a1be9ca3d1ee2083aefe9b4e93fca9746d38de3d7b3383848375672f768d31ff

General

Target

doc07675720200626101857.exe
Size

930KB
MD5

243a515982e6eba872d6366ec71d63b6
SHA1

85b71070f258dce1b5f92ea4aaa117419f6b8828
SHA256

420da876f8efdf70da0ec0ccd1b7aaa09547b6868d5fc655c05b50eadf20c360
SHA512

cfaf4f25351c10962d143de38df4758d1359224975520bc1345d284ab62254b75e6115c1283b47331b312e0e624329f8c402235cb8682d9007419ad0b89122a4

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

Processes:

doc07675720200626101857.exe

description pid process target process

PID 1928 set thread context of 4316 1928 doc07675720200626101857.exe doc07675720200626101857.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

doc07675720200626101857.exepowershell.exe

pid process

1928 doc07675720200626101857.exe
1928 doc07675720200626101857.exe
1876 powershell.exe
1876 powershell.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

doc07675720200626101857.exe

pid process

1928 doc07675720200626101857.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1876 powershell.exe

description	pid	process	target process
PID 1928 set thread context of 4316	1928	doc07675720200626101857.exe	doc07675720200626101857.exe

pid	process
1928	doc07675720200626101857.exe
1928	doc07675720200626101857.exe
1876	powershell.exe
1876	powershell.exe

pid	process
1928	doc07675720200626101857.exe

description	pid	process
Token: SeDebugPrivilege	1876	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

doc07675720200626101857.exedoc07675720200626101857.execmd.exe

description	pid	process	target process
PID 1928 wrote to memory of 4316	1928	doc07675720200626101857.exe	doc07675720200626101857.exe
PID 1928 wrote to memory of 4316	1928	doc07675720200626101857.exe	doc07675720200626101857.exe
PID 1928 wrote to memory of 4316	1928	doc07675720200626101857.exe	doc07675720200626101857.exe
PID 4316 wrote to memory of 4136	4316	doc07675720200626101857.exe	cmd.exe
PID 4316 wrote to memory of 4136	4316	doc07675720200626101857.exe	cmd.exe
PID 4316 wrote to memory of 4136	4316	doc07675720200626101857.exe	cmd.exe
PID 4136 wrote to memory of 1876	4136	cmd.exe	powershell.exe
PID 4136 wrote to memory of 1876	4136	cmd.exe	powershell.exe
PID 4136 wrote to memory of 1876	4136	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\doc07675720200626101857.exe
"C:\Users\Admin\AppData\Local\Temp\doc07675720200626101857.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1928

C:\Users\Admin\AppData\Local\Temp\doc07675720200626101857.exe
"C:\Users\Admin\AppData\Local\Temp\doc07675720200626101857.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4316

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\doc07675720200626101857.exe' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:4136

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\doc07675720200626101857.exe'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1876

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1876-141-0x0000000005B00000-0x0000000006128000-memory.dmp

Filesize
6.2MB

Download
memory/1876-148-0x0000000006EB0000-0x0000000006ED2000-memory.dmp

Filesize
136KB

Download
memory/1876-147-0x0000000007B70000-0x0000000007C06000-memory.dmp

Filesize
600KB

Download
memory/1876-146-0x0000000006DD0000-0x0000000006DEA000-memory.dmp

Filesize
104KB

Download
memory/1876-145-0x0000000007F50000-0x00000000085CA000-memory.dmp

Filesize
6.5MB

Download
memory/1876-144-0x00000000068F0000-0x000000000690E000-memory.dmp

Filesize
120KB

Download
memory/1876-143-0x00000000059D0000-0x0000000005A36000-memory.dmp

Filesize
408KB

Download
memory/1876-142-0x0000000005930000-0x0000000005952000-memory.dmp

Filesize
136KB

Download
memory/1876-139-0x0000000000000000-mapping.dmp

Download
memory/1876-140-0x0000000005320000-0x0000000005356000-memory.dmp

Filesize
216KB

Download
memory/1928-130-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/4136-138-0x0000000000000000-mapping.dmp

Download
memory/4316-137-0x0000000005610000-0x00000000056A2000-memory.dmp

Filesize
584KB

Download
memory/4316-136-0x0000000005250000-0x00000000052B6000-memory.dmp

Filesize
408KB

Download
memory/4316-135-0x0000000004B80000-0x0000000004C1C000-memory.dmp

Filesize
624KB

Download
memory/4316-134-0x0000000004CA0000-0x0000000005244000-memory.dmp

Filesize
5.6MB

Download
memory/4316-133-0x0000000000C50000-0x0000000000CEA000-memory.dmp

Filesize
616KB

Download
memory/4316-132-0x0000000000C50000-0x0000000000CEA000-memory.dmp

Filesize
616KB

Download
memory/4316-131-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads