df805bf0adbd20c24cf85af5822222cc00e4f8776a6630598add541a1ebfb1c5

General

Target

PO_2020130837727_288377233.exe
Size

974KB
MD5

b8802e4af1f4b8366521b4da418463a1
SHA1

81bd2b52b545f31b4a29c7749cd42db62ac672e4
SHA256

9810f656629ec1a2c0957a8d650b6caf1f9431e91c8a9516744636fbd39d54a8
SHA512

c78acdd6c6b73dbc7436e31b5c769311b2a3d9d43f253b661f9ee61486b8f63f7edefe95ecb638fe090f1f60682bc7efdd72a99e28f8e0946ede5ca7d0b03c5f

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

Processes:

PO_2020130837727_288377233.exe

description pid process target process

PID 2688 set thread context of 1528 2688 PO_2020130837727_288377233.exe PO_2020130837727_288377233.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

PO_2020130837727_288377233.exepowershell.exe

pid process

2688 PO_2020130837727_288377233.exe
2688 PO_2020130837727_288377233.exe
2688 PO_2020130837727_288377233.exe
3188 powershell.exe
3188 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

PO_2020130837727_288377233.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2688 PO_2020130837727_288377233.exe
Token: SeDebugPrivilege 3188 powershell.exe

description	pid	process	target process
PID 2688 set thread context of 1528	2688	PO_2020130837727_288377233.exe	PO_2020130837727_288377233.exe

pid	process
2688	PO_2020130837727_288377233.exe
2688	PO_2020130837727_288377233.exe
2688	PO_2020130837727_288377233.exe
3188	powershell.exe
3188	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2688	PO_2020130837727_288377233.exe
Token: SeDebugPrivilege	3188	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

PO_2020130837727_288377233.exePO_2020130837727_288377233.execmd.exe

description	pid	process	target process
PID 2688 wrote to memory of 1528	2688	PO_2020130837727_288377233.exe	PO_2020130837727_288377233.exe
PID 2688 wrote to memory of 1528	2688	PO_2020130837727_288377233.exe	PO_2020130837727_288377233.exe
PID 2688 wrote to memory of 1528	2688	PO_2020130837727_288377233.exe	PO_2020130837727_288377233.exe
PID 2688 wrote to memory of 1528	2688	PO_2020130837727_288377233.exe	PO_2020130837727_288377233.exe
PID 2688 wrote to memory of 1528	2688	PO_2020130837727_288377233.exe	PO_2020130837727_288377233.exe
PID 2688 wrote to memory of 1528	2688	PO_2020130837727_288377233.exe	PO_2020130837727_288377233.exe
PID 2688 wrote to memory of 1528	2688	PO_2020130837727_288377233.exe	PO_2020130837727_288377233.exe
PID 2688 wrote to memory of 1528	2688	PO_2020130837727_288377233.exe	PO_2020130837727_288377233.exe
PID 1528 wrote to memory of 4184	1528	PO_2020130837727_288377233.exe	cmd.exe
PID 1528 wrote to memory of 4184	1528	PO_2020130837727_288377233.exe	cmd.exe
PID 1528 wrote to memory of 4184	1528	PO_2020130837727_288377233.exe	cmd.exe
PID 4184 wrote to memory of 3188	4184	cmd.exe	powershell.exe
PID 4184 wrote to memory of 3188	4184	cmd.exe	powershell.exe
PID 4184 wrote to memory of 3188	4184	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\PO_2020130837727_288377233.exe
"C:\Users\Admin\AppData\Local\Temp\PO_2020130837727_288377233.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Users\Admin\AppData\Local\Temp\PO_2020130837727_288377233.exe
  "{path}"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1528
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\PO_2020130837727_288377233.exe' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4184
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\PO_2020130837727_288377233.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3188

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO_2020130837727_288377233.exe.log

Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
memory/1528-135-0x0000000000000000-mapping.dmp

Download
memory/1528-136-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/1528-138-0x00000000051D0000-0x0000000005236000-memory.dmp

Filesize
408KB

Download
memory/2688-130-0x0000000000290000-0x000000000038A000-memory.dmp

Filesize
1000KB

Download
memory/2688-131-0x0000000005200000-0x00000000057A4000-memory.dmp

Filesize
5.6MB

Download
memory/2688-132-0x0000000004D30000-0x0000000004DC2000-memory.dmp

Filesize
584KB

Download
memory/2688-133-0x0000000004DE0000-0x0000000004DEA000-memory.dmp

Filesize
40KB

Download
memory/2688-134-0x0000000008620000-0x00000000086BC000-memory.dmp

Filesize
624KB

Download
memory/3188-140-0x0000000000000000-mapping.dmp

Download
memory/3188-141-0x0000000005250000-0x0000000005286000-memory.dmp

Filesize
216KB

Download
memory/3188-142-0x0000000005960000-0x0000000005F88000-memory.dmp

Filesize
6.2MB

Download
memory/3188-143-0x0000000005F90000-0x0000000005FB2000-memory.dmp

Filesize
136KB

Download
memory/3188-144-0x0000000006100000-0x0000000006166000-memory.dmp

Filesize
408KB

Download
memory/3188-145-0x0000000006820000-0x000000000683E000-memory.dmp

Filesize
120KB

Download
memory/3188-146-0x00000000080A0000-0x000000000871A000-memory.dmp

Filesize
6.5MB

Download
memory/3188-147-0x0000000006C90000-0x0000000006CAA000-memory.dmp

Filesize
104KB

Download
memory/3188-148-0x0000000007AC0000-0x0000000007B56000-memory.dmp

Filesize
600KB

Download
memory/3188-149-0x0000000005570000-0x0000000005592000-memory.dmp

Filesize
136KB

Download
memory/4184-139-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads