2f9ca514375d3d060d375c500a948bf4d80e2d83b08c82cc4a33f532b77b67fe

General

Target

2f9ca514375d3d060d375c500a948bf4d80e2d83b08c82cc4a33f532b77b67fe.exe
Size

270KB
MD5

b956bce75c05e483f6b6e5a87a78da60
SHA1

cfa722912249d42d8f713918ea85f02c1f9e22d1
SHA256

2f9ca514375d3d060d375c500a948bf4d80e2d83b08c82cc4a33f532b77b67fe
SHA512

6f73a55cce3f91726342b05d5170a29dfa5407c7f8360339ae65a7bcad4226e65a41030650b659f59b843d01a902a163379d1650bd9b98abda107254c11439fb
SSDEEP

3072:F90nbyJIZIascP+NjVyBjA+ACL/eUNZItRoHHjAD0M1BQBKOnFpJCGGGGG9M2hd:keCfs4+VCA+FL2UNZlH6loK7GGGGGG2D

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

tosy.exetosy.exe

pid process

2040 tosy.exe
3096 tosy.exe

pid	process
2040	tosy.exe
3096	tosy.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

2f9ca514375d3d060d375c500a948bf4d80e2d83b08c82cc4a33f532b77b67fe.exetosy.exe

description	pid	process	target process
PID 4524 set thread context of 4796	4524	2f9ca514375d3d060d375c500a948bf4d80e2d83b08c82cc4a33f532b77b67fe.exe	2f9ca514375d3d060d375c500a948bf4d80e2d83b08c82cc4a33f532b77b67fe.exe
PID 2040 set thread context of 3096	2040	tosy.exe	tosy.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

tosy.exe

pid process

3096 tosy.exe
3096 tosy.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

2f9ca514375d3d060d375c500a948bf4d80e2d83b08c82cc4a33f532b77b67fe.exe

description pid process

Token: SeSecurityPrivilege 4796 2f9ca514375d3d060d375c500a948bf4d80e2d83b08c82cc4a33f532b77b67fe.exe

pid	process
3096	tosy.exe
3096	tosy.exe

description	pid	process
Token: SeSecurityPrivilege	4796	2f9ca514375d3d060d375c500a948bf4d80e2d83b08c82cc4a33f532b77b67fe.exe

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

2f9ca514375d3d060d375c500a948bf4d80e2d83b08c82cc4a33f532b77b67fe.exe2f9ca514375d3d060d375c500a948bf4d80e2d83b08c82cc4a33f532b77b67fe.exetosy.exetosy.exe

description	pid	process	target process
PID 4524 wrote to memory of 4796	4524	2f9ca514375d3d060d375c500a948bf4d80e2d83b08c82cc4a33f532b77b67fe.exe	2f9ca514375d3d060d375c500a948bf4d80e2d83b08c82cc4a33f532b77b67fe.exe
PID 4524 wrote to memory of 4796	4524	2f9ca514375d3d060d375c500a948bf4d80e2d83b08c82cc4a33f532b77b67fe.exe	2f9ca514375d3d060d375c500a948bf4d80e2d83b08c82cc4a33f532b77b67fe.exe
PID 4524 wrote to memory of 4796	4524	2f9ca514375d3d060d375c500a948bf4d80e2d83b08c82cc4a33f532b77b67fe.exe	2f9ca514375d3d060d375c500a948bf4d80e2d83b08c82cc4a33f532b77b67fe.exe
PID 4524 wrote to memory of 4796	4524	2f9ca514375d3d060d375c500a948bf4d80e2d83b08c82cc4a33f532b77b67fe.exe	2f9ca514375d3d060d375c500a948bf4d80e2d83b08c82cc4a33f532b77b67fe.exe
PID 4524 wrote to memory of 4796	4524	2f9ca514375d3d060d375c500a948bf4d80e2d83b08c82cc4a33f532b77b67fe.exe	2f9ca514375d3d060d375c500a948bf4d80e2d83b08c82cc4a33f532b77b67fe.exe
PID 4524 wrote to memory of 4796	4524	2f9ca514375d3d060d375c500a948bf4d80e2d83b08c82cc4a33f532b77b67fe.exe	2f9ca514375d3d060d375c500a948bf4d80e2d83b08c82cc4a33f532b77b67fe.exe
PID 4524 wrote to memory of 4796	4524	2f9ca514375d3d060d375c500a948bf4d80e2d83b08c82cc4a33f532b77b67fe.exe	2f9ca514375d3d060d375c500a948bf4d80e2d83b08c82cc4a33f532b77b67fe.exe
PID 4524 wrote to memory of 4796	4524	2f9ca514375d3d060d375c500a948bf4d80e2d83b08c82cc4a33f532b77b67fe.exe	2f9ca514375d3d060d375c500a948bf4d80e2d83b08c82cc4a33f532b77b67fe.exe
PID 4524 wrote to memory of 4796	4524	2f9ca514375d3d060d375c500a948bf4d80e2d83b08c82cc4a33f532b77b67fe.exe	2f9ca514375d3d060d375c500a948bf4d80e2d83b08c82cc4a33f532b77b67fe.exe
PID 4796 wrote to memory of 2040	4796	2f9ca514375d3d060d375c500a948bf4d80e2d83b08c82cc4a33f532b77b67fe.exe	tosy.exe
PID 4796 wrote to memory of 2040	4796	2f9ca514375d3d060d375c500a948bf4d80e2d83b08c82cc4a33f532b77b67fe.exe	tosy.exe
PID 4796 wrote to memory of 2040	4796	2f9ca514375d3d060d375c500a948bf4d80e2d83b08c82cc4a33f532b77b67fe.exe	tosy.exe
PID 2040 wrote to memory of 3096	2040	tosy.exe	tosy.exe
PID 2040 wrote to memory of 3096	2040	tosy.exe	tosy.exe
PID 2040 wrote to memory of 3096	2040	tosy.exe	tosy.exe
PID 2040 wrote to memory of 3096	2040	tosy.exe	tosy.exe
PID 2040 wrote to memory of 3096	2040	tosy.exe	tosy.exe
PID 2040 wrote to memory of 3096	2040	tosy.exe	tosy.exe
PID 2040 wrote to memory of 3096	2040	tosy.exe	tosy.exe
PID 2040 wrote to memory of 3096	2040	tosy.exe	tosy.exe
PID 2040 wrote to memory of 3096	2040	tosy.exe	tosy.exe
PID 3096 wrote to memory of 4296	3096	tosy.exe	explorer.exe
PID 3096 wrote to memory of 4296	3096	tosy.exe	explorer.exe
PID 3096 wrote to memory of 4296	3096	tosy.exe	explorer.exe
PID 3096 wrote to memory of 4296	3096	tosy.exe	explorer.exe
PID 3096 wrote to memory of 4296	3096	tosy.exe	explorer.exe
PID 3096 wrote to memory of 4296	3096	tosy.exe	explorer.exe
PID 3096 wrote to memory of 4296	3096	tosy.exe	explorer.exe
PID 3096 wrote to memory of 4296	3096	tosy.exe	explorer.exe
PID 3096 wrote to memory of 4296	3096	tosy.exe	explorer.exe
PID 3096 wrote to memory of 4296	3096	tosy.exe	explorer.exe
PID 4796 wrote to memory of 2592	4796	2f9ca514375d3d060d375c500a948bf4d80e2d83b08c82cc4a33f532b77b67fe.exe	cmd.exe
PID 4796 wrote to memory of 2592	4796	2f9ca514375d3d060d375c500a948bf4d80e2d83b08c82cc4a33f532b77b67fe.exe	cmd.exe
PID 4796 wrote to memory of 2592	4796	2f9ca514375d3d060d375c500a948bf4d80e2d83b08c82cc4a33f532b77b67fe.exe	cmd.exe
PID 3096 wrote to memory of 2592	3096	tosy.exe	cmd.exe
PID 3096 wrote to memory of 2592	3096	tosy.exe	cmd.exe
PID 3096 wrote to memory of 2592	3096	tosy.exe	cmd.exe
PID 3096 wrote to memory of 2592	3096	tosy.exe	cmd.exe
PID 3096 wrote to memory of 2592	3096	tosy.exe	cmd.exe
PID 3096 wrote to memory of 2592	3096	tosy.exe	cmd.exe
PID 3096 wrote to memory of 2592	3096	tosy.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2f9ca514375d3d060d375c500a948bf4d80e2d83b08c82cc4a33f532b77b67fe.exe
"C:\Users\Admin\AppData\Local\Temp\2f9ca514375d3d060d375c500a948bf4d80e2d83b08c82cc4a33f532b77b67fe.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4524

C:\Users\Admin\AppData\Local\Temp\2f9ca514375d3d060d375c500a948bf4d80e2d83b08c82cc4a33f532b77b67fe.exe
"C:\Users\Admin\AppData\Local\Temp\2f9ca514375d3d060d375c500a948bf4d80e2d83b08c82cc4a33f532b77b67fe.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4796

C:\Users\Admin\AppData\Roaming\Zaruy\tosy.exe
"C:\Users\Admin\AppData\Roaming\Zaruy\tosy.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2040

C:\Users\Admin\AppData\Roaming\Zaruy\tosy.exe
"C:\Users\Admin\AppData\Roaming\Zaruy\tosy.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3096

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
5⤵
PID:4296

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp4525323c.bat"
3⤵
PID:2592

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp4525323c.bat
Filesize
307B

MD5
896716dd3a77d8f64771ccb2c45b8e1f

SHA1
7e1e8481cf63fd277714b698d2f430ff5f13ec60

SHA256
01dbd0949303de5bff6db342f04260305a3df4992118dc94cc8d26f45366b6e8

SHA512
83d6f3bbc2124284c1d70faea8fbcd9dd692cfcad974d9bd7fced4619699ebc277841ac7aaa248478d4bcf5ff8976607b437b70d6e570c124081c333faa034b0

Download Submit
C:\Users\Admin\AppData\Roaming\Zaruy\tosy.exe
Filesize
270KB

MD5
799a3d177df01c511275ea180c054180

SHA1
d81c207345b0d266b2c49822ceca8d99a7385e9a

SHA256
134721ccddb5ab87a24e796da8dbf64e52ddd826f867608b0fe0e6a70d704b50

SHA512
dbd0cf8ffa6ae477996e0e8682f22f3308720ec6ff66fa927721457fadaeabd3ece3e4b5313c041aea0bda442eda6bc1a699dec43088af6a37f05a948d66c19b

Download Submit
C:\Users\Admin\AppData\Roaming\Zaruy\tosy.exe
Filesize
270KB

MD5
799a3d177df01c511275ea180c054180

SHA1
d81c207345b0d266b2c49822ceca8d99a7385e9a

SHA256
134721ccddb5ab87a24e796da8dbf64e52ddd826f867608b0fe0e6a70d704b50

SHA512
dbd0cf8ffa6ae477996e0e8682f22f3308720ec6ff66fa927721457fadaeabd3ece3e4b5313c041aea0bda442eda6bc1a699dec43088af6a37f05a948d66c19b

Download Submit
C:\Users\Admin\AppData\Roaming\Zaruy\tosy.exe
Filesize
270KB

MD5
799a3d177df01c511275ea180c054180

SHA1
d81c207345b0d266b2c49822ceca8d99a7385e9a

SHA256
134721ccddb5ab87a24e796da8dbf64e52ddd826f867608b0fe0e6a70d704b50

SHA512
dbd0cf8ffa6ae477996e0e8682f22f3308720ec6ff66fa927721457fadaeabd3ece3e4b5313c041aea0bda442eda6bc1a699dec43088af6a37f05a948d66c19b

Download Submit
memory/2040-138-0x0000000000000000-mapping.dmp

Download
memory/2592-152-0x0000000000A10000-0x0000000000A3C000-memory.dmp

Filesize
176KB

Download
memory/2592-149-0x0000000000000000-mapping.dmp

Download
memory/3096-148-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3096-153-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3096-142-0x0000000000000000-mapping.dmp

Download
memory/4296-154-0x0000000000E80000-0x0000000000EAC000-memory.dmp

Filesize
176KB

Download
memory/4296-147-0x0000000000000000-mapping.dmp

Download
memory/4796-137-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4796-141-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4796-150-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4796-132-0x0000000000000000-mapping.dmp

Download
memory/4796-136-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4796-135-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4796-133-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing