25153f00d841c6a41619c7c630dde71dcf443205ce1436f1a7aa4ac682de2e5f

General

Target

SCAN_20200805_1524203946573.exe
Size

1.2MB
MD5

94196b70530b597f111cd799149d4baf
SHA1

cf6749d875e1cc451890d96d26ffbc226778bb9f
SHA256

242c20784a19993ce2896684480243fe63d33b065fe9ef74d48b958a91cd4e48
SHA512

6eaba87afb85019268889f04fc0416a66628b22154d85a1ecdc136340fccace9c82b098317b2565f94a8dff9aeaa949fb0762f87c6246de80bf382f610484663

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3904 set thread context of 3856	3904	SCAN_20200805_1524203946573.exe	78

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3904	SCAN_20200805_1524203946573.exe
3904	SCAN_20200805_1524203946573.exe
4668	powershell.exe
4668	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3904	SCAN_20200805_1524203946573.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4668	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3904 wrote to memory of 3856	3904	SCAN_20200805_1524203946573.exe	78
PID 3904 wrote to memory of 3856	3904	SCAN_20200805_1524203946573.exe	78
PID 3904 wrote to memory of 3856	3904	SCAN_20200805_1524203946573.exe	78
PID 3856 wrote to memory of 1976	3856	SCAN_20200805_1524203946573.exe	79
PID 3856 wrote to memory of 1976	3856	SCAN_20200805_1524203946573.exe	79
PID 3856 wrote to memory of 1976	3856	SCAN_20200805_1524203946573.exe	79
PID 1976 wrote to memory of 4668	1976	cmd.exe	81
PID 1976 wrote to memory of 4668	1976	cmd.exe	81
PID 1976 wrote to memory of 4668	1976	cmd.exe	81

C:\Users\Admin\AppData\Local\Temp\SCAN_20200805_1524203946573.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN_20200805_1524203946573.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3904
- C:\Users\Admin\AppData\Local\Temp\SCAN_20200805_1524203946573.exe
  "C:\Users\Admin\AppData\Local\Temp\SCAN_20200805_1524203946573.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3856
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\SCAN_20200805_1524203946573.exe' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1976
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\SCAN_20200805_1524203946573.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4668

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3856-134-0x0000000004D80000-0x0000000005324000-memory.dmp

Filesize
5.6MB

Download
memory/3856-133-0x0000000000CA0000-0x0000000000D64000-memory.dmp

Filesize
784KB

Download
memory/3856-132-0x0000000000CA0000-0x0000000000D64000-memory.dmp

Filesize
784KB

Download
memory/3856-135-0x0000000004C40000-0x0000000004CDC000-memory.dmp

Filesize
624KB

Download
memory/3856-136-0x00000000053B0000-0x0000000005416000-memory.dmp

Filesize
408KB

Download
memory/3856-137-0x0000000005720000-0x00000000057B2000-memory.dmp

Filesize
584KB

Download
memory/3904-130-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/4668-141-0x0000000005020000-0x0000000005648000-memory.dmp

Filesize
6.2MB

Download
memory/4668-140-0x0000000002240000-0x0000000002276000-memory.dmp

Filesize
216KB

Download
memory/4668-142-0x0000000004CD0000-0x0000000004CF2000-memory.dmp

Filesize
136KB

Download
memory/4668-143-0x0000000004DF0000-0x0000000004E56000-memory.dmp

Filesize
408KB

Download
memory/4668-144-0x0000000005B80000-0x0000000005B9E000-memory.dmp

Filesize
120KB

Download
memory/4668-145-0x00000000073D0000-0x0000000007A4A000-memory.dmp

Filesize
6.5MB

Download
memory/4668-146-0x0000000006060000-0x000000000607A000-memory.dmp

Filesize
104KB

Download
memory/4668-147-0x0000000006DF0000-0x0000000006E86000-memory.dmp

Filesize
600KB

Download
memory/4668-148-0x0000000006140000-0x0000000006162000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing