25153f00d841c6a41619c7c630dde71dcf443205ce1436f1a7aa4ac682de2e5f

General

Target

SCAN_20200805_1524203946573.exe
Size

1.2MB
MD5

94196b70530b597f111cd799149d4baf
SHA1

cf6749d875e1cc451890d96d26ffbc226778bb9f
SHA256

242c20784a19993ce2896684480243fe63d33b065fe9ef74d48b958a91cd4e48
SHA512

6eaba87afb85019268889f04fc0416a66628b22154d85a1ecdc136340fccace9c82b098317b2565f94a8dff9aeaa949fb0762f87c6246de80bf382f610484663

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

Processes:

SCAN_20200805_1524203946573.exe

description pid process target process

PID 3904 set thread context of 3856 3904 SCAN_20200805_1524203946573.exe SCAN_20200805_1524203946573.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

SCAN_20200805_1524203946573.exepowershell.exe

pid process

3904 SCAN_20200805_1524203946573.exe
3904 SCAN_20200805_1524203946573.exe
4668 powershell.exe
4668 powershell.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

SCAN_20200805_1524203946573.exe

pid process

3904 SCAN_20200805_1524203946573.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 4668 powershell.exe

description	pid	process	target process
PID 3904 set thread context of 3856	3904	SCAN_20200805_1524203946573.exe	SCAN_20200805_1524203946573.exe

pid	process
3904	SCAN_20200805_1524203946573.exe
3904	SCAN_20200805_1524203946573.exe
4668	powershell.exe
4668	powershell.exe

pid	process
3904	SCAN_20200805_1524203946573.exe

description	pid	process
Token: SeDebugPrivilege	4668	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

SCAN_20200805_1524203946573.exeSCAN_20200805_1524203946573.execmd.exe

description	pid	process	target process
PID 3904 wrote to memory of 3856	3904	SCAN_20200805_1524203946573.exe	SCAN_20200805_1524203946573.exe
PID 3904 wrote to memory of 3856	3904	SCAN_20200805_1524203946573.exe	SCAN_20200805_1524203946573.exe
PID 3904 wrote to memory of 3856	3904	SCAN_20200805_1524203946573.exe	SCAN_20200805_1524203946573.exe
PID 3856 wrote to memory of 1976	3856	SCAN_20200805_1524203946573.exe	cmd.exe
PID 3856 wrote to memory of 1976	3856	SCAN_20200805_1524203946573.exe	cmd.exe
PID 3856 wrote to memory of 1976	3856	SCAN_20200805_1524203946573.exe	cmd.exe
PID 1976 wrote to memory of 4668	1976	cmd.exe	powershell.exe
PID 1976 wrote to memory of 4668	1976	cmd.exe	powershell.exe
PID 1976 wrote to memory of 4668	1976	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\SCAN_20200805_1524203946573.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN_20200805_1524203946573.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3904

C:\Users\Admin\AppData\Local\Temp\SCAN_20200805_1524203946573.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN_20200805_1524203946573.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3856

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\SCAN_20200805_1524203946573.exe' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\SCAN_20200805_1524203946573.exe'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4668

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1976-138-0x0000000000000000-mapping.dmp

Download
memory/3856-134-0x0000000004D80000-0x0000000005324000-memory.dmp

Filesize
5.6MB

Download
memory/3856-132-0x0000000000CA0000-0x0000000000D64000-memory.dmp

Filesize
784KB

Download
memory/3856-133-0x0000000000CA0000-0x0000000000D64000-memory.dmp

Filesize
784KB

Download
memory/3856-131-0x0000000000000000-mapping.dmp

Download
memory/3856-135-0x0000000004C40000-0x0000000004CDC000-memory.dmp

Filesize
624KB

Download
memory/3856-136-0x00000000053B0000-0x0000000005416000-memory.dmp

Filesize
408KB

Download
memory/3856-137-0x0000000005720000-0x00000000057B2000-memory.dmp

Filesize
584KB

Download
memory/3904-130-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/4668-141-0x0000000005020000-0x0000000005648000-memory.dmp

Filesize
6.2MB

Download
memory/4668-148-0x0000000006140000-0x0000000006162000-memory.dmp

Filesize
136KB

Download
memory/4668-140-0x0000000002240000-0x0000000002276000-memory.dmp

Filesize
216KB

Download
memory/4668-142-0x0000000004CD0000-0x0000000004CF2000-memory.dmp

Filesize
136KB

Download
memory/4668-143-0x0000000004DF0000-0x0000000004E56000-memory.dmp

Filesize
408KB

Download
memory/4668-144-0x0000000005B80000-0x0000000005B9E000-memory.dmp

Filesize
120KB

Download
memory/4668-145-0x00000000073D0000-0x0000000007A4A000-memory.dmp

Filesize
6.5MB

Download
memory/4668-146-0x0000000006060000-0x000000000607A000-memory.dmp

Filesize
104KB

Download
memory/4668-147-0x0000000006DF0000-0x0000000006E86000-memory.dmp

Filesize
600KB

Download
memory/4668-139-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads