a238d109702667b33c62c8edcb134453d2ad51307ff3235f848c350be7168cc3

General

Target

369273 gz.exe
Size

1.5MB
MD5

9a4eec30210edbe451087ea5947180bc
SHA1

86e4fedbad4678edd2e999764c6d487858793f2e
SHA256

4882ceb8e3f4b34b1446518b39b4d878f59c3ef27124e38aefd67faa9200e127
SHA512

fe912bd8e7ef8d7bc7aac7803594a78c35a097ab9f30338fd5dd8d1439d82306c0e09029c5d25ef451142be6eaa206671f83172bcd85b2a349a98a7ac4672904

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

Processes:

369273 gz.exe

description pid process target process

PID 4456 set thread context of 5068 4456 369273 gz.exe 369273 gz.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

369273 gz.exepowershell.exe

pid process

4456 369273 gz.exe
4456 369273 gz.exe
4456 369273 gz.exe
2044 powershell.exe
2044 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

369273 gz.exepowershell.exe

description pid process

Token: SeDebugPrivilege 4456 369273 gz.exe
Token: SeDebugPrivilege 2044 powershell.exe

description	pid	process	target process
PID 4456 set thread context of 5068	4456	369273 gz.exe	369273 gz.exe

pid	process
4456	369273 gz.exe
4456	369273 gz.exe
4456	369273 gz.exe
2044	powershell.exe
2044	powershell.exe

description	pid	process
Token: SeDebugPrivilege	4456	369273 gz.exe
Token: SeDebugPrivilege	2044	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

369273 gz.exe369273 gz.execmd.exe

description	pid	process	target process
PID 4456 wrote to memory of 5068	4456	369273 gz.exe	369273 gz.exe
PID 4456 wrote to memory of 5068	4456	369273 gz.exe	369273 gz.exe
PID 4456 wrote to memory of 5068	4456	369273 gz.exe	369273 gz.exe
PID 4456 wrote to memory of 5068	4456	369273 gz.exe	369273 gz.exe
PID 4456 wrote to memory of 5068	4456	369273 gz.exe	369273 gz.exe
PID 4456 wrote to memory of 5068	4456	369273 gz.exe	369273 gz.exe
PID 4456 wrote to memory of 5068	4456	369273 gz.exe	369273 gz.exe
PID 4456 wrote to memory of 5068	4456	369273 gz.exe	369273 gz.exe
PID 5068 wrote to memory of 224	5068	369273 gz.exe	cmd.exe
PID 5068 wrote to memory of 224	5068	369273 gz.exe	cmd.exe
PID 5068 wrote to memory of 224	5068	369273 gz.exe	cmd.exe
PID 224 wrote to memory of 2044	224	cmd.exe	powershell.exe
PID 224 wrote to memory of 2044	224	cmd.exe	powershell.exe
PID 224 wrote to memory of 2044	224	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\369273 gz.exe
"C:\Users\Admin\AppData\Local\Temp\369273 gz.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4456
- C:\Users\Admin\AppData\Local\Temp\369273 gz.exe
  "C:\Users\Admin\AppData\Local\Temp\369273 gz.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5068
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\369273 gz.exe' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:224
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\369273 gz.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2044

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\369273 gz.exe.log

Filesize
1KB

MD5
fc13935f3038bdde6cb484249fbff668

SHA1
a4c32013e6d59bf1eb1a5119456965de191e62b8

SHA256
de064c569a5f4edaf2da91d7bcb82bab06a35190b699cede1da0aa616a23d676

SHA512
5817275af0f8a48eb1e008d39f62fb3582db9a2d21a806e9f9ee36fbfd799fb17e91f0e3686f4b236724fe78f14ae7f40cd3755f0ec0fb6734ce42f996b798f7

Download Submit
memory/224-138-0x0000000000000000-mapping.dmp

Download
memory/2044-145-0x0000000006730000-0x000000000674E000-memory.dmp

Filesize
120KB

Download
memory/2044-142-0x0000000005890000-0x0000000005EB8000-memory.dmp

Filesize
6.2MB

Download
memory/2044-149-0x00000000078F0000-0x0000000007912000-memory.dmp

Filesize
136KB

Download
memory/2044-148-0x0000000007990000-0x0000000007A26000-memory.dmp

Filesize
600KB

Download
memory/2044-147-0x0000000006BE0000-0x0000000006BFA000-memory.dmp

Filesize
104KB

Download
memory/2044-146-0x0000000007F70000-0x00000000085EA000-memory.dmp

Filesize
6.5MB

Download
memory/2044-144-0x0000000005FB0000-0x0000000006016000-memory.dmp

Filesize
408KB

Download
memory/2044-143-0x0000000005860000-0x0000000005882000-memory.dmp

Filesize
136KB

Download
memory/2044-140-0x0000000000000000-mapping.dmp

Download
memory/2044-141-0x0000000002E20000-0x0000000002E56000-memory.dmp

Filesize
216KB

Download
memory/4456-130-0x0000000000EB0000-0x0000000001038000-memory.dmp

Filesize
1.5MB

Download
memory/4456-131-0x00000000066C0000-0x0000000006C64000-memory.dmp

Filesize
5.6MB

Download
memory/4456-132-0x00000000061F0000-0x0000000006282000-memory.dmp

Filesize
584KB

Download
memory/5068-133-0x0000000000000000-mapping.dmp

Download
memory/5068-137-0x0000000005030000-0x0000000005096000-memory.dmp

Filesize
408KB

Download
memory/5068-136-0x0000000004F10000-0x0000000004FAC000-memory.dmp

Filesize
624KB

Download
memory/5068-135-0x0000000000900000-0x00000000009C4000-memory.dmp

Filesize
784KB

Download
memory/5068-134-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads