39c49f6d1d7636698f7b1da3f7528798ed4c72d4ba2fb836abfe36cb26b77a0d

General

Target

39c49f6d1d7636698f7b1da3f7528798ed4c72d4ba2fb836abfe36cb26b77a0d.exe
Size

124KB
MD5

d2e6d34475fcba320609b1eb58884525
SHA1

f5b6fe51750881f14dfe112c3fe6c90afedb7191
SHA256

39c49f6d1d7636698f7b1da3f7528798ed4c72d4ba2fb836abfe36cb26b77a0d
SHA512

3c5c61b971b98e7660467d53bb20e063789aadabeb005336b8144b4d87d9a4de08f39ea90ed598246f48494193ea9eb194b17c173e696621592d07244cd66568

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

svchost.exe

pid process

1604 svchost.exe
Discovers systems in the same network 1 TTPs 1 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exe

pid process

1644 net.exe
Runs net.exe

pid	process
1604	svchost.exe

pid	process
1644	net.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

39c49f6d1d7636698f7b1da3f7528798ed4c72d4ba2fb836abfe36cb26b77a0d.exesvchost.exe

pid	process
1360	39c49f6d1d7636698f7b1da3f7528798ed4c72d4ba2fb836abfe36cb26b77a0d.exe
1360	39c49f6d1d7636698f7b1da3f7528798ed4c72d4ba2fb836abfe36cb26b77a0d.exe
1604	svchost.exe
1604	svchost.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

whoami.exe

description	pid	process
Token: SeDebugPrivilege	1020	whoami.exe
Token: SeDebugPrivilege	1020	whoami.exe
Token: SeDebugPrivilege	1020	whoami.exe
Token: SeDebugPrivilege	1020	whoami.exe
Token: SeDebugPrivilege	1020	whoami.exe
Token: SeDebugPrivilege	1020	whoami.exe
Token: SeDebugPrivilege	1020	whoami.exe
Token: SeDebugPrivilege	1020	whoami.exe
Token: SeDebugPrivilege	1020	whoami.exe
Token: SeDebugPrivilege	1020	whoami.exe
Token: SeDebugPrivilege	1020	whoami.exe
Token: SeDebugPrivilege	1020	whoami.exe
Token: SeDebugPrivilege	1020	whoami.exe
Token: SeDebugPrivilege	1020	whoami.exe
Token: SeDebugPrivilege	1020	whoami.exe
Token: SeDebugPrivilege	1020	whoami.exe
Token: SeDebugPrivilege	1020	whoami.exe
Token: SeDebugPrivilege	1020	whoami.exe
Token: SeDebugPrivilege	1020	whoami.exe
Token: SeDebugPrivilege	1020	whoami.exe
Token: SeDebugPrivilege	1020	whoami.exe
Token: SeDebugPrivilege	1020	whoami.exe
Token: SeDebugPrivilege	1020	whoami.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

39c49f6d1d7636698f7b1da3f7528798ed4c72d4ba2fb836abfe36cb26b77a0d.exesvchost.exe

description	pid	process	target process
PID 1360 wrote to memory of 1604	1360	39c49f6d1d7636698f7b1da3f7528798ed4c72d4ba2fb836abfe36cb26b77a0d.exe	svchost.exe
PID 1360 wrote to memory of 1604	1360	39c49f6d1d7636698f7b1da3f7528798ed4c72d4ba2fb836abfe36cb26b77a0d.exe	svchost.exe
PID 1360 wrote to memory of 1604	1360	39c49f6d1d7636698f7b1da3f7528798ed4c72d4ba2fb836abfe36cb26b77a0d.exe	svchost.exe
PID 1360 wrote to memory of 1604	1360	39c49f6d1d7636698f7b1da3f7528798ed4c72d4ba2fb836abfe36cb26b77a0d.exe	svchost.exe
PID 1360 wrote to memory of 1604	1360	39c49f6d1d7636698f7b1da3f7528798ed4c72d4ba2fb836abfe36cb26b77a0d.exe	svchost.exe
PID 1604 wrote to memory of 1020	1604	svchost.exe	whoami.exe
PID 1604 wrote to memory of 1020	1604	svchost.exe	whoami.exe
PID 1604 wrote to memory of 1020	1604	svchost.exe	whoami.exe
PID 1604 wrote to memory of 1020	1604	svchost.exe	whoami.exe
PID 1604 wrote to memory of 1644	1604	svchost.exe	net.exe
PID 1604 wrote to memory of 1644	1604	svchost.exe	net.exe
PID 1604 wrote to memory of 1644	1604	svchost.exe	net.exe
PID 1604 wrote to memory of 1644	1604	svchost.exe	net.exe

C:\Users\Admin\AppData\Local\Temp\39c49f6d1d7636698f7b1da3f7528798ed4c72d4ba2fb836abfe36cb26b77a0d.exe
"C:\Users\Admin\AppData\Local\Temp\39c49f6d1d7636698f7b1da3f7528798ed4c72d4ba2fb836abfe36cb26b77a0d.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1360
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe "C:\Users\Admin\AppData\Local\Temp\39c49f6d1d7636698f7b1da3f7528798ed4c72d4ba2fb836abfe36cb26b77a0d.exe"
  2⤵
  - Deletes itself
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1604
- - C:\Windows\SysWOW64\whoami.exe
    C:\Windows\system32\whoami.exe /all
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1020
- - C:\Windows\SysWOW64\net.exe
    C:\Windows\system32\net.exe view
    3⤵
    - Discovers systems in the same network
    PID:1644

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1020-71-0x0000000000000000-mapping.dmp

Download
memory/1360-54-0x0000000076011000-0x0000000076013000-memory.dmp

Filesize
8KB

Download
memory/1360-55-0x00000000009F0000-0x0000000000A10000-memory.dmp

Filesize
128KB

Download
memory/1360-58-0x0000000000130000-0x0000000000136000-memory.dmp

Filesize
24KB

Download
memory/1604-65-0x0000000000180000-0x00000000001A0000-memory.dmp

Filesize
128KB

Download
memory/1604-64-0x0000000000180000-0x00000000001A0000-memory.dmp

Filesize
128KB

Download
memory/1604-62-0x0000000000180000-0x00000000001A0000-memory.dmp

Filesize
128KB

Download
memory/1604-63-0x0000000000180000-0x00000000001A0000-memory.dmp

Filesize
128KB

Download
memory/1604-61-0x0000000000180000-0x00000000001A0000-memory.dmp

Filesize
128KB

Download
memory/1604-60-0x0000000000180000-0x00000000001A0000-memory.dmp

Filesize
128KB

Download
memory/1604-70-0x00000000001F0000-0x00000000001F6000-memory.dmp

Filesize
24KB

Download
memory/1604-57-0x0000000000000000-mapping.dmp

Download
memory/1644-72-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads