2c8e6d117dda931dc334f92cc2580c7022097c5c994ce1ea193e2ce27ba47db1

General

Target

2c8e6d117dda931dc334f92cc2580c7022097c5c994ce1ea193e2ce27ba47db1.exe
Size

288KB
MD5

1638dd22504ecccdc3bf3e7eb4a84153
SHA1

cff318324ab08d0d0a74a2bed55f9be918093a42
SHA256

2c8e6d117dda931dc334f92cc2580c7022097c5c994ce1ea193e2ce27ba47db1
SHA512

75bb4c9332fdffc066604d4abc11e5635d7270f02b93b16c4cc4f2e85ed11852c5ab1abfffa482e033dd1e6392afb9f2bc41a59e7337b11309bd1587bf9b8b60
SSDEEP

3072:WTriyyAIBQBz3giJf17pDKvFbXRu6+HuPtLhn6RWryRlT4quNynx4kpc6Q9RQT/k:JpOzV1dWvVAh2hMWA7Jx4kpyH

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

adsi.exeadsi.exe

pid process

1056 adsi.exe
1400 adsi.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1564 cmd.exe

pid	process
1056	adsi.exe
1400	adsi.exe

pid	process
1564	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

2c8e6d117dda931dc334f92cc2580c7022097c5c994ce1ea193e2ce27ba47db1.exe

pid	process
1216	2c8e6d117dda931dc334f92cc2580c7022097c5c994ce1ea193e2ce27ba47db1.exe
1216	2c8e6d117dda931dc334f92cc2580c7022097c5c994ce1ea193e2ce27ba47db1.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

2c8e6d117dda931dc334f92cc2580c7022097c5c994ce1ea193e2ce27ba47db1.exeadsi.exe

description	pid	process	target process
PID 2044 set thread context of 1216	2044	2c8e6d117dda931dc334f92cc2580c7022097c5c994ce1ea193e2ce27ba47db1.exe	2c8e6d117dda931dc334f92cc2580c7022097c5c994ce1ea193e2ce27ba47db1.exe
PID 1056 set thread context of 1400	1056	adsi.exe	adsi.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

adsi.exe

pid process

1400 adsi.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

2c8e6d117dda931dc334f92cc2580c7022097c5c994ce1ea193e2ce27ba47db1.exe

description pid process

Token: SeSecurityPrivilege 1216 2c8e6d117dda931dc334f92cc2580c7022097c5c994ce1ea193e2ce27ba47db1.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

2c8e6d117dda931dc334f92cc2580c7022097c5c994ce1ea193e2ce27ba47db1.exeadsi.exe

pid process

2044 2c8e6d117dda931dc334f92cc2580c7022097c5c994ce1ea193e2ce27ba47db1.exe
1056 adsi.exe

pid	process
1400	adsi.exe

description	pid	process
Token: SeSecurityPrivilege	1216	2c8e6d117dda931dc334f92cc2580c7022097c5c994ce1ea193e2ce27ba47db1.exe

pid	process
2044	2c8e6d117dda931dc334f92cc2580c7022097c5c994ce1ea193e2ce27ba47db1.exe
1056	adsi.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

2c8e6d117dda931dc334f92cc2580c7022097c5c994ce1ea193e2ce27ba47db1.exe2c8e6d117dda931dc334f92cc2580c7022097c5c994ce1ea193e2ce27ba47db1.exeadsi.exe

description	pid	process	target process
PID 2044 wrote to memory of 1216	2044	2c8e6d117dda931dc334f92cc2580c7022097c5c994ce1ea193e2ce27ba47db1.exe	2c8e6d117dda931dc334f92cc2580c7022097c5c994ce1ea193e2ce27ba47db1.exe
PID 2044 wrote to memory of 1216	2044	2c8e6d117dda931dc334f92cc2580c7022097c5c994ce1ea193e2ce27ba47db1.exe	2c8e6d117dda931dc334f92cc2580c7022097c5c994ce1ea193e2ce27ba47db1.exe
PID 2044 wrote to memory of 1216	2044	2c8e6d117dda931dc334f92cc2580c7022097c5c994ce1ea193e2ce27ba47db1.exe	2c8e6d117dda931dc334f92cc2580c7022097c5c994ce1ea193e2ce27ba47db1.exe
PID 2044 wrote to memory of 1216	2044	2c8e6d117dda931dc334f92cc2580c7022097c5c994ce1ea193e2ce27ba47db1.exe	2c8e6d117dda931dc334f92cc2580c7022097c5c994ce1ea193e2ce27ba47db1.exe
PID 2044 wrote to memory of 1216	2044	2c8e6d117dda931dc334f92cc2580c7022097c5c994ce1ea193e2ce27ba47db1.exe	2c8e6d117dda931dc334f92cc2580c7022097c5c994ce1ea193e2ce27ba47db1.exe
PID 2044 wrote to memory of 1216	2044	2c8e6d117dda931dc334f92cc2580c7022097c5c994ce1ea193e2ce27ba47db1.exe	2c8e6d117dda931dc334f92cc2580c7022097c5c994ce1ea193e2ce27ba47db1.exe
PID 2044 wrote to memory of 1216	2044	2c8e6d117dda931dc334f92cc2580c7022097c5c994ce1ea193e2ce27ba47db1.exe	2c8e6d117dda931dc334f92cc2580c7022097c5c994ce1ea193e2ce27ba47db1.exe
PID 2044 wrote to memory of 1216	2044	2c8e6d117dda931dc334f92cc2580c7022097c5c994ce1ea193e2ce27ba47db1.exe	2c8e6d117dda931dc334f92cc2580c7022097c5c994ce1ea193e2ce27ba47db1.exe
PID 2044 wrote to memory of 1216	2044	2c8e6d117dda931dc334f92cc2580c7022097c5c994ce1ea193e2ce27ba47db1.exe	2c8e6d117dda931dc334f92cc2580c7022097c5c994ce1ea193e2ce27ba47db1.exe
PID 1216 wrote to memory of 1056	1216	2c8e6d117dda931dc334f92cc2580c7022097c5c994ce1ea193e2ce27ba47db1.exe	adsi.exe
PID 1216 wrote to memory of 1056	1216	2c8e6d117dda931dc334f92cc2580c7022097c5c994ce1ea193e2ce27ba47db1.exe	adsi.exe
PID 1216 wrote to memory of 1056	1216	2c8e6d117dda931dc334f92cc2580c7022097c5c994ce1ea193e2ce27ba47db1.exe	adsi.exe
PID 1216 wrote to memory of 1056	1216	2c8e6d117dda931dc334f92cc2580c7022097c5c994ce1ea193e2ce27ba47db1.exe	adsi.exe
PID 1056 wrote to memory of 1400	1056	adsi.exe	adsi.exe
PID 1056 wrote to memory of 1400	1056	adsi.exe	adsi.exe
PID 1056 wrote to memory of 1400	1056	adsi.exe	adsi.exe
PID 1056 wrote to memory of 1400	1056	adsi.exe	adsi.exe
PID 1056 wrote to memory of 1400	1056	adsi.exe	adsi.exe
PID 1056 wrote to memory of 1400	1056	adsi.exe	adsi.exe
PID 1056 wrote to memory of 1400	1056	adsi.exe	adsi.exe
PID 1056 wrote to memory of 1400	1056	adsi.exe	adsi.exe
PID 1056 wrote to memory of 1400	1056	adsi.exe	adsi.exe
PID 1216 wrote to memory of 1564	1216	2c8e6d117dda931dc334f92cc2580c7022097c5c994ce1ea193e2ce27ba47db1.exe	cmd.exe
PID 1216 wrote to memory of 1564	1216	2c8e6d117dda931dc334f92cc2580c7022097c5c994ce1ea193e2ce27ba47db1.exe	cmd.exe
PID 1216 wrote to memory of 1564	1216	2c8e6d117dda931dc334f92cc2580c7022097c5c994ce1ea193e2ce27ba47db1.exe	cmd.exe
PID 1216 wrote to memory of 1564	1216	2c8e6d117dda931dc334f92cc2580c7022097c5c994ce1ea193e2ce27ba47db1.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2c8e6d117dda931dc334f92cc2580c7022097c5c994ce1ea193e2ce27ba47db1.exe
"C:\Users\Admin\AppData\Local\Temp\2c8e6d117dda931dc334f92cc2580c7022097c5c994ce1ea193e2ce27ba47db1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2044

C:\Users\Admin\AppData\Local\Temp\2c8e6d117dda931dc334f92cc2580c7022097c5c994ce1ea193e2ce27ba47db1.exe
"C:\Users\Admin\AppData\Local\Temp\2c8e6d117dda931dc334f92cc2580c7022097c5c994ce1ea193e2ce27ba47db1.exe"
2⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1216

C:\Users\Admin\AppData\Roaming\Kikawu\adsi.exe
"C:\Users\Admin\AppData\Roaming\Kikawu\adsi.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1056

C:\Users\Admin\AppData\Roaming\Kikawu\adsi.exe
"C:\Users\Admin\AppData\Roaming\Kikawu\adsi.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1400

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp67b28980.bat"
3⤵
- Deletes itself
PID:1564

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp67b28980.bat

Filesize
307B

MD5
6ba91c1d4dabf1d221b69c3fc126d998

SHA1
ff471c71c654f63764da4a60437720d5f8954e84

SHA256
1b2f0b5c031b0b04c93dc489f33321eb8ae2719f327ad923ae0b78495826c395

SHA512
2c65d8721c79fb8ee626f339326753007f4d3938b5efbdf9a76dfa467631cb129c6758193c32cc7a2b89e725cec207f5febcaadd3dff16827ee2baac020f989c

Download Submit
C:\Users\Admin\AppData\Roaming\Kikawu\adsi.exe

Filesize
288KB

MD5
e30a6568c3b742af00086a70139e4943

SHA1
4c005a183def616c834b8397581df4c0dedb15c1

SHA256
1491cc24fcf5ce5b3a358824ff8411bb28aab1bd18bbbb571f7dc44ee507efec

SHA512
dbcea9b8bd3515f9abcb7f012fa3d1f1ddc514364d39b7ca05350316c4a6b033f1c160644223bd327fea618c82371d506c7e3da00de90398472590791b04fead

Download Submit
C:\Users\Admin\AppData\Roaming\Kikawu\adsi.exe

Filesize
288KB

MD5
e30a6568c3b742af00086a70139e4943

SHA1
4c005a183def616c834b8397581df4c0dedb15c1

SHA256
1491cc24fcf5ce5b3a358824ff8411bb28aab1bd18bbbb571f7dc44ee507efec

SHA512
dbcea9b8bd3515f9abcb7f012fa3d1f1ddc514364d39b7ca05350316c4a6b033f1c160644223bd327fea618c82371d506c7e3da00de90398472590791b04fead

Download Submit
C:\Users\Admin\AppData\Roaming\Kikawu\adsi.exe

Filesize
288KB

MD5
e30a6568c3b742af00086a70139e4943

SHA1
4c005a183def616c834b8397581df4c0dedb15c1

SHA256
1491cc24fcf5ce5b3a358824ff8411bb28aab1bd18bbbb571f7dc44ee507efec

SHA512
dbcea9b8bd3515f9abcb7f012fa3d1f1ddc514364d39b7ca05350316c4a6b033f1c160644223bd327fea618c82371d506c7e3da00de90398472590791b04fead

Download Submit
\Users\Admin\AppData\Roaming\Kikawu\adsi.exe

Filesize
288KB

MD5
e30a6568c3b742af00086a70139e4943

SHA1
4c005a183def616c834b8397581df4c0dedb15c1

SHA256
1491cc24fcf5ce5b3a358824ff8411bb28aab1bd18bbbb571f7dc44ee507efec

SHA512
dbcea9b8bd3515f9abcb7f012fa3d1f1ddc514364d39b7ca05350316c4a6b033f1c160644223bd327fea618c82371d506c7e3da00de90398472590791b04fead

Download Submit
\Users\Admin\AppData\Roaming\Kikawu\adsi.exe

Filesize
288KB

MD5
e30a6568c3b742af00086a70139e4943

SHA1
4c005a183def616c834b8397581df4c0dedb15c1

SHA256
1491cc24fcf5ce5b3a358824ff8411bb28aab1bd18bbbb571f7dc44ee507efec

SHA512
dbcea9b8bd3515f9abcb7f012fa3d1f1ddc514364d39b7ca05350316c4a6b033f1c160644223bd327fea618c82371d506c7e3da00de90398472590791b04fead

Download Submit
memory/1056-70-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1056-75-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1056-66-0x0000000000000000-mapping.dmp

Download
memory/1160-78-0x0000000000310000-0x0000000000337000-memory.dmp

Filesize
156KB

Download
memory/1216-57-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1216-60-0x0000000075881000-0x0000000075883000-memory.dmp

Filesize
8KB

Download
memory/1216-63-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1216-80-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1216-62-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1216-58-0x0000000000413048-mapping.dmp

Download
memory/1400-73-0x0000000000413048-mapping.dmp

Download
memory/1400-82-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1564-79-0x0000000000000000-mapping.dmp

Download
memory/2044-61-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2044-56-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads