4313df6bee4e6025934ff76ed2f7c8924b85f71b029060eede7f66d4b96eb027

Analysis

max time kernel
47s
max time network
45s
platform
windows7_x64
resource
win7-20220414-en
submitted
21-05-2022 00:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FRtsWDxBpc96ZPs.exe
Size

510KB
MD5

6fa5d1729bcb93c460bd3bb3ebf53eb4
SHA1

f6c9df5e9c8a6d19224967b85d87b54287563a9b
SHA256

05568298144f10100f3882592a8be0a1754c579f581a3db6316d014c7f8ca8f3
SHA512

1feb1e7d85aa0ae173f510b32b7d5ff1f2cc37b4d23888d6a8f9930f50d8953c11cd4cc363f09dd4393805ef917251ee2ccf28c52a236209207739ba06d91057

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

FRtsWDxBpc96ZPs.exe

pid	process
1632	FRtsWDxBpc96ZPs.exe
1632	FRtsWDxBpc96ZPs.exe
1632	FRtsWDxBpc96ZPs.exe
1632	FRtsWDxBpc96ZPs.exe
1632	FRtsWDxBpc96ZPs.exe
1632	FRtsWDxBpc96ZPs.exe
1632	FRtsWDxBpc96ZPs.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

FRtsWDxBpc96ZPs.exe

description pid process

Token: SeDebugPrivilege 1632 FRtsWDxBpc96ZPs.exe

description	pid	process
Token: SeDebugPrivilege	1632	FRtsWDxBpc96ZPs.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

FRtsWDxBpc96ZPs.exe

description	pid	process	target process
PID 1632 wrote to memory of 1192	1632	FRtsWDxBpc96ZPs.exe	FRtsWDxBpc96ZPs.exe
PID 1632 wrote to memory of 1192	1632	FRtsWDxBpc96ZPs.exe	FRtsWDxBpc96ZPs.exe
PID 1632 wrote to memory of 1192	1632	FRtsWDxBpc96ZPs.exe	FRtsWDxBpc96ZPs.exe
PID 1632 wrote to memory of 1192	1632	FRtsWDxBpc96ZPs.exe	FRtsWDxBpc96ZPs.exe
PID 1632 wrote to memory of 1116	1632	FRtsWDxBpc96ZPs.exe	FRtsWDxBpc96ZPs.exe
PID 1632 wrote to memory of 1116	1632	FRtsWDxBpc96ZPs.exe	FRtsWDxBpc96ZPs.exe
PID 1632 wrote to memory of 1116	1632	FRtsWDxBpc96ZPs.exe	FRtsWDxBpc96ZPs.exe
PID 1632 wrote to memory of 1116	1632	FRtsWDxBpc96ZPs.exe	FRtsWDxBpc96ZPs.exe
PID 1632 wrote to memory of 1324	1632	FRtsWDxBpc96ZPs.exe	FRtsWDxBpc96ZPs.exe
PID 1632 wrote to memory of 1324	1632	FRtsWDxBpc96ZPs.exe	FRtsWDxBpc96ZPs.exe
PID 1632 wrote to memory of 1324	1632	FRtsWDxBpc96ZPs.exe	FRtsWDxBpc96ZPs.exe
PID 1632 wrote to memory of 1324	1632	FRtsWDxBpc96ZPs.exe	FRtsWDxBpc96ZPs.exe
PID 1632 wrote to memory of 1320	1632	FRtsWDxBpc96ZPs.exe	FRtsWDxBpc96ZPs.exe
PID 1632 wrote to memory of 1320	1632	FRtsWDxBpc96ZPs.exe	FRtsWDxBpc96ZPs.exe
PID 1632 wrote to memory of 1320	1632	FRtsWDxBpc96ZPs.exe	FRtsWDxBpc96ZPs.exe
PID 1632 wrote to memory of 1320	1632	FRtsWDxBpc96ZPs.exe	FRtsWDxBpc96ZPs.exe
PID 1632 wrote to memory of 2004	1632	FRtsWDxBpc96ZPs.exe	FRtsWDxBpc96ZPs.exe
PID 1632 wrote to memory of 2004	1632	FRtsWDxBpc96ZPs.exe	FRtsWDxBpc96ZPs.exe
PID 1632 wrote to memory of 2004	1632	FRtsWDxBpc96ZPs.exe	FRtsWDxBpc96ZPs.exe
PID 1632 wrote to memory of 2004	1632	FRtsWDxBpc96ZPs.exe	FRtsWDxBpc96ZPs.exe

C:\Users\Admin\AppData\Local\Temp\FRtsWDxBpc96ZPs.exe
"C:\Users\Admin\AppData\Local\Temp\FRtsWDxBpc96ZPs.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1632

C:\Users\Admin\AppData\Local\Temp\FRtsWDxBpc96ZPs.exe
"{path}"
2⤵
PID:1192

C:\Users\Admin\AppData\Local\Temp\FRtsWDxBpc96ZPs.exe
"{path}"
2⤵
PID:1116

C:\Users\Admin\AppData\Local\Temp\FRtsWDxBpc96ZPs.exe
"{path}"
2⤵
PID:1324

C:\Users\Admin\AppData\Local\Temp\FRtsWDxBpc96ZPs.exe
"{path}"
2⤵
PID:1320

C:\Users\Admin\AppData\Local\Temp\FRtsWDxBpc96ZPs.exe
"{path}"
2⤵
PID:2004

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1632-54-0x0000000075361000-0x0000000075363000-memory.dmp

Filesize
8KB

Download
memory/1632-55-0x00000000744D0000-0x0000000074A7B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads