40396e0b47a75f9c6c49a7b1b0d4b71b4999c1ffbfc6c4053e7d5606de75169b

General

Target

40396e0b47a75f9c6c49a7b1b0d4b71b4999c1ffbfc6c4053e7d5606de75169b.exe
Size

673KB
MD5

f4f631e39cbe07cd2c95f0095b50fb3d
SHA1

b4921da5ae410b94e6c1c5087f0635a001875821
SHA256

40396e0b47a75f9c6c49a7b1b0d4b71b4999c1ffbfc6c4053e7d5606de75169b
SHA512

a76d6809ab4d798a12a55d260fc74cc2259aea73ae33137fc15c09e2064ffeb644d45115e4bce724110ae480b12bda6ff2643ca6ccc494039560c17adaae38c8

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

Processes:

40396e0b47a75f9c6c49a7b1b0d4b71b4999c1ffbfc6c4053e7d5606de75169b.exe

description	pid	process	target process
PID 4068 set thread context of 4284	4068	40396e0b47a75f9c6c49a7b1b0d4b71b4999c1ffbfc6c4053e7d5606de75169b.exe	40396e0b47a75f9c6c49a7b1b0d4b71b4999c1ffbfc6c4053e7d5606de75169b.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

4304 powershell.exe
4304 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 4304 powershell.exe

pid	process
4304	powershell.exe
4304	powershell.exe

description	pid	process
Token: SeDebugPrivilege	4304	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

40396e0b47a75f9c6c49a7b1b0d4b71b4999c1ffbfc6c4053e7d5606de75169b.exe40396e0b47a75f9c6c49a7b1b0d4b71b4999c1ffbfc6c4053e7d5606de75169b.execmd.exe

description	pid	process	target process
PID 4068 wrote to memory of 4284	4068	40396e0b47a75f9c6c49a7b1b0d4b71b4999c1ffbfc6c4053e7d5606de75169b.exe	40396e0b47a75f9c6c49a7b1b0d4b71b4999c1ffbfc6c4053e7d5606de75169b.exe
PID 4068 wrote to memory of 4284	4068	40396e0b47a75f9c6c49a7b1b0d4b71b4999c1ffbfc6c4053e7d5606de75169b.exe	40396e0b47a75f9c6c49a7b1b0d4b71b4999c1ffbfc6c4053e7d5606de75169b.exe
PID 4068 wrote to memory of 4284	4068	40396e0b47a75f9c6c49a7b1b0d4b71b4999c1ffbfc6c4053e7d5606de75169b.exe	40396e0b47a75f9c6c49a7b1b0d4b71b4999c1ffbfc6c4053e7d5606de75169b.exe
PID 4068 wrote to memory of 4284	4068	40396e0b47a75f9c6c49a7b1b0d4b71b4999c1ffbfc6c4053e7d5606de75169b.exe	40396e0b47a75f9c6c49a7b1b0d4b71b4999c1ffbfc6c4053e7d5606de75169b.exe
PID 4068 wrote to memory of 4284	4068	40396e0b47a75f9c6c49a7b1b0d4b71b4999c1ffbfc6c4053e7d5606de75169b.exe	40396e0b47a75f9c6c49a7b1b0d4b71b4999c1ffbfc6c4053e7d5606de75169b.exe
PID 4068 wrote to memory of 4284	4068	40396e0b47a75f9c6c49a7b1b0d4b71b4999c1ffbfc6c4053e7d5606de75169b.exe	40396e0b47a75f9c6c49a7b1b0d4b71b4999c1ffbfc6c4053e7d5606de75169b.exe
PID 4068 wrote to memory of 4284	4068	40396e0b47a75f9c6c49a7b1b0d4b71b4999c1ffbfc6c4053e7d5606de75169b.exe	40396e0b47a75f9c6c49a7b1b0d4b71b4999c1ffbfc6c4053e7d5606de75169b.exe
PID 4068 wrote to memory of 4284	4068	40396e0b47a75f9c6c49a7b1b0d4b71b4999c1ffbfc6c4053e7d5606de75169b.exe	40396e0b47a75f9c6c49a7b1b0d4b71b4999c1ffbfc6c4053e7d5606de75169b.exe
PID 4284 wrote to memory of 2268	4284	40396e0b47a75f9c6c49a7b1b0d4b71b4999c1ffbfc6c4053e7d5606de75169b.exe	cmd.exe
PID 4284 wrote to memory of 2268	4284	40396e0b47a75f9c6c49a7b1b0d4b71b4999c1ffbfc6c4053e7d5606de75169b.exe	cmd.exe
PID 4284 wrote to memory of 2268	4284	40396e0b47a75f9c6c49a7b1b0d4b71b4999c1ffbfc6c4053e7d5606de75169b.exe	cmd.exe
PID 2268 wrote to memory of 4304	2268	cmd.exe	powershell.exe
PID 2268 wrote to memory of 4304	2268	cmd.exe	powershell.exe
PID 2268 wrote to memory of 4304	2268	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\40396e0b47a75f9c6c49a7b1b0d4b71b4999c1ffbfc6c4053e7d5606de75169b.exe
"C:\Users\Admin\AppData\Local\Temp\40396e0b47a75f9c6c49a7b1b0d4b71b4999c1ffbfc6c4053e7d5606de75169b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4068

C:\Users\Admin\AppData\Local\Temp\40396e0b47a75f9c6c49a7b1b0d4b71b4999c1ffbfc6c4053e7d5606de75169b.exe
"C:\Users\Admin\AppData\Local\Temp\40396e0b47a75f9c6c49a7b1b0d4b71b4999c1ffbfc6c4053e7d5606de75169b.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4284

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\40396e0b47a75f9c6c49a7b1b0d4b71b4999c1ffbfc6c4053e7d5606de75169b.exe' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:2268

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\40396e0b47a75f9c6c49a7b1b0d4b71b4999c1ffbfc6c4053e7d5606de75169b.exe'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4304

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\40396e0b47a75f9c6c49a7b1b0d4b71b4999c1ffbfc6c4053e7d5606de75169b.exe.log
Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
memory/2268-139-0x0000000000000000-mapping.dmp

Download
memory/4068-130-0x0000000000410000-0x00000000004BE000-memory.dmp

Filesize
696KB

Download
memory/4068-131-0x0000000005350000-0x00000000058F4000-memory.dmp

Filesize
5.6MB

Download
memory/4068-132-0x0000000004E80000-0x0000000004F12000-memory.dmp

Filesize
584KB

Download
memory/4068-133-0x0000000005010000-0x000000000501A000-memory.dmp

Filesize
40KB

Download
memory/4068-134-0x0000000007830000-0x00000000078CC000-memory.dmp

Filesize
624KB

Download
memory/4284-135-0x0000000000000000-mapping.dmp

Download
memory/4284-136-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4284-138-0x0000000005290000-0x00000000052F6000-memory.dmp

Filesize
408KB

Download
memory/4304-140-0x0000000000000000-mapping.dmp

Download
memory/4304-141-0x00000000027D0000-0x0000000002806000-memory.dmp

Filesize
216KB

Download
memory/4304-142-0x0000000005270000-0x0000000005898000-memory.dmp

Filesize
6.2MB

Download
memory/4304-143-0x00000000058A0000-0x00000000058C2000-memory.dmp

Filesize
136KB

Download
memory/4304-144-0x0000000005A00000-0x0000000005A66000-memory.dmp

Filesize
408KB

Download
memory/4304-145-0x0000000006100000-0x000000000611E000-memory.dmp

Filesize
120KB

Download
memory/4304-147-0x00000000065E0000-0x00000000065FA000-memory.dmp

Filesize
104KB

Download
memory/4304-146-0x0000000007950000-0x0000000007FCA000-memory.dmp

Filesize
6.5MB

Download
memory/4304-149-0x00000000066F0000-0x0000000006712000-memory.dmp

Filesize
136KB

Download
memory/4304-148-0x0000000007370000-0x0000000007406000-memory.dmp

Filesize
600KB

Download

Analysis

Sharing