2a1433e205534494d75ae6b053fd6bbdbf46fa96513066ad1d871cf6ff2c65dc

General

Target

Augustus Inkooporder .pdf______________________________________________________________________________.exe
Size

1.6MB
MD5

48add9a8b2803bf24c560f44f5a1a5fa
SHA1

647c195a8d861d696d1b1d3515b4b69138304ed3
SHA256

d4557d36508f2a62bbb7e58cc6b8a5d1f9588810485b04adf4cc100ee925687a
SHA512

ba6c9e253a3873df9119459a82cab1d90f4305a0c28a1e5e5d3facd501be497230faf23fb1a0167b1a5b27c322db3d987dd40cd2c1268c789e6177bf5f17e251

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

Processes:

Augustus Inkooporder .pdf______________________________________________________________________________.exe

pid process

388 Augustus Inkooporder .pdf______________________________________________________________________________.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Augustus Inkooporder .pdf______________________________________________________________________________.exe

description	pid	process	target process
PID 388 set thread context of 3968	388	Augustus Inkooporder .pdf______________________________________________________________________________.exe	Augustus Inkooporder .pdf______________________________________________________________________________.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

Augustus Inkooporder .pdf______________________________________________________________________________.exeAugustus Inkooporder .pdf______________________________________________________________________________.exepowershell.exe

pid	process
388	Augustus Inkooporder .pdf______________________________________________________________________________.exe
388	Augustus Inkooporder .pdf______________________________________________________________________________.exe
388	Augustus Inkooporder .pdf______________________________________________________________________________.exe
3968	Augustus Inkooporder .pdf______________________________________________________________________________.exe
3968	Augustus Inkooporder .pdf______________________________________________________________________________.exe
1004	powershell.exe
1004	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Augustus Inkooporder .pdf______________________________________________________________________________.exeAugustus Inkooporder .pdf______________________________________________________________________________.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	388	Augustus Inkooporder .pdf______________________________________________________________________________.exe
Token: SeDebugPrivilege	3968	Augustus Inkooporder .pdf______________________________________________________________________________.exe
Token: SeDebugPrivilege	1004	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

Augustus Inkooporder .pdf______________________________________________________________________________.exeAugustus Inkooporder .pdf______________________________________________________________________________.execmd.exe

description	pid	process	target process
PID 388 wrote to memory of 3968	388	Augustus Inkooporder .pdf______________________________________________________________________________.exe	Augustus Inkooporder .pdf______________________________________________________________________________.exe
PID 388 wrote to memory of 3968	388	Augustus Inkooporder .pdf______________________________________________________________________________.exe	Augustus Inkooporder .pdf______________________________________________________________________________.exe
PID 388 wrote to memory of 3968	388	Augustus Inkooporder .pdf______________________________________________________________________________.exe	Augustus Inkooporder .pdf______________________________________________________________________________.exe
PID 388 wrote to memory of 3968	388	Augustus Inkooporder .pdf______________________________________________________________________________.exe	Augustus Inkooporder .pdf______________________________________________________________________________.exe
PID 388 wrote to memory of 3968	388	Augustus Inkooporder .pdf______________________________________________________________________________.exe	Augustus Inkooporder .pdf______________________________________________________________________________.exe
PID 388 wrote to memory of 3968	388	Augustus Inkooporder .pdf______________________________________________________________________________.exe	Augustus Inkooporder .pdf______________________________________________________________________________.exe
PID 388 wrote to memory of 3968	388	Augustus Inkooporder .pdf______________________________________________________________________________.exe	Augustus Inkooporder .pdf______________________________________________________________________________.exe
PID 388 wrote to memory of 3968	388	Augustus Inkooporder .pdf______________________________________________________________________________.exe	Augustus Inkooporder .pdf______________________________________________________________________________.exe
PID 3968 wrote to memory of 4212	3968	Augustus Inkooporder .pdf______________________________________________________________________________.exe	cmd.exe
PID 3968 wrote to memory of 4212	3968	Augustus Inkooporder .pdf______________________________________________________________________________.exe	cmd.exe
PID 3968 wrote to memory of 4212	3968	Augustus Inkooporder .pdf______________________________________________________________________________.exe	cmd.exe
PID 4212 wrote to memory of 1004	4212	cmd.exe	powershell.exe
PID 4212 wrote to memory of 1004	4212	cmd.exe	powershell.exe
PID 4212 wrote to memory of 1004	4212	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe
"C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:388

C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe
"C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3968

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:4212

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1004

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Augustus Inkooporder .pdf______________________________________________________________________________.exe.log
Filesize
1KB

MD5
fc13935f3038bdde6cb484249fbff668

SHA1
a4c32013e6d59bf1eb1a5119456965de191e62b8

SHA256
de064c569a5f4edaf2da91d7bcb82bab06a35190b699cede1da0aa616a23d676

SHA512
5817275af0f8a48eb1e008d39f62fb3582db9a2d21a806e9f9ee36fbfd799fb17e91f0e3686f4b236724fe78f14ae7f40cd3755f0ec0fb6734ce42f996b798f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\c08e67e7-d17e-42f4-84a8-059771d01a58\AgileDotNetRT.dll
Filesize
94KB

MD5
14ff402962ad21b78ae0b4c43cd1f194

SHA1
f8a510eb26666e875a5bdd1cadad40602763ad72

SHA256
fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b

SHA512
daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b

Download Submit
memory/388-132-0x0000000073B20000-0x0000000073BA9000-memory.dmp

Filesize
548KB

Download
memory/388-133-0x0000000005E70000-0x0000000006414000-memory.dmp

Filesize
5.6MB

Download
memory/388-134-0x00000000059A0000-0x0000000005A32000-memory.dmp

Filesize
584KB

Download
memory/388-130-0x0000000000400000-0x00000000005A2000-memory.dmp

Filesize
1.6MB

Download
memory/1004-146-0x0000000005AC0000-0x0000000005B26000-memory.dmp

Filesize
408KB

Download
memory/1004-147-0x0000000006400000-0x000000000641E000-memory.dmp

Filesize
120KB

Download
memory/1004-151-0x0000000006A00000-0x0000000006A22000-memory.dmp

Filesize
136KB

Download
memory/1004-150-0x0000000007660000-0x00000000076F6000-memory.dmp

Filesize
600KB

Download
memory/1004-149-0x0000000006940000-0x000000000695A000-memory.dmp

Filesize
104KB

Download
memory/1004-142-0x0000000000000000-mapping.dmp

Download
memory/1004-143-0x0000000004CF0000-0x0000000004D26000-memory.dmp

Filesize
216KB

Download
memory/1004-144-0x0000000005360000-0x0000000005988000-memory.dmp

Filesize
6.2MB

Download
memory/1004-145-0x00000000052E0000-0x0000000005302000-memory.dmp

Filesize
136KB

Download
memory/1004-148-0x0000000007CE0000-0x000000000835A000-memory.dmp

Filesize
6.5MB

Download
memory/3968-138-0x0000000004BC0000-0x0000000004C5C000-memory.dmp

Filesize
624KB

Download
memory/3968-135-0x0000000000000000-mapping.dmp

Download
memory/3968-137-0x0000000000630000-0x00000000006E8000-memory.dmp

Filesize
736KB

Download
memory/3968-139-0x0000000004D50000-0x0000000004DB6000-memory.dmp

Filesize
408KB

Download
memory/4212-140-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads