4a2b08708e7619550eefdfa23c06d079abe4277ef159152f2cb1b9aa00ea6f97

General

Target

4a2b08708e7619550eefdfa23c06d079abe4277ef159152f2cb1b9aa00ea6f97.exe
Size

1.2MB
MD5

3e08508a662892184dde6f0be1c2c8a4
SHA1

73aab66b7bc7ead71999b99c0a3575dcf38fc752
SHA256

4a2b08708e7619550eefdfa23c06d079abe4277ef159152f2cb1b9aa00ea6f97
SHA512

c38239f62e500d2b59b583c3a6dfa821206c1501a10d732c1b052c512b3d296e1397328d3f30401e0ac794ab2c65727a85364ce43523a38450ae82725b6cb3e8

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

Processes:

4a2b08708e7619550eefdfa23c06d079abe4277ef159152f2cb1b9aa00ea6f97.exe

description	pid	process	target process
PID 4652 set thread context of 3492	4652	4a2b08708e7619550eefdfa23c06d079abe4277ef159152f2cb1b9aa00ea6f97.exe	4a2b08708e7619550eefdfa23c06d079abe4277ef159152f2cb1b9aa00ea6f97.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

316 powershell.exe
316 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 316 powershell.exe

pid	process
316	powershell.exe
316	powershell.exe

description	pid	process
Token: SeDebugPrivilege	316	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

4a2b08708e7619550eefdfa23c06d079abe4277ef159152f2cb1b9aa00ea6f97.exe4a2b08708e7619550eefdfa23c06d079abe4277ef159152f2cb1b9aa00ea6f97.execmd.exe

description	pid	process	target process
PID 4652 wrote to memory of 3492	4652	4a2b08708e7619550eefdfa23c06d079abe4277ef159152f2cb1b9aa00ea6f97.exe	4a2b08708e7619550eefdfa23c06d079abe4277ef159152f2cb1b9aa00ea6f97.exe
PID 4652 wrote to memory of 3492	4652	4a2b08708e7619550eefdfa23c06d079abe4277ef159152f2cb1b9aa00ea6f97.exe	4a2b08708e7619550eefdfa23c06d079abe4277ef159152f2cb1b9aa00ea6f97.exe
PID 4652 wrote to memory of 3492	4652	4a2b08708e7619550eefdfa23c06d079abe4277ef159152f2cb1b9aa00ea6f97.exe	4a2b08708e7619550eefdfa23c06d079abe4277ef159152f2cb1b9aa00ea6f97.exe
PID 4652 wrote to memory of 3492	4652	4a2b08708e7619550eefdfa23c06d079abe4277ef159152f2cb1b9aa00ea6f97.exe	4a2b08708e7619550eefdfa23c06d079abe4277ef159152f2cb1b9aa00ea6f97.exe
PID 4652 wrote to memory of 3492	4652	4a2b08708e7619550eefdfa23c06d079abe4277ef159152f2cb1b9aa00ea6f97.exe	4a2b08708e7619550eefdfa23c06d079abe4277ef159152f2cb1b9aa00ea6f97.exe
PID 4652 wrote to memory of 3492	4652	4a2b08708e7619550eefdfa23c06d079abe4277ef159152f2cb1b9aa00ea6f97.exe	4a2b08708e7619550eefdfa23c06d079abe4277ef159152f2cb1b9aa00ea6f97.exe
PID 4652 wrote to memory of 3492	4652	4a2b08708e7619550eefdfa23c06d079abe4277ef159152f2cb1b9aa00ea6f97.exe	4a2b08708e7619550eefdfa23c06d079abe4277ef159152f2cb1b9aa00ea6f97.exe
PID 4652 wrote to memory of 3492	4652	4a2b08708e7619550eefdfa23c06d079abe4277ef159152f2cb1b9aa00ea6f97.exe	4a2b08708e7619550eefdfa23c06d079abe4277ef159152f2cb1b9aa00ea6f97.exe
PID 3492 wrote to memory of 1708	3492	4a2b08708e7619550eefdfa23c06d079abe4277ef159152f2cb1b9aa00ea6f97.exe	cmd.exe
PID 3492 wrote to memory of 1708	3492	4a2b08708e7619550eefdfa23c06d079abe4277ef159152f2cb1b9aa00ea6f97.exe	cmd.exe
PID 3492 wrote to memory of 1708	3492	4a2b08708e7619550eefdfa23c06d079abe4277ef159152f2cb1b9aa00ea6f97.exe	cmd.exe
PID 1708 wrote to memory of 316	1708	cmd.exe	powershell.exe
PID 1708 wrote to memory of 316	1708	cmd.exe	powershell.exe
PID 1708 wrote to memory of 316	1708	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\4a2b08708e7619550eefdfa23c06d079abe4277ef159152f2cb1b9aa00ea6f97.exe
"C:\Users\Admin\AppData\Local\Temp\4a2b08708e7619550eefdfa23c06d079abe4277ef159152f2cb1b9aa00ea6f97.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4652

C:\Users\Admin\AppData\Local\Temp\4a2b08708e7619550eefdfa23c06d079abe4277ef159152f2cb1b9aa00ea6f97.exe
"C:\Users\Admin\AppData\Local\Temp\4a2b08708e7619550eefdfa23c06d079abe4277ef159152f2cb1b9aa00ea6f97.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3492

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\4a2b08708e7619550eefdfa23c06d079abe4277ef159152f2cb1b9aa00ea6f97.exe' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:1708

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\4a2b08708e7619550eefdfa23c06d079abe4277ef159152f2cb1b9aa00ea6f97.exe'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:316

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\4a2b08708e7619550eefdfa23c06d079abe4277ef159152f2cb1b9aa00ea6f97.exe.log
Filesize
617B

MD5
99e770c0d4043aa84ef3d3cbc7723c25

SHA1
19829c5c413fccba750a3357f938dfa94486acad

SHA256
33c7dd4c852dae6462c701337f8e0a8647602847ccaee656fa6f1149cccfb5d5

SHA512
ba521e2f57d7e1db19445201948caa7af6d953e1c1340228934888f8ec05b8984ad492122d0bf0550b5e679614d8a713ecf68f91916ffa6e5d8f75bf003aae39

Download Submit
memory/316-142-0x0000000004DF0000-0x0000000004E12000-memory.dmp

Filesize
136KB

Download
memory/316-143-0x0000000004E90000-0x0000000004EF6000-memory.dmp

Filesize
408KB

Download
memory/316-140-0x0000000000B60000-0x0000000000B96000-memory.dmp

Filesize
216KB

Download
memory/316-141-0x0000000005110000-0x0000000005738000-memory.dmp

Filesize
6.2MB

Download
memory/316-139-0x0000000000000000-mapping.dmp

Download
memory/316-147-0x0000000006F00000-0x0000000006F96000-memory.dmp

Filesize
600KB

Download
memory/316-146-0x00000000061B0000-0x00000000061CA000-memory.dmp

Filesize
104KB

Download
memory/316-148-0x0000000006280000-0x00000000062A2000-memory.dmp

Filesize
136KB

Download
memory/316-145-0x00000000072E0000-0x000000000795A000-memory.dmp

Filesize
6.5MB

Download
memory/316-144-0x0000000005CC0000-0x0000000005CDE000-memory.dmp

Filesize
120KB

Download
memory/1708-137-0x0000000000000000-mapping.dmp

Download
memory/3492-136-0x0000000006130000-0x00000000061C2000-memory.dmp

Filesize
584KB

Download
memory/3492-134-0x0000000000400000-0x00000000004FE000-memory.dmp

Filesize
1016KB

Download
memory/3492-133-0x0000000000000000-mapping.dmp

Download
memory/3492-135-0x0000000005740000-0x00000000057A6000-memory.dmp

Filesize
408KB

Download
memory/4652-130-0x0000000000020000-0x0000000000158000-memory.dmp

Filesize
1.2MB

Download
memory/4652-131-0x0000000004AA0000-0x0000000004B3C000-memory.dmp

Filesize
624KB

Download
memory/4652-132-0x00000000051B0000-0x0000000005754000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing