06d8b2fecf78c785a15181b34a74859e87fcec54dd231b13ea9fe79983ba9a95

General

Target

odeme.xl200.exe
Size

515KB
MD5

e57f53e16f57d9d28cb7c00e3e0c51f3
SHA1

abcd5179dd64504a12d4a854cde93826882e9b43
SHA256

06d8b2fecf78c785a15181b34a74859e87fcec54dd231b13ea9fe79983ba9a95
SHA512

f36b8425f5231d7e8bcc07617ab17bde7db27abcfb49a69e5238b1070b847d0f1acd70fcfd7b793ed80f6751481576e3c33ab3b1e5fadb387634e267b42b79b0

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

odeme.xl200.exe

pid	process
1760	odeme.xl200.exe
1760	odeme.xl200.exe
1760	odeme.xl200.exe
1760	odeme.xl200.exe
1760	odeme.xl200.exe
1760	odeme.xl200.exe
1760	odeme.xl200.exe
1760	odeme.xl200.exe
1760	odeme.xl200.exe
1760	odeme.xl200.exe
1760	odeme.xl200.exe
1760	odeme.xl200.exe
1760	odeme.xl200.exe
1760	odeme.xl200.exe
1760	odeme.xl200.exe
1760	odeme.xl200.exe
1760	odeme.xl200.exe
1760	odeme.xl200.exe
1760	odeme.xl200.exe
1760	odeme.xl200.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

odeme.xl200.exe

description pid process

Token: SeDebugPrivilege 1760 odeme.xl200.exe

description	pid	process
Token: SeDebugPrivilege	1760	odeme.xl200.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

odeme.xl200.exe

description	pid	process	target process
PID 1760 wrote to memory of 1936	1760	odeme.xl200.exe	odeme.xl200.exe
PID 1760 wrote to memory of 1936	1760	odeme.xl200.exe	odeme.xl200.exe
PID 1760 wrote to memory of 1936	1760	odeme.xl200.exe	odeme.xl200.exe
PID 1760 wrote to memory of 1936	1760	odeme.xl200.exe	odeme.xl200.exe
PID 1760 wrote to memory of 652	1760	odeme.xl200.exe	odeme.xl200.exe
PID 1760 wrote to memory of 652	1760	odeme.xl200.exe	odeme.xl200.exe
PID 1760 wrote to memory of 652	1760	odeme.xl200.exe	odeme.xl200.exe
PID 1760 wrote to memory of 652	1760	odeme.xl200.exe	odeme.xl200.exe
PID 1760 wrote to memory of 736	1760	odeme.xl200.exe	odeme.xl200.exe
PID 1760 wrote to memory of 736	1760	odeme.xl200.exe	odeme.xl200.exe
PID 1760 wrote to memory of 736	1760	odeme.xl200.exe	odeme.xl200.exe
PID 1760 wrote to memory of 736	1760	odeme.xl200.exe	odeme.xl200.exe
PID 1760 wrote to memory of 1004	1760	odeme.xl200.exe	odeme.xl200.exe
PID 1760 wrote to memory of 1004	1760	odeme.xl200.exe	odeme.xl200.exe
PID 1760 wrote to memory of 1004	1760	odeme.xl200.exe	odeme.xl200.exe
PID 1760 wrote to memory of 1004	1760	odeme.xl200.exe	odeme.xl200.exe
PID 1760 wrote to memory of 2008	1760	odeme.xl200.exe	odeme.xl200.exe
PID 1760 wrote to memory of 2008	1760	odeme.xl200.exe	odeme.xl200.exe
PID 1760 wrote to memory of 2008	1760	odeme.xl200.exe	odeme.xl200.exe
PID 1760 wrote to memory of 2008	1760	odeme.xl200.exe	odeme.xl200.exe
PID 1760 wrote to memory of 1348	1760	odeme.xl200.exe	odeme.xl200.exe
PID 1760 wrote to memory of 1348	1760	odeme.xl200.exe	odeme.xl200.exe
PID 1760 wrote to memory of 1348	1760	odeme.xl200.exe	odeme.xl200.exe
PID 1760 wrote to memory of 1348	1760	odeme.xl200.exe	odeme.xl200.exe
PID 1760 wrote to memory of 1208	1760	odeme.xl200.exe	odeme.xl200.exe
PID 1760 wrote to memory of 1208	1760	odeme.xl200.exe	odeme.xl200.exe
PID 1760 wrote to memory of 1208	1760	odeme.xl200.exe	odeme.xl200.exe
PID 1760 wrote to memory of 1208	1760	odeme.xl200.exe	odeme.xl200.exe
PID 1760 wrote to memory of 1704	1760	odeme.xl200.exe	odeme.xl200.exe
PID 1760 wrote to memory of 1704	1760	odeme.xl200.exe	odeme.xl200.exe
PID 1760 wrote to memory of 1704	1760	odeme.xl200.exe	odeme.xl200.exe
PID 1760 wrote to memory of 1704	1760	odeme.xl200.exe	odeme.xl200.exe
PID 1760 wrote to memory of 2040	1760	odeme.xl200.exe	odeme.xl200.exe
PID 1760 wrote to memory of 2040	1760	odeme.xl200.exe	odeme.xl200.exe
PID 1760 wrote to memory of 2040	1760	odeme.xl200.exe	odeme.xl200.exe
PID 1760 wrote to memory of 2040	1760	odeme.xl200.exe	odeme.xl200.exe
PID 1760 wrote to memory of 840	1760	odeme.xl200.exe	odeme.xl200.exe
PID 1760 wrote to memory of 840	1760	odeme.xl200.exe	odeme.xl200.exe
PID 1760 wrote to memory of 840	1760	odeme.xl200.exe	odeme.xl200.exe
PID 1760 wrote to memory of 840	1760	odeme.xl200.exe	odeme.xl200.exe

C:\Users\Admin\AppData\Local\Temp\odeme.xl200.exe
"C:\Users\Admin\AppData\Local\Temp\odeme.xl200.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1760

C:\Users\Admin\AppData\Local\Temp\odeme.xl200.exe
C:\Users\Admin\AppData\Local\Temp\odeme.xl200.exe
2⤵
PID:1936

C:\Users\Admin\AppData\Local\Temp\odeme.xl200.exe
C:\Users\Admin\AppData\Local\Temp\odeme.xl200.exe
2⤵
PID:652

C:\Users\Admin\AppData\Local\Temp\odeme.xl200.exe
C:\Users\Admin\AppData\Local\Temp\odeme.xl200.exe
2⤵
PID:736

C:\Users\Admin\AppData\Local\Temp\odeme.xl200.exe
C:\Users\Admin\AppData\Local\Temp\odeme.xl200.exe
2⤵
PID:1004

C:\Users\Admin\AppData\Local\Temp\odeme.xl200.exe
C:\Users\Admin\AppData\Local\Temp\odeme.xl200.exe
2⤵
PID:2008

C:\Users\Admin\AppData\Local\Temp\odeme.xl200.exe
C:\Users\Admin\AppData\Local\Temp\odeme.xl200.exe
2⤵
PID:1348

C:\Users\Admin\AppData\Local\Temp\odeme.xl200.exe
C:\Users\Admin\AppData\Local\Temp\odeme.xl200.exe
2⤵
PID:1208

C:\Users\Admin\AppData\Local\Temp\odeme.xl200.exe
C:\Users\Admin\AppData\Local\Temp\odeme.xl200.exe
2⤵
PID:1704

C:\Users\Admin\AppData\Local\Temp\odeme.xl200.exe
C:\Users\Admin\AppData\Local\Temp\odeme.xl200.exe
2⤵
PID:2040

C:\Users\Admin\AppData\Local\Temp\odeme.xl200.exe
C:\Users\Admin\AppData\Local\Temp\odeme.xl200.exe
2⤵
PID:840

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1760-54-0x00000000003A0000-0x0000000000426000-memory.dmp

Filesize
536KB

Download
memory/1760-55-0x0000000004810000-0x00000000048B6000-memory.dmp

Filesize
664KB

Download
memory/1760-56-0x0000000000430000-0x000000000047C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads