79ee06b346525550714c2c84b8fc738fa4f0d261a43b548d9705c36902e25d6e

General

Target

79ee06b346525550714c2c84b8fc738fa4f0d261a43b548d9705c36902e25d6e.exe
Size

730KB
MD5

9abc4b4b2123372fc5708b34fc26c888
SHA1

b2e3b413ea1a31b72f773614835e18e42befee83
SHA256

79ee06b346525550714c2c84b8fc738fa4f0d261a43b548d9705c36902e25d6e
SHA512

a718dedc776e04bf9ddf7790ce68fec7edbe6dd8435b31a9c5d50ca945f2f489703f597ff69b9f88bc357837c5d46a703b9fccfdedf23e09bf23bddea7c1ba57
SSDEEP

768:rZmchlXKGREW6VA6joSRhFH+C9Pe2auEqainmngYWxuv8Gwmwoe9R4ZstojtfcWv:schl6M+lpDCUoHid0bIrlyR

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2676	powershell.exe
2676	powershell.exe
4388	powershell.exe
4388	powershell.exe
2760	powershell.exe
2760	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2676	powershell.exe
Token: SeDebugPrivilege	5112	79ee06b346525550714c2c84b8fc738fa4f0d261a43b548d9705c36902e25d6e.exe
Token: SeDebugPrivilege	4388	powershell.exe
Token: SeDebugPrivilege	2760	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 5112 wrote to memory of 764	5112	79ee06b346525550714c2c84b8fc738fa4f0d261a43b548d9705c36902e25d6e.exe	83
PID 5112 wrote to memory of 764	5112	79ee06b346525550714c2c84b8fc738fa4f0d261a43b548d9705c36902e25d6e.exe	83
PID 5112 wrote to memory of 764	5112	79ee06b346525550714c2c84b8fc738fa4f0d261a43b548d9705c36902e25d6e.exe	83
PID 764 wrote to memory of 1400	764	cmd.exe	85
PID 764 wrote to memory of 1400	764	cmd.exe	85
PID 764 wrote to memory of 1400	764	cmd.exe	85
PID 764 wrote to memory of 2676	764	cmd.exe	86
PID 764 wrote to memory of 2676	764	cmd.exe	86
PID 764 wrote to memory of 2676	764	cmd.exe	86
PID 764 wrote to memory of 4388	764	cmd.exe	87
PID 764 wrote to memory of 4388	764	cmd.exe	87
PID 764 wrote to memory of 4388	764	cmd.exe	87
PID 764 wrote to memory of 2760	764	cmd.exe	88
PID 764 wrote to memory of 2760	764	cmd.exe	88
PID 764 wrote to memory of 2760	764	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\79ee06b346525550714c2c84b8fc738fa4f0d261a43b548d9705c36902e25d6e.exe
"C:\Users\Admin\AppData\Local\Temp\79ee06b346525550714c2c84b8fc738fa4f0d261a43b548d9705c36902e25d6e.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5112
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C chcp 1251 & powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\HostData"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:764
- - C:\Windows\SysWOW64\chcp.com
    chcp 1251
    3⤵
    PID:1400
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2676
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4388
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\HostData"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2760

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
bade1b6824a440738c692141e84e9b3d

SHA1
9d2f130ff58382b23ee79a00e1e008b2c699042e

SHA256
445582a0c3c4c2b14e79dd8c8a3b15773ec75d69aab870a2aae0937b1ca877d5

SHA512
faf5cfe978157fb77f84703615fa0abe59929868744a178fbd3f2a81439a442251139d866ff45dec68a7b3020d5d51dd932975d6ba0325a958e7b0a4f5d3d3ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
7bff0abbde5f8fd1d69e38c60c312a84

SHA1
938030e80a50f559e780b854454793abd14e6f3e

SHA256
8b6be1651f2279ba77d792dc9c08a1f38dcf6c64b1b0ba1d6ca3402d4fdc3898

SHA512
04bc3e0b855029a8075d67261e25da1ed2ee4ca23c7627cccf6dad30650297fe0f8498fb2486b4387cdadd98525c7c9ca1f865a77d2ca2c15bb1c58319856d3c

Download Submit
memory/2676-146-0x00000000704C0000-0x000000007050C000-memory.dmp

Filesize
304KB

Download
memory/2676-150-0x00000000077B0000-0x00000000077BA000-memory.dmp

Filesize
40KB

Download
memory/2676-140-0x0000000004E70000-0x0000000004EA6000-memory.dmp

Filesize
216KB

Download
memory/2676-141-0x0000000005660000-0x0000000005C88000-memory.dmp

Filesize
6.2MB

Download
memory/2676-142-0x0000000005470000-0x0000000005492000-memory.dmp

Filesize
136KB

Download
memory/2676-143-0x0000000005C90000-0x0000000005CF6000-memory.dmp

Filesize
408KB

Download
memory/2676-144-0x0000000006330000-0x000000000634E000-memory.dmp

Filesize
120KB

Download
memory/2676-145-0x00000000069F0000-0x0000000006A22000-memory.dmp

Filesize
200KB

Download
memory/2676-154-0x00000000079C0000-0x00000000079C8000-memory.dmp

Filesize
32KB

Download
memory/2676-147-0x00000000069D0000-0x00000000069EE000-memory.dmp

Filesize
120KB

Download
memory/2676-148-0x0000000007DC0000-0x000000000843A000-memory.dmp

Filesize
6.5MB

Download
memory/2676-149-0x0000000007760000-0x000000000777A000-memory.dmp

Filesize
104KB

Download
memory/2676-153-0x0000000007A80000-0x0000000007A9A000-memory.dmp

Filesize
104KB

Download
memory/2676-151-0x00000000079E0000-0x0000000007A76000-memory.dmp

Filesize
600KB

Download
memory/2676-152-0x0000000007980000-0x000000000798E000-memory.dmp

Filesize
56KB

Download
memory/2760-161-0x00000000704C0000-0x000000007050C000-memory.dmp

Filesize
304KB

Download
memory/4388-158-0x00000000704C0000-0x000000007050C000-memory.dmp

Filesize
304KB

Download
memory/5112-136-0x00000000058F0000-0x0000000005956000-memory.dmp

Filesize
408KB

Download
memory/5112-132-0x0000000000C00000-0x0000000000CA8000-memory.dmp

Filesize
672KB

Download
memory/5112-135-0x0000000005700000-0x000000000570A000-memory.dmp

Filesize
40KB

Download
memory/5112-134-0x0000000005640000-0x00000000056D2000-memory.dmp

Filesize
584KB

Download
memory/5112-133-0x0000000005D30000-0x00000000062D4000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads