4ab8c891c52a98f6583d66fc0e0021d29d3a21bbdaa7177a03aecb4eef4073e7

General

Target

New_PO_2020805.exe
Size

1.1MB
MD5

42a20dafbe6049da3465b4f0b982c414
SHA1

e8d4fcd65e005561ce5c699376ad7667d0c0a1b9
SHA256

6d2a566cdadb7d1397ba4cc96cf0ad361358a717523f547c30af8c92b88b712b
SHA512

b0831bbba1be93c33a67f36e841e5ff1b8c6d84de8cb9ebc3a20e6f5a8f58339deef4d10dc37d10b4a281be9633382c086dfb7ea16d2228fe628a172a4f642b9

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

Processes:

New_PO_2020805.exe

description pid process target process

PID 3048 set thread context of 4380 3048 New_PO_2020805.exe New_PO_2020805.exe

description	pid	process	target process
PID 3048 set thread context of 4380	3048	New_PO_2020805.exe	New_PO_2020805.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

New_PO_2020805.exeNew_PO_2020805.exepowershell.exe

pid	process
3048	New_PO_2020805.exe
3048	New_PO_2020805.exe
3048	New_PO_2020805.exe
3048	New_PO_2020805.exe
3048	New_PO_2020805.exe
3048	New_PO_2020805.exe
3048	New_PO_2020805.exe
4380	New_PO_2020805.exe
4380	New_PO_2020805.exe
2132	powershell.exe
2132	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

New_PO_2020805.exeNew_PO_2020805.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3048	New_PO_2020805.exe
Token: SeDebugPrivilege	4380	New_PO_2020805.exe
Token: SeDebugPrivilege	2132	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

New_PO_2020805.exeNew_PO_2020805.execmd.exe

description	pid	process	target process
PID 3048 wrote to memory of 4380	3048	New_PO_2020805.exe	New_PO_2020805.exe
PID 3048 wrote to memory of 4380	3048	New_PO_2020805.exe	New_PO_2020805.exe
PID 3048 wrote to memory of 4380	3048	New_PO_2020805.exe	New_PO_2020805.exe
PID 3048 wrote to memory of 4380	3048	New_PO_2020805.exe	New_PO_2020805.exe
PID 3048 wrote to memory of 4380	3048	New_PO_2020805.exe	New_PO_2020805.exe
PID 3048 wrote to memory of 4380	3048	New_PO_2020805.exe	New_PO_2020805.exe
PID 3048 wrote to memory of 4380	3048	New_PO_2020805.exe	New_PO_2020805.exe
PID 3048 wrote to memory of 4380	3048	New_PO_2020805.exe	New_PO_2020805.exe
PID 4380 wrote to memory of 3148	4380	New_PO_2020805.exe	cmd.exe
PID 4380 wrote to memory of 3148	4380	New_PO_2020805.exe	cmd.exe
PID 4380 wrote to memory of 3148	4380	New_PO_2020805.exe	cmd.exe
PID 3148 wrote to memory of 2132	3148	cmd.exe	powershell.exe
PID 3148 wrote to memory of 2132	3148	cmd.exe	powershell.exe
PID 3148 wrote to memory of 2132	3148	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\New_PO_2020805.exe
"C:\Users\Admin\AppData\Local\Temp\New_PO_2020805.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3048

C:\Users\Admin\AppData\Local\Temp\New_PO_2020805.exe
"{path}"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4380

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\New_PO_2020805.exe' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:3148

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\New_PO_2020805.exe'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2132

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\New_PO_2020805.exe.log
Filesize
412B

MD5
ad1c7f6525cfeb54c0487efd38b0e26c

SHA1
ed3da94723ac7e3828a9e93d68418bb810592f3b

SHA256
0a534a3d0fa82e6a427164c5f6e702cac7e4afc9967af9bc5ddba4f84ab33276

SHA512
48d625e6be5391d91d95c2850226fe39bb2411cb72139797699cfe126e6b066182e83950a8ea67e63b64a66b0d45f58d8bc97cab0363d55c2fd88c0d1d28009c

Download Submit
memory/2132-146-0x0000000006DF0000-0x0000000006E0A000-memory.dmp

Filesize
104KB

Download
memory/2132-148-0x0000000006EE0000-0x0000000006F02000-memory.dmp

Filesize
136KB

Download
memory/2132-147-0x0000000007B60000-0x0000000007BF6000-memory.dmp

Filesize
600KB

Download
memory/2132-144-0x0000000006900000-0x000000000691E000-memory.dmp

Filesize
120KB

Download
memory/2132-145-0x0000000008140000-0x00000000087BA000-memory.dmp

Filesize
6.5MB

Download
memory/2132-139-0x0000000000000000-mapping.dmp

Download
memory/2132-140-0x0000000002FD0000-0x0000000003006000-memory.dmp

Filesize
216KB

Download
memory/2132-141-0x0000000005C00000-0x0000000006228000-memory.dmp

Filesize
6.2MB

Download
memory/2132-142-0x0000000005960000-0x0000000005982000-memory.dmp

Filesize
136KB

Download
memory/2132-143-0x0000000005AC0000-0x0000000005B26000-memory.dmp

Filesize
408KB

Download
memory/3048-132-0x0000000005760000-0x00000000057F2000-memory.dmp

Filesize
584KB

Download
memory/3048-131-0x0000000005620000-0x00000000056BC000-memory.dmp

Filesize
624KB

Download
memory/3048-130-0x0000000000800000-0x0000000000912000-memory.dmp

Filesize
1.1MB

Download
memory/3148-138-0x0000000000000000-mapping.dmp

Download
memory/4380-137-0x00000000059E0000-0x0000000005A46000-memory.dmp

Filesize
408KB

Download
memory/4380-136-0x0000000005E00000-0x00000000063A4000-memory.dmp

Filesize
5.6MB

Download
memory/4380-134-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4380-133-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads