41ad6f7b326ac4b5372ed790426911500da78c2bb3ff9ed98cd41d2515155cba

General

Target

41ad6f7b326ac4b5372ed790426911500da78c2bb3ff9ed98cd41d2515155cba.exe
Size

593KB
MD5

f69bfb20f3c859cec0110a1750d91831
SHA1

6d4178609cc7f0ed126a4ae9eb5eabd37e19e797
SHA256

41ad6f7b326ac4b5372ed790426911500da78c2bb3ff9ed98cd41d2515155cba
SHA512

3fdf3ad477e8258a7ff00c7247c21f9f32b80166988467f3554f7ef6b5d1db05c773e7ed49e32ceae27604fe739ad778b705a2529cf865e1e4ac981799a91fbe
SSDEEP

12288:0nsis+D11R/5P/+/SJ+tZkS9PpbFBXBYbE/M1keD11ioQqLoEhCl85:mPlJukiFZ6bR1TLLUS

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

41ad6f7b326ac4b5372ed790426911500da78c2bb3ff9ed98cd41d2515155cba.exe

pid	process
828	41ad6f7b326ac4b5372ed790426911500da78c2bb3ff9ed98cd41d2515155cba.exe
828	41ad6f7b326ac4b5372ed790426911500da78c2bb3ff9ed98cd41d2515155cba.exe
828	41ad6f7b326ac4b5372ed790426911500da78c2bb3ff9ed98cd41d2515155cba.exe
828	41ad6f7b326ac4b5372ed790426911500da78c2bb3ff9ed98cd41d2515155cba.exe
828	41ad6f7b326ac4b5372ed790426911500da78c2bb3ff9ed98cd41d2515155cba.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

41ad6f7b326ac4b5372ed790426911500da78c2bb3ff9ed98cd41d2515155cba.exe

description pid process

Token: SeDebugPrivilege 828 41ad6f7b326ac4b5372ed790426911500da78c2bb3ff9ed98cd41d2515155cba.exe

description	pid	process
Token: SeDebugPrivilege	828	41ad6f7b326ac4b5372ed790426911500da78c2bb3ff9ed98cd41d2515155cba.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

41ad6f7b326ac4b5372ed790426911500da78c2bb3ff9ed98cd41d2515155cba.exe

C:\Users\Admin\AppData\Local\Temp\41ad6f7b326ac4b5372ed790426911500da78c2bb3ff9ed98cd41d2515155cba.exe
"C:\Users\Admin\AppData\Local\Temp\41ad6f7b326ac4b5372ed790426911500da78c2bb3ff9ed98cd41d2515155cba.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:828

C:\Users\Admin\AppData\Local\Temp\41ad6f7b326ac4b5372ed790426911500da78c2bb3ff9ed98cd41d2515155cba.exe
"C:\Users\Admin\AppData\Local\Temp\41ad6f7b326ac4b5372ed790426911500da78c2bb3ff9ed98cd41d2515155cba.exe"
2⤵
PID:1620

C:\Users\Admin\AppData\Local\Temp\41ad6f7b326ac4b5372ed790426911500da78c2bb3ff9ed98cd41d2515155cba.exe
"C:\Users\Admin\AppData\Local\Temp\41ad6f7b326ac4b5372ed790426911500da78c2bb3ff9ed98cd41d2515155cba.exe"
2⤵
PID:1568

C:\Users\Admin\AppData\Local\Temp\41ad6f7b326ac4b5372ed790426911500da78c2bb3ff9ed98cd41d2515155cba.exe
"C:\Users\Admin\AppData\Local\Temp\41ad6f7b326ac4b5372ed790426911500da78c2bb3ff9ed98cd41d2515155cba.exe"
2⤵
PID:1672

C:\Users\Admin\AppData\Local\Temp\41ad6f7b326ac4b5372ed790426911500da78c2bb3ff9ed98cd41d2515155cba.exe
"C:\Users\Admin\AppData\Local\Temp\41ad6f7b326ac4b5372ed790426911500da78c2bb3ff9ed98cd41d2515155cba.exe"
2⤵
PID:1552

C:\Users\Admin\AppData\Local\Temp\41ad6f7b326ac4b5372ed790426911500da78c2bb3ff9ed98cd41d2515155cba.exe
"C:\Users\Admin\AppData\Local\Temp\41ad6f7b326ac4b5372ed790426911500da78c2bb3ff9ed98cd41d2515155cba.exe"
2⤵
PID:1612

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/828-54-0x00000000003F0000-0x000000000048A000-memory.dmp

Filesize
616KB

Download
memory/828-55-0x0000000075A11000-0x0000000075A13000-memory.dmp

Filesize
8KB

Download
memory/828-56-0x00000000004E0000-0x00000000004FA000-memory.dmp

Filesize
104KB

Download
memory/828-57-0x0000000000500000-0x000000000050C000-memory.dmp

Filesize
48KB

Download
memory/828-58-0x00000000053A0000-0x000000000541A000-memory.dmp

Filesize
488KB

Download
memory/828-59-0x0000000001FC0000-0x0000000001FF4000-memory.dmp

Filesize
208KB

Download

description	pid	process	target process
PID 828 wrote to memory of 1620	828	41ad6f7b326ac4b5372ed790426911500da78c2bb3ff9ed98cd41d2515155cba.exe	41ad6f7b326ac4b5372ed790426911500da78c2bb3ff9ed98cd41d2515155cba.exe
PID 828 wrote to memory of 1620	828	41ad6f7b326ac4b5372ed790426911500da78c2bb3ff9ed98cd41d2515155cba.exe	41ad6f7b326ac4b5372ed790426911500da78c2bb3ff9ed98cd41d2515155cba.exe
PID 828 wrote to memory of 1620	828	41ad6f7b326ac4b5372ed790426911500da78c2bb3ff9ed98cd41d2515155cba.exe	41ad6f7b326ac4b5372ed790426911500da78c2bb3ff9ed98cd41d2515155cba.exe
PID 828 wrote to memory of 1620	828	41ad6f7b326ac4b5372ed790426911500da78c2bb3ff9ed98cd41d2515155cba.exe	41ad6f7b326ac4b5372ed790426911500da78c2bb3ff9ed98cd41d2515155cba.exe
PID 828 wrote to memory of 1568	828	41ad6f7b326ac4b5372ed790426911500da78c2bb3ff9ed98cd41d2515155cba.exe	41ad6f7b326ac4b5372ed790426911500da78c2bb3ff9ed98cd41d2515155cba.exe
PID 828 wrote to memory of 1568	828	41ad6f7b326ac4b5372ed790426911500da78c2bb3ff9ed98cd41d2515155cba.exe	41ad6f7b326ac4b5372ed790426911500da78c2bb3ff9ed98cd41d2515155cba.exe
PID 828 wrote to memory of 1568	828	41ad6f7b326ac4b5372ed790426911500da78c2bb3ff9ed98cd41d2515155cba.exe	41ad6f7b326ac4b5372ed790426911500da78c2bb3ff9ed98cd41d2515155cba.exe
PID 828 wrote to memory of 1568	828	41ad6f7b326ac4b5372ed790426911500da78c2bb3ff9ed98cd41d2515155cba.exe	41ad6f7b326ac4b5372ed790426911500da78c2bb3ff9ed98cd41d2515155cba.exe
PID 828 wrote to memory of 1672	828	41ad6f7b326ac4b5372ed790426911500da78c2bb3ff9ed98cd41d2515155cba.exe	41ad6f7b326ac4b5372ed790426911500da78c2bb3ff9ed98cd41d2515155cba.exe
PID 828 wrote to memory of 1672	828	41ad6f7b326ac4b5372ed790426911500da78c2bb3ff9ed98cd41d2515155cba.exe	41ad6f7b326ac4b5372ed790426911500da78c2bb3ff9ed98cd41d2515155cba.exe
PID 828 wrote to memory of 1672	828	41ad6f7b326ac4b5372ed790426911500da78c2bb3ff9ed98cd41d2515155cba.exe	41ad6f7b326ac4b5372ed790426911500da78c2bb3ff9ed98cd41d2515155cba.exe
PID 828 wrote to memory of 1672	828	41ad6f7b326ac4b5372ed790426911500da78c2bb3ff9ed98cd41d2515155cba.exe	41ad6f7b326ac4b5372ed790426911500da78c2bb3ff9ed98cd41d2515155cba.exe
PID 828 wrote to memory of 1552	828	41ad6f7b326ac4b5372ed790426911500da78c2bb3ff9ed98cd41d2515155cba.exe	41ad6f7b326ac4b5372ed790426911500da78c2bb3ff9ed98cd41d2515155cba.exe
PID 828 wrote to memory of 1552	828	41ad6f7b326ac4b5372ed790426911500da78c2bb3ff9ed98cd41d2515155cba.exe	41ad6f7b326ac4b5372ed790426911500da78c2bb3ff9ed98cd41d2515155cba.exe
PID 828 wrote to memory of 1552	828	41ad6f7b326ac4b5372ed790426911500da78c2bb3ff9ed98cd41d2515155cba.exe	41ad6f7b326ac4b5372ed790426911500da78c2bb3ff9ed98cd41d2515155cba.exe
PID 828 wrote to memory of 1552	828	41ad6f7b326ac4b5372ed790426911500da78c2bb3ff9ed98cd41d2515155cba.exe	41ad6f7b326ac4b5372ed790426911500da78c2bb3ff9ed98cd41d2515155cba.exe
PID 828 wrote to memory of 1612	828	41ad6f7b326ac4b5372ed790426911500da78c2bb3ff9ed98cd41d2515155cba.exe	41ad6f7b326ac4b5372ed790426911500da78c2bb3ff9ed98cd41d2515155cba.exe
PID 828 wrote to memory of 1612	828	41ad6f7b326ac4b5372ed790426911500da78c2bb3ff9ed98cd41d2515155cba.exe	41ad6f7b326ac4b5372ed790426911500da78c2bb3ff9ed98cd41d2515155cba.exe
PID 828 wrote to memory of 1612	828	41ad6f7b326ac4b5372ed790426911500da78c2bb3ff9ed98cd41d2515155cba.exe	41ad6f7b326ac4b5372ed790426911500da78c2bb3ff9ed98cd41d2515155cba.exe
PID 828 wrote to memory of 1612	828	41ad6f7b326ac4b5372ed790426911500da78c2bb3ff9ed98cd41d2515155cba.exe	41ad6f7b326ac4b5372ed790426911500da78c2bb3ff9ed98cd41d2515155cba.exe

Analysis

Sharing