e81b6467fc8bb48bf57171450f37224deb85e34ce780a6ca311ca89c16f9e70a

General

Target

6c2afb194cebad7f9babba679528aea18b3c7754a9a6e602b91d80353aedd501.exe
Size

288KB
MD5

b8b284b3a4e835f5b3785b9ffe794e9d
SHA1

448bb364b3713aa4cad2637eedf008ad4ba1f05c
SHA256

6c2afb194cebad7f9babba679528aea18b3c7754a9a6e602b91d80353aedd501
SHA512

9a111fcc66fed623ffbf743649b5a5ec00d6365d7d2afe0ae32d8bfd66b075d4a4e74b25b4d9ff0e14e8a9ea4c5dc206e24af0002ee9130168b9a8708b84b6ea
SSDEEP

6144:HyPgfiscyrkdbMjgFP9lpYQKe/YC0R2nBtH6KZyxHro6aRtzG:SPgacw5MjmsQdYC0iIK4xHs6aRt6

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

6c2afb194cebad7f9babba679528aea18b3c7754a9a6e602b91d80353aedd501.exe

pid	process
2020	6c2afb194cebad7f9babba679528aea18b3c7754a9a6e602b91d80353aedd501.exe
2020	6c2afb194cebad7f9babba679528aea18b3c7754a9a6e602b91d80353aedd501.exe
2020	6c2afb194cebad7f9babba679528aea18b3c7754a9a6e602b91d80353aedd501.exe
2020	6c2afb194cebad7f9babba679528aea18b3c7754a9a6e602b91d80353aedd501.exe
2020	6c2afb194cebad7f9babba679528aea18b3c7754a9a6e602b91d80353aedd501.exe
2020	6c2afb194cebad7f9babba679528aea18b3c7754a9a6e602b91d80353aedd501.exe
2020	6c2afb194cebad7f9babba679528aea18b3c7754a9a6e602b91d80353aedd501.exe
2020	6c2afb194cebad7f9babba679528aea18b3c7754a9a6e602b91d80353aedd501.exe
2020	6c2afb194cebad7f9babba679528aea18b3c7754a9a6e602b91d80353aedd501.exe
2020	6c2afb194cebad7f9babba679528aea18b3c7754a9a6e602b91d80353aedd501.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

6c2afb194cebad7f9babba679528aea18b3c7754a9a6e602b91d80353aedd501.exe

description pid process

Token: SeDebugPrivilege 2020 6c2afb194cebad7f9babba679528aea18b3c7754a9a6e602b91d80353aedd501.exe

description	pid	process
Token: SeDebugPrivilege	2020	6c2afb194cebad7f9babba679528aea18b3c7754a9a6e602b91d80353aedd501.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

6c2afb194cebad7f9babba679528aea18b3c7754a9a6e602b91d80353aedd501.exe

description	pid	process	target process
PID 2020 wrote to memory of 1916	2020	6c2afb194cebad7f9babba679528aea18b3c7754a9a6e602b91d80353aedd501.exe	cvtres.exe
PID 2020 wrote to memory of 1916	2020	6c2afb194cebad7f9babba679528aea18b3c7754a9a6e602b91d80353aedd501.exe	cvtres.exe
PID 2020 wrote to memory of 1916	2020	6c2afb194cebad7f9babba679528aea18b3c7754a9a6e602b91d80353aedd501.exe	cvtres.exe
PID 2020 wrote to memory of 1916	2020	6c2afb194cebad7f9babba679528aea18b3c7754a9a6e602b91d80353aedd501.exe	cvtres.exe
PID 2020 wrote to memory of 1252	2020	6c2afb194cebad7f9babba679528aea18b3c7754a9a6e602b91d80353aedd501.exe	cvtres.exe
PID 2020 wrote to memory of 1252	2020	6c2afb194cebad7f9babba679528aea18b3c7754a9a6e602b91d80353aedd501.exe	cvtres.exe
PID 2020 wrote to memory of 1252	2020	6c2afb194cebad7f9babba679528aea18b3c7754a9a6e602b91d80353aedd501.exe	cvtres.exe
PID 2020 wrote to memory of 1252	2020	6c2afb194cebad7f9babba679528aea18b3c7754a9a6e602b91d80353aedd501.exe	cvtres.exe
PID 2020 wrote to memory of 1396	2020	6c2afb194cebad7f9babba679528aea18b3c7754a9a6e602b91d80353aedd501.exe	cvtres.exe
PID 2020 wrote to memory of 1396	2020	6c2afb194cebad7f9babba679528aea18b3c7754a9a6e602b91d80353aedd501.exe	cvtres.exe
PID 2020 wrote to memory of 1396	2020	6c2afb194cebad7f9babba679528aea18b3c7754a9a6e602b91d80353aedd501.exe	cvtres.exe
PID 2020 wrote to memory of 1396	2020	6c2afb194cebad7f9babba679528aea18b3c7754a9a6e602b91d80353aedd501.exe	cvtres.exe
PID 2020 wrote to memory of 1700	2020	6c2afb194cebad7f9babba679528aea18b3c7754a9a6e602b91d80353aedd501.exe	cvtres.exe
PID 2020 wrote to memory of 1700	2020	6c2afb194cebad7f9babba679528aea18b3c7754a9a6e602b91d80353aedd501.exe	cvtres.exe
PID 2020 wrote to memory of 1700	2020	6c2afb194cebad7f9babba679528aea18b3c7754a9a6e602b91d80353aedd501.exe	cvtres.exe
PID 2020 wrote to memory of 1700	2020	6c2afb194cebad7f9babba679528aea18b3c7754a9a6e602b91d80353aedd501.exe	cvtres.exe
PID 2020 wrote to memory of 1696	2020	6c2afb194cebad7f9babba679528aea18b3c7754a9a6e602b91d80353aedd501.exe	cvtres.exe
PID 2020 wrote to memory of 1696	2020	6c2afb194cebad7f9babba679528aea18b3c7754a9a6e602b91d80353aedd501.exe	cvtres.exe
PID 2020 wrote to memory of 1696	2020	6c2afb194cebad7f9babba679528aea18b3c7754a9a6e602b91d80353aedd501.exe	cvtres.exe
PID 2020 wrote to memory of 1696	2020	6c2afb194cebad7f9babba679528aea18b3c7754a9a6e602b91d80353aedd501.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\6c2afb194cebad7f9babba679528aea18b3c7754a9a6e602b91d80353aedd501.exe
"C:\Users\Admin\AppData\Local\Temp\6c2afb194cebad7f9babba679528aea18b3c7754a9a6e602b91d80353aedd501.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
2⤵
PID:1916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
2⤵
PID:1252

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
2⤵
PID:1396

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
2⤵
PID:1700

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
2⤵
PID:1696

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2020-54-0x0000000000180000-0x00000000001CE000-memory.dmp

Filesize
312KB

Download
memory/2020-55-0x0000000000410000-0x000000000041C000-memory.dmp

Filesize
48KB

Download
memory/2020-56-0x0000000000420000-0x0000000000428000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing