39c49f6d1d7636698f7b1da3f7528798ed4c72d4ba2fb836abfe36cb26b77a0d

General

Target

39c49f6d1d7636698f7b1da3f7528798ed4c72d4ba2fb836abfe36cb26b77a0d.exe
Size

124KB
MD5

d2e6d34475fcba320609b1eb58884525
SHA1

f5b6fe51750881f14dfe112c3fe6c90afedb7191
SHA256

39c49f6d1d7636698f7b1da3f7528798ed4c72d4ba2fb836abfe36cb26b77a0d
SHA512

3c5c61b971b98e7660467d53bb20e063789aadabeb005336b8144b4d87d9a4de08f39ea90ed598246f48494193ea9eb194b17c173e696621592d07244cd66568

Score

1^/10

Malware Config

Signatures

Discovers systems in the same network 1 TTPs 1 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exe

pid process

4568 net.exe
Runs net.exe

pid	process
4568	net.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

39c49f6d1d7636698f7b1da3f7528798ed4c72d4ba2fb836abfe36cb26b77a0d.exesvchost.exe

pid	process
2216	39c49f6d1d7636698f7b1da3f7528798ed4c72d4ba2fb836abfe36cb26b77a0d.exe
2216	39c49f6d1d7636698f7b1da3f7528798ed4c72d4ba2fb836abfe36cb26b77a0d.exe
2216	39c49f6d1d7636698f7b1da3f7528798ed4c72d4ba2fb836abfe36cb26b77a0d.exe
2216	39c49f6d1d7636698f7b1da3f7528798ed4c72d4ba2fb836abfe36cb26b77a0d.exe
2964	svchost.exe
2964	svchost.exe
2964	svchost.exe
2964	svchost.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

Processes:

whoami.exe

description	pid	process
Token: SeDebugPrivilege	5088	whoami.exe
Token: SeDebugPrivilege	5088	whoami.exe
Token: SeDebugPrivilege	5088	whoami.exe
Token: SeDebugPrivilege	5088	whoami.exe
Token: SeDebugPrivilege	5088	whoami.exe
Token: SeDebugPrivilege	5088	whoami.exe
Token: SeDebugPrivilege	5088	whoami.exe
Token: SeDebugPrivilege	5088	whoami.exe
Token: SeDebugPrivilege	5088	whoami.exe
Token: SeDebugPrivilege	5088	whoami.exe
Token: SeDebugPrivilege	5088	whoami.exe
Token: SeDebugPrivilege	5088	whoami.exe
Token: SeDebugPrivilege	5088	whoami.exe
Token: SeDebugPrivilege	5088	whoami.exe
Token: SeDebugPrivilege	5088	whoami.exe
Token: SeDebugPrivilege	5088	whoami.exe
Token: SeDebugPrivilege	5088	whoami.exe
Token: SeDebugPrivilege	5088	whoami.exe
Token: SeDebugPrivilege	5088	whoami.exe
Token: SeDebugPrivilege	5088	whoami.exe
Token: SeDebugPrivilege	5088	whoami.exe
Token: SeDebugPrivilege	5088	whoami.exe
Token: SeDebugPrivilege	5088	whoami.exe
Token: SeDebugPrivilege	5088	whoami.exe
Token: SeDebugPrivilege	5088	whoami.exe
Token: SeDebugPrivilege	5088	whoami.exe
Token: SeDebugPrivilege	5088	whoami.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

39c49f6d1d7636698f7b1da3f7528798ed4c72d4ba2fb836abfe36cb26b77a0d.exesvchost.exe

description	pid	process	target process
PID 2216 wrote to memory of 2964	2216	39c49f6d1d7636698f7b1da3f7528798ed4c72d4ba2fb836abfe36cb26b77a0d.exe	svchost.exe
PID 2216 wrote to memory of 2964	2216	39c49f6d1d7636698f7b1da3f7528798ed4c72d4ba2fb836abfe36cb26b77a0d.exe	svchost.exe
PID 2216 wrote to memory of 2964	2216	39c49f6d1d7636698f7b1da3f7528798ed4c72d4ba2fb836abfe36cb26b77a0d.exe	svchost.exe
PID 2216 wrote to memory of 2964	2216	39c49f6d1d7636698f7b1da3f7528798ed4c72d4ba2fb836abfe36cb26b77a0d.exe	svchost.exe
PID 2964 wrote to memory of 5088	2964	svchost.exe	whoami.exe
PID 2964 wrote to memory of 5088	2964	svchost.exe	whoami.exe
PID 2964 wrote to memory of 5088	2964	svchost.exe	whoami.exe
PID 2964 wrote to memory of 4568	2964	svchost.exe	net.exe
PID 2964 wrote to memory of 4568	2964	svchost.exe	net.exe
PID 2964 wrote to memory of 4568	2964	svchost.exe	net.exe

C:\Users\Admin\AppData\Local\Temp\39c49f6d1d7636698f7b1da3f7528798ed4c72d4ba2fb836abfe36cb26b77a0d.exe
"C:\Users\Admin\AppData\Local\Temp\39c49f6d1d7636698f7b1da3f7528798ed4c72d4ba2fb836abfe36cb26b77a0d.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe "C:\Users\Admin\AppData\Local\Temp\39c49f6d1d7636698f7b1da3f7528798ed4c72d4ba2fb836abfe36cb26b77a0d.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Windows\SysWOW64\whoami.exe
    C:\Windows\system32\whoami.exe /all
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5088
- - C:\Windows\SysWOW64\net.exe
    C:\Windows\system32\net.exe view
    3⤵
    - Discovers systems in the same network
    PID:4568

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2216-130-0x0000000000600000-0x0000000000620000-memory.dmp

Filesize
128KB

Download
memory/2216-133-0x00000000017C0000-0x00000000017C6000-memory.dmp

Filesize
24KB

Download
memory/2964-132-0x0000000000000000-mapping.dmp

Download
memory/2964-135-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2964-136-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2964-137-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2964-134-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2964-138-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2964-139-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2964-145-0x00000000026F0000-0x00000000026F6000-memory.dmp

Filesize
24KB

Download
memory/4568-146-0x0000000000000000-mapping.dmp

Download
memory/5088-144-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads