3a47baed5678bc0b96f23641c4bd0ca1585f393979b7dd3072aad6fe03c2a433

Analysis

max time kernel
127s
max time network
179s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
24-05-2022 23:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a47baed5678bc0b96f23641c4bd0ca1585f393979b7dd3072aad6fe03c2a433.exe
Size

1.4MB
MD5

821769527b184bdc553c49a114feae97
SHA1

7363adbd9290aaf84ebbf2dd1a5c0f1b13a01e7c
SHA256

3a47baed5678bc0b96f23641c4bd0ca1585f393979b7dd3072aad6fe03c2a433
SHA512

d660960cca6102686618554197cb9b1f50657f5acff35dbc2fe42a0f05f787ca46d6c1dd27ed158b612d241da54c442c692c0fa39901fd921753fc47b943b992

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1196 set thread context of 540	1196	3a47baed5678bc0b96f23641c4bd0ca1585f393979b7dd3072aad6fe03c2a433.exe	87

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1196	3a47baed5678bc0b96f23641c4bd0ca1585f393979b7dd3072aad6fe03c2a433.exe
1196	3a47baed5678bc0b96f23641c4bd0ca1585f393979b7dd3072aad6fe03c2a433.exe
1196	3a47baed5678bc0b96f23641c4bd0ca1585f393979b7dd3072aad6fe03c2a433.exe
1116	powershell.exe
1116	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1196	3a47baed5678bc0b96f23641c4bd0ca1585f393979b7dd3072aad6fe03c2a433.exe
Token: SeDebugPrivilege	540	3a47baed5678bc0b96f23641c4bd0ca1585f393979b7dd3072aad6fe03c2a433.exe
Token: SeDebugPrivilege	1116	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1196 wrote to memory of 540	1196	3a47baed5678bc0b96f23641c4bd0ca1585f393979b7dd3072aad6fe03c2a433.exe	87
PID 1196 wrote to memory of 540	1196	3a47baed5678bc0b96f23641c4bd0ca1585f393979b7dd3072aad6fe03c2a433.exe	87
PID 1196 wrote to memory of 540	1196	3a47baed5678bc0b96f23641c4bd0ca1585f393979b7dd3072aad6fe03c2a433.exe	87
PID 1196 wrote to memory of 540	1196	3a47baed5678bc0b96f23641c4bd0ca1585f393979b7dd3072aad6fe03c2a433.exe	87
PID 1196 wrote to memory of 540	1196	3a47baed5678bc0b96f23641c4bd0ca1585f393979b7dd3072aad6fe03c2a433.exe	87
PID 1196 wrote to memory of 540	1196	3a47baed5678bc0b96f23641c4bd0ca1585f393979b7dd3072aad6fe03c2a433.exe	87
PID 1196 wrote to memory of 540	1196	3a47baed5678bc0b96f23641c4bd0ca1585f393979b7dd3072aad6fe03c2a433.exe	87
PID 1196 wrote to memory of 540	1196	3a47baed5678bc0b96f23641c4bd0ca1585f393979b7dd3072aad6fe03c2a433.exe	87
PID 540 wrote to memory of 1624	540	3a47baed5678bc0b96f23641c4bd0ca1585f393979b7dd3072aad6fe03c2a433.exe	89
PID 540 wrote to memory of 1624	540	3a47baed5678bc0b96f23641c4bd0ca1585f393979b7dd3072aad6fe03c2a433.exe	89
PID 540 wrote to memory of 1624	540	3a47baed5678bc0b96f23641c4bd0ca1585f393979b7dd3072aad6fe03c2a433.exe	89
PID 1624 wrote to memory of 1116	1624	cmd.exe	91
PID 1624 wrote to memory of 1116	1624	cmd.exe	91
PID 1624 wrote to memory of 1116	1624	cmd.exe	91

C:\Users\Admin\AppData\Local\Temp\3a47baed5678bc0b96f23641c4bd0ca1585f393979b7dd3072aad6fe03c2a433.exe
"C:\Users\Admin\AppData\Local\Temp\3a47baed5678bc0b96f23641c4bd0ca1585f393979b7dd3072aad6fe03c2a433.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1196
- C:\Users\Admin\AppData\Local\Temp\3a47baed5678bc0b96f23641c4bd0ca1585f393979b7dd3072aad6fe03c2a433.exe
  "C:\Users\Admin\AppData\Local\Temp\3a47baed5678bc0b96f23641c4bd0ca1585f393979b7dd3072aad6fe03c2a433.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:540
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\3a47baed5678bc0b96f23641c4bd0ca1585f393979b7dd3072aad6fe03c2a433.exe' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1624
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\3a47baed5678bc0b96f23641c4bd0ca1585f393979b7dd3072aad6fe03c2a433.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1116

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\3a47baed5678bc0b96f23641c4bd0ca1585f393979b7dd3072aad6fe03c2a433.exe.log

Filesize
1KB

MD5
71046d1530f298c0f55f880d0f30ea44

SHA1
b33ec4723e78d04d7f3cd34a372a7be90f17cc41

SHA256
cbaf7ccaf1640247cbcdd0190057e10bde45902d35ab2b88565af421faca34a7

SHA512
dceeeba0317ad00b20ddbc50887c7966278b4a2d8aafa42fd74c9c2c1528178e7c4164cb7fcd03552958088f2b34b38a834acf0ac97eb34273bc50135b8bb27d

Download Submit
memory/540-181-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/540-141-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/540-179-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/540-139-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/540-177-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/540-143-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/540-145-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/540-147-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/540-149-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/540-151-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/540-153-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/540-155-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/540-159-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/540-165-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/540-173-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/540-175-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/540-187-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/540-185-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/540-195-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/540-197-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/540-193-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/540-191-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/540-189-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/540-137-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/540-135-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/540-183-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/540-171-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/540-169-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/540-167-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/540-163-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/540-161-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/540-157-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/540-644-0x0000000005150000-0x00000000051EC000-memory.dmp

Filesize
624KB

Download
memory/540-645-0x0000000005D80000-0x0000000005DE6000-memory.dmp

Filesize
408KB

Download
memory/1116-653-0x00000000067F0000-0x000000000680E000-memory.dmp

Filesize
120KB

Download
memory/1116-657-0x00000000077C0000-0x00000000077E2000-memory.dmp

Filesize
136KB

Download
memory/1116-650-0x00000000059B0000-0x0000000005FD8000-memory.dmp

Filesize
6.2MB

Download
memory/1116-656-0x0000000007860000-0x00000000078F6000-memory.dmp

Filesize
600KB

Download
memory/1116-655-0x0000000006CF0000-0x0000000006D0A000-memory.dmp

Filesize
104KB

Download
memory/1116-654-0x0000000007E40000-0x00000000084BA000-memory.dmp

Filesize
6.5MB

Download
memory/1116-652-0x00000000058F0000-0x0000000005956000-memory.dmp

Filesize
408KB

Download
memory/1116-649-0x0000000005230000-0x0000000005266000-memory.dmp

Filesize
216KB

Download
memory/1116-651-0x0000000005850000-0x0000000005872000-memory.dmp

Filesize
136KB

Download
memory/1196-133-0x00000000071B0000-0x00000000071F4000-memory.dmp

Filesize
272KB

Download
memory/1196-131-0x0000000006300000-0x00000000068A4000-memory.dmp

Filesize
5.6MB

Download
memory/1196-130-0x0000000000A10000-0x0000000000B78000-memory.dmp

Filesize
1.4MB

Download
memory/1196-132-0x0000000005E40000-0x0000000005ED2000-memory.dmp

Filesize
584KB

Download