cc4b7048ba8398fff2c33a09475d0070458ab71a323278b9756beb8f08651dc7

General

Target

cc4b7048ba8398fff2c33a09475d0070458ab71a323278b9756beb8f08651dc7.exe
Size

721KB
MD5

9533975b94645763e1080c8fb05f8089
SHA1

d7422e32f067b200bfc9fe270218c3798bef2f8a
SHA256

cc4b7048ba8398fff2c33a09475d0070458ab71a323278b9756beb8f08651dc7
SHA512

8f903313c0056f09bd2f9953897cf17f64156cda026115df9804e5958ab783982712a6ce37aa4faa69c929044e5170f0b1df5645d4a8cd54a74327ed8e16cf97
SSDEEP

768:rZmchlXKGREW6VA6joSRhFH+C9Pe2auEqainmngYWxuv8Gwmwoe9R4ZstojtfcWv:schl6M+lpDCUoHid0bIrlyR

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1740	powershell.exe
1740	powershell.exe
388	powershell.exe
388	powershell.exe
1748	powershell.exe
1748	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	868	cc4b7048ba8398fff2c33a09475d0070458ab71a323278b9756beb8f08651dc7.exe
Token: SeDebugPrivilege	1740	powershell.exe
Token: SeDebugPrivilege	388	powershell.exe
Token: SeDebugPrivilege	1748	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 868 wrote to memory of 4844	868	cc4b7048ba8398fff2c33a09475d0070458ab71a323278b9756beb8f08651dc7.exe	80
PID 868 wrote to memory of 4844	868	cc4b7048ba8398fff2c33a09475d0070458ab71a323278b9756beb8f08651dc7.exe	80
PID 868 wrote to memory of 4844	868	cc4b7048ba8398fff2c33a09475d0070458ab71a323278b9756beb8f08651dc7.exe	80
PID 4844 wrote to memory of 4900	4844	cmd.exe	82
PID 4844 wrote to memory of 4900	4844	cmd.exe	82
PID 4844 wrote to memory of 4900	4844	cmd.exe	82
PID 4844 wrote to memory of 1740	4844	cmd.exe	83
PID 4844 wrote to memory of 1740	4844	cmd.exe	83
PID 4844 wrote to memory of 1740	4844	cmd.exe	83
PID 4844 wrote to memory of 388	4844	cmd.exe	84
PID 4844 wrote to memory of 388	4844	cmd.exe	84
PID 4844 wrote to memory of 388	4844	cmd.exe	84
PID 4844 wrote to memory of 1748	4844	cmd.exe	85
PID 4844 wrote to memory of 1748	4844	cmd.exe	85
PID 4844 wrote to memory of 1748	4844	cmd.exe	85

C:\Users\Admin\AppData\Local\Temp\cc4b7048ba8398fff2c33a09475d0070458ab71a323278b9756beb8f08651dc7.exe
"C:\Users\Admin\AppData\Local\Temp\cc4b7048ba8398fff2c33a09475d0070458ab71a323278b9756beb8f08651dc7.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:868
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C chcp 1251 & powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\HostData"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4844
- - C:\Windows\SysWOW64\chcp.com
    chcp 1251
    3⤵
    PID:4900
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1740
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:388
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\HostData"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1748

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
3d5abffa6a5e01c394d7c4ffeaf0e887

SHA1
4b8eebaa58dca50038bb7d9948ff23b0f33cf275

SHA256
b31b95ca04387462cd4e8f6a614419d54d204dec7c202bcc4fe5af4041697d79

SHA512
6d698f4673c6cdac47a98cc28d74c305bcd800565335649cad21bbc7ab6ebcbe1cad3f1a01da30660c4474322b16f80cdeb9427fa305070f867e72ebecd1c19a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
479109f65df226a0c884a891982507f3

SHA1
c8c3a292ae5bb3c400431a166fa2c7b176e7db44

SHA256
5fa26a6fe6458ba5533c0f42913701b8270894aa1f76adb519e60b3354e87566

SHA512
ccc33b5f7a60448ff43c729eae522325f10eca6aaf2ba80177a90a204417a3e004b672426228f7bb39da2a7065fb02f87b330d6070e462e588d20c63505e55bd

Download Submit
memory/388-158-0x0000000070C80000-0x0000000070CCC000-memory.dmp

Filesize
304KB

Download
memory/868-132-0x0000000000F20000-0x0000000000FC8000-memory.dmp

Filesize
672KB

Download
memory/868-133-0x0000000005F30000-0x00000000064D4000-memory.dmp

Filesize
5.6MB

Download
memory/868-134-0x0000000005980000-0x0000000005A12000-memory.dmp

Filesize
584KB

Download
memory/868-135-0x0000000005B10000-0x0000000005B1A000-memory.dmp

Filesize
40KB

Download
memory/868-136-0x0000000005BA0000-0x0000000005C06000-memory.dmp

Filesize
408KB

Download
memory/1740-146-0x0000000070C80000-0x0000000070CCC000-memory.dmp

Filesize
304KB

Download
memory/1740-151-0x00000000079A0000-0x0000000007A36000-memory.dmp

Filesize
600KB

Download
memory/1740-144-0x0000000006360000-0x000000000637E000-memory.dmp

Filesize
120KB

Download
memory/1740-145-0x00000000075D0000-0x0000000007602000-memory.dmp

Filesize
200KB

Download
memory/1740-142-0x0000000005C10000-0x0000000005C32000-memory.dmp

Filesize
136KB

Download
memory/1740-147-0x0000000006980000-0x000000000699E000-memory.dmp

Filesize
120KB

Download
memory/1740-148-0x0000000007D80000-0x00000000083FA000-memory.dmp

Filesize
6.5MB

Download
memory/1740-149-0x0000000007720000-0x000000000773A000-memory.dmp

Filesize
104KB

Download
memory/1740-150-0x0000000007770000-0x000000000777A000-memory.dmp

Filesize
40KB

Download
memory/1740-143-0x0000000005CB0000-0x0000000005D16000-memory.dmp

Filesize
408KB

Download
memory/1740-152-0x0000000007940000-0x000000000794E000-memory.dmp

Filesize
56KB

Download
memory/1740-153-0x0000000007A40000-0x0000000007A5A000-memory.dmp

Filesize
104KB

Download
memory/1740-154-0x0000000007980000-0x0000000007988000-memory.dmp

Filesize
32KB

Download
memory/1740-141-0x00000000054E0000-0x0000000005B08000-memory.dmp

Filesize
6.2MB

Download
memory/1740-140-0x0000000002A20000-0x0000000002A56000-memory.dmp

Filesize
216KB

Download
memory/1748-161-0x0000000070C80000-0x0000000070CCC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads