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
2⤵
- Drops startup file
PID:2440

C:\Users\Admin\AppData\Local\Temp\sososos.exe
"C:\Users\Admin\AppData\Local\Temp\sososos.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4704

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\sososos.exe' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\sososos.exe'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:316

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/316-145-0x00000000068D0000-0x00000000068EE000-memory.dmp

Filesize
120KB

Download
memory/316-143-0x0000000005800000-0x0000000005822000-memory.dmp

Filesize
136KB

Download
memory/316-148-0x00000000079D0000-0x0000000007A66000-memory.dmp

Filesize
600KB

Download
memory/316-146-0x0000000007FB0000-0x000000000862A000-memory.dmp

Filesize
6.5MB

Download
memory/316-144-0x00000000059B0000-0x0000000005A16000-memory.dmp

Filesize
408KB

Download
memory/316-142-0x0000000005CA0000-0x00000000062C8000-memory.dmp

Filesize
6.2MB

Download
memory/316-141-0x0000000002FD0000-0x0000000003006000-memory.dmp

Filesize
216KB

Download
memory/316-140-0x0000000000000000-mapping.dmp

Download
memory/316-149-0x0000000007930000-0x0000000007952000-memory.dmp

Filesize
136KB

Download
memory/316-147-0x0000000006E70000-0x0000000006E8A000-memory.dmp

Filesize
104KB

Download
memory/1688-139-0x0000000000000000-mapping.dmp

Download
memory/2440-131-0x0000000000000000-mapping.dmp

Download
memory/3216-130-0x0000000000400000-0x0000000000525000-memory.dmp

Filesize
1.1MB

Download
memory/4704-137-0x0000000005380000-0x00000000053E6000-memory.dmp

Filesize
408KB

Download
memory/4704-136-0x0000000005260000-0x00000000052FC000-memory.dmp

Filesize
624KB

Download
memory/4704-135-0x0000000004CB0000-0x0000000005254000-memory.dmp

Filesize
5.6MB

Download
memory/4704-133-0x0000000000CB0000-0x0000000000D68000-memory.dmp

Filesize
736KB

Download
memory/4704-134-0x0000000000CB0000-0x0000000000D68000-memory.dmp

Filesize
736KB

Download
memory/4704-132-0x0000000000000000-mapping.dmp

Download
memory/4704-138-0x00000000055F0000-0x0000000005682000-memory.dmp

Filesize
584KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads