550615c0ae5984a323c65110142b7730c87cd0b4bdc6ff13052983ba8a6ec7ff

General

Target

550615c0ae5984a323c65110142b7730c87cd0b4bdc6ff13052983ba8a6ec7ff.exe
Size

905KB
MD5

060cbc77c20d140b7ad9f90fd58d45c3
SHA1

f39d0f1ecb50884c69e81b2fd8f66c4b1d5c5cf4
SHA256

550615c0ae5984a323c65110142b7730c87cd0b4bdc6ff13052983ba8a6ec7ff
SHA512

525b3beb849c77b132eb77ea1424605b48d5406a5f93a7f10a13b7837e8c7f363ecca7a7b71169114386679a4dc98077a372461dbf43e062c56e116b4f350fe1

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

Processes:

550615c0ae5984a323c65110142b7730c87cd0b4bdc6ff13052983ba8a6ec7ff.exe

description	pid	process	target process
PID 2160 set thread context of 1308	2160	550615c0ae5984a323c65110142b7730c87cd0b4bdc6ff13052983ba8a6ec7ff.exe	550615c0ae5984a323c65110142b7730c87cd0b4bdc6ff13052983ba8a6ec7ff.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

550615c0ae5984a323c65110142b7730c87cd0b4bdc6ff13052983ba8a6ec7ff.exepowershell.exe

pid	process
2160	550615c0ae5984a323c65110142b7730c87cd0b4bdc6ff13052983ba8a6ec7ff.exe
2160	550615c0ae5984a323c65110142b7730c87cd0b4bdc6ff13052983ba8a6ec7ff.exe
1456	powershell.exe
1456	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

550615c0ae5984a323c65110142b7730c87cd0b4bdc6ff13052983ba8a6ec7ff.exe550615c0ae5984a323c65110142b7730c87cd0b4bdc6ff13052983ba8a6ec7ff.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2160	550615c0ae5984a323c65110142b7730c87cd0b4bdc6ff13052983ba8a6ec7ff.exe
Token: SeDebugPrivilege	1308	550615c0ae5984a323c65110142b7730c87cd0b4bdc6ff13052983ba8a6ec7ff.exe
Token: SeDebugPrivilege	1456	powershell.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

550615c0ae5984a323c65110142b7730c87cd0b4bdc6ff13052983ba8a6ec7ff.exe550615c0ae5984a323c65110142b7730c87cd0b4bdc6ff13052983ba8a6ec7ff.execmd.exe

C:\Users\Admin\AppData\Local\Temp\550615c0ae5984a323c65110142b7730c87cd0b4bdc6ff13052983ba8a6ec7ff.exe
"C:\Users\Admin\AppData\Local\Temp\550615c0ae5984a323c65110142b7730c87cd0b4bdc6ff13052983ba8a6ec7ff.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2160

C:\Users\Admin\AppData\Local\Temp\550615c0ae5984a323c65110142b7730c87cd0b4bdc6ff13052983ba8a6ec7ff.exe
"{path}"
2⤵
PID:1556

C:\Users\Admin\AppData\Local\Temp\550615c0ae5984a323c65110142b7730c87cd0b4bdc6ff13052983ba8a6ec7ff.exe
"{path}"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1308

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\550615c0ae5984a323c65110142b7730c87cd0b4bdc6ff13052983ba8a6ec7ff.exe' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:3860

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\550615c0ae5984a323c65110142b7730c87cd0b4bdc6ff13052983ba8a6ec7ff.exe'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1456

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\550615c0ae5984a323c65110142b7730c87cd0b4bdc6ff13052983ba8a6ec7ff.exe.log
Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
memory/1308-184-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1308-146-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1308-140-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1308-186-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1308-142-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1308-144-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1308-136-0x0000000000000000-mapping.dmp

Download
memory/1308-148-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1308-150-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1308-152-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1308-154-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1308-156-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1308-158-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1308-160-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1308-162-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1308-164-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1308-166-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1308-168-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1308-182-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1308-172-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1308-174-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1308-176-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1308-178-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1308-180-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1308-170-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1308-137-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1308-647-0x00000000051D0000-0x0000000005236000-memory.dmp

Filesize
408KB

Download
memory/1308-188-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1308-190-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1308-192-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1308-194-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1308-196-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1308-198-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1308-200-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1456-653-0x0000000005590000-0x00000000055F6000-memory.dmp

Filesize
408KB

Download
memory/1456-650-0x0000000002360000-0x0000000002396000-memory.dmp

Filesize
216KB

Download
memory/1456-651-0x0000000004E30000-0x0000000005458000-memory.dmp

Filesize
6.2MB

Download
memory/1456-649-0x0000000000000000-mapping.dmp

Download
memory/1456-657-0x0000000006ED0000-0x0000000006F66000-memory.dmp

Filesize
600KB

Download
memory/1456-656-0x0000000006140000-0x000000000615A000-memory.dmp

Filesize
104KB

Download
memory/1456-658-0x0000000006210000-0x0000000006232000-memory.dmp

Filesize
136KB

Download
memory/1456-655-0x00000000074B0000-0x0000000007B2A000-memory.dmp

Filesize
6.5MB

Download
memory/1456-654-0x0000000005C60000-0x0000000005C7E000-memory.dmp

Filesize
120KB

Download
memory/1456-652-0x0000000004D90000-0x0000000004DB2000-memory.dmp

Filesize
136KB

Download
memory/1556-135-0x0000000000000000-mapping.dmp

Download
memory/2160-133-0x0000000007450000-0x000000000745A000-memory.dmp

Filesize
40KB

Download
memory/2160-131-0x0000000007990000-0x0000000007F34000-memory.dmp

Filesize
5.6MB

Download
memory/2160-130-0x00000000004E0000-0x00000000005C8000-memory.dmp

Filesize
928KB

Download
memory/2160-134-0x000000000B100000-0x000000000B19C000-memory.dmp

Filesize
624KB

Download
memory/2160-132-0x0000000007480000-0x0000000007512000-memory.dmp

Filesize
584KB

Download
memory/3860-648-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 2160 wrote to memory of 1556	2160	550615c0ae5984a323c65110142b7730c87cd0b4bdc6ff13052983ba8a6ec7ff.exe	550615c0ae5984a323c65110142b7730c87cd0b4bdc6ff13052983ba8a6ec7ff.exe
PID 2160 wrote to memory of 1556	2160	550615c0ae5984a323c65110142b7730c87cd0b4bdc6ff13052983ba8a6ec7ff.exe	550615c0ae5984a323c65110142b7730c87cd0b4bdc6ff13052983ba8a6ec7ff.exe
PID 2160 wrote to memory of 1556	2160	550615c0ae5984a323c65110142b7730c87cd0b4bdc6ff13052983ba8a6ec7ff.exe	550615c0ae5984a323c65110142b7730c87cd0b4bdc6ff13052983ba8a6ec7ff.exe
PID 2160 wrote to memory of 1308	2160	550615c0ae5984a323c65110142b7730c87cd0b4bdc6ff13052983ba8a6ec7ff.exe	550615c0ae5984a323c65110142b7730c87cd0b4bdc6ff13052983ba8a6ec7ff.exe
PID 2160 wrote to memory of 1308	2160	550615c0ae5984a323c65110142b7730c87cd0b4bdc6ff13052983ba8a6ec7ff.exe	550615c0ae5984a323c65110142b7730c87cd0b4bdc6ff13052983ba8a6ec7ff.exe
PID 2160 wrote to memory of 1308	2160	550615c0ae5984a323c65110142b7730c87cd0b4bdc6ff13052983ba8a6ec7ff.exe	550615c0ae5984a323c65110142b7730c87cd0b4bdc6ff13052983ba8a6ec7ff.exe
PID 2160 wrote to memory of 1308	2160	550615c0ae5984a323c65110142b7730c87cd0b4bdc6ff13052983ba8a6ec7ff.exe	550615c0ae5984a323c65110142b7730c87cd0b4bdc6ff13052983ba8a6ec7ff.exe
PID 2160 wrote to memory of 1308	2160	550615c0ae5984a323c65110142b7730c87cd0b4bdc6ff13052983ba8a6ec7ff.exe	550615c0ae5984a323c65110142b7730c87cd0b4bdc6ff13052983ba8a6ec7ff.exe
PID 2160 wrote to memory of 1308	2160	550615c0ae5984a323c65110142b7730c87cd0b4bdc6ff13052983ba8a6ec7ff.exe	550615c0ae5984a323c65110142b7730c87cd0b4bdc6ff13052983ba8a6ec7ff.exe
PID 2160 wrote to memory of 1308	2160	550615c0ae5984a323c65110142b7730c87cd0b4bdc6ff13052983ba8a6ec7ff.exe	550615c0ae5984a323c65110142b7730c87cd0b4bdc6ff13052983ba8a6ec7ff.exe
PID 2160 wrote to memory of 1308	2160	550615c0ae5984a323c65110142b7730c87cd0b4bdc6ff13052983ba8a6ec7ff.exe	550615c0ae5984a323c65110142b7730c87cd0b4bdc6ff13052983ba8a6ec7ff.exe
PID 1308 wrote to memory of 3860	1308	550615c0ae5984a323c65110142b7730c87cd0b4bdc6ff13052983ba8a6ec7ff.exe	cmd.exe
PID 1308 wrote to memory of 3860	1308	550615c0ae5984a323c65110142b7730c87cd0b4bdc6ff13052983ba8a6ec7ff.exe	cmd.exe
PID 1308 wrote to memory of 3860	1308	550615c0ae5984a323c65110142b7730c87cd0b4bdc6ff13052983ba8a6ec7ff.exe	cmd.exe
PID 3860 wrote to memory of 1456	3860	cmd.exe	powershell.exe
PID 3860 wrote to memory of 1456	3860	cmd.exe	powershell.exe
PID 3860 wrote to memory of 1456	3860	cmd.exe	powershell.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads