f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f

General

Target

f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe
Size

322KB
MD5

75580b956deb96405be09b3b12c1236b
SHA1

95b4c11e76af988f599e86048e68352e45e27344
SHA256

f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f
SHA512

5fdda83c74e8922ff0c6520cf3cf5550878f31f85e718d696fa7fde150bd212bf5d270142dd94ae8dee1f7a5af7f6444360d03bbd48f0d4525d05f37a8675ca5
SSDEEP

6144:kncod+WTL+lgRPgjaOi1aY8VK2ZPIzAw+9ScTi:XS+WTL+lgRS3i0VK29IcJ9ti

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\drivers\str.sys	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe

Drops file in System32 directory 2 IoCs

Processes:

f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe

description	ioc	process
File created	C:\Windows\SysWOW64\nethost.exe	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe
File opened for modification	C:\Windows\SysWOW64\nethost.exe	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exef50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe

description	pid	process	target process
PID 852 set thread context of 1220	852	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe
PID 284 set thread context of 904	284	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exef50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exef50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe

pid	process
852	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe
852	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe
1220	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe
1220	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe
284	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe
284	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe

description	pid	process
Token: SeDebugPrivilege	1220	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe
Token: SeDebugPrivilege	1220	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exef50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exef50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe

description	pid	process	target process
PID 852 wrote to memory of 1220	852	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe
PID 852 wrote to memory of 1220	852	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe
PID 852 wrote to memory of 1220	852	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe
PID 852 wrote to memory of 1220	852	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe
PID 852 wrote to memory of 1220	852	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe
PID 852 wrote to memory of 1220	852	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe
PID 852 wrote to memory of 1220	852	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe
PID 852 wrote to memory of 1220	852	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe
PID 852 wrote to memory of 1220	852	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe
PID 852 wrote to memory of 1220	852	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe
PID 852 wrote to memory of 1220	852	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe
PID 852 wrote to memory of 1220	852	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe
PID 1220 wrote to memory of 584	1220	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe	svchost.exe
PID 1220 wrote to memory of 584	1220	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe	svchost.exe
PID 1220 wrote to memory of 668	1220	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe	svchost.exe
PID 1220 wrote to memory of 668	1220	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe	svchost.exe
PID 1220 wrote to memory of 752	1220	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe	svchost.exe
PID 1220 wrote to memory of 752	1220	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe	svchost.exe
PID 1220 wrote to memory of 800	1220	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe	svchost.exe
PID 1220 wrote to memory of 800	1220	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe	svchost.exe
PID 1220 wrote to memory of 844	1220	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe	svchost.exe
PID 1220 wrote to memory of 844	1220	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe	svchost.exe
PID 1220 wrote to memory of 876	1220	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe	svchost.exe
PID 1220 wrote to memory of 876	1220	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe	svchost.exe
PID 1220 wrote to memory of 300	1220	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe	svchost.exe
PID 1220 wrote to memory of 300	1220	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe	svchost.exe
PID 1220 wrote to memory of 1076	1220	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe	svchost.exe
PID 1220 wrote to memory of 1076	1220	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe	svchost.exe
PID 1220 wrote to memory of 964	1220	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe	svchost.exe
PID 1220 wrote to memory of 964	1220	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe	svchost.exe
PID 1220 wrote to memory of 1212	1220	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe	Explorer.EXE
PID 1220 wrote to memory of 1212	1220	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe	Explorer.EXE
PID 1220 wrote to memory of 284	1220	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe
PID 1220 wrote to memory of 284	1220	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe
PID 1220 wrote to memory of 284	1220	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe
PID 1220 wrote to memory of 284	1220	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe
PID 1220 wrote to memory of 1528	1220	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe	cmd.exe
PID 1220 wrote to memory of 1528	1220	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe	cmd.exe
PID 1220 wrote to memory of 1528	1220	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe	cmd.exe
PID 1220 wrote to memory of 1528	1220	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe	cmd.exe
PID 284 wrote to memory of 904	284	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe
PID 284 wrote to memory of 904	284	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe
PID 284 wrote to memory of 904	284	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe
PID 284 wrote to memory of 904	284	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe
PID 284 wrote to memory of 904	284	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe
PID 284 wrote to memory of 904	284	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe
PID 284 wrote to memory of 904	284	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe
PID 284 wrote to memory of 904	284	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe
PID 284 wrote to memory of 904	284	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe
PID 284 wrote to memory of 904	284	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe
PID 284 wrote to memory of 904	284	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe
PID 284 wrote to memory of 904	284	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe	f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:752

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
1⤵
PID:800

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
1⤵
PID:300

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
1⤵
PID:964

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1212
- C:\Users\Admin\AppData\Local\Temp\f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe
  "C:\Users\Admin\AppData\Local\Temp\f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:852
- - C:\Users\Admin\AppData\Local\Temp\f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe
    "C:\Users\Admin\AppData\Local\Temp\f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1220
  - - C:\Users\Admin\AppData\Local\Temp\f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe
      "C:\Users\Admin\AppData\Local\Temp\f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe" /runmain
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:284
    - - C:\Users\Admin\AppData\Local\Temp\f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f50cf14ee372911f23a37ec6fd1b3057679fc3dd28b750c4c4f9f9d889001d8f.exe" /runmain
        5⤵
        Drops file in Drivers directory
        
        PID:904
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\F50CF1~1.EXE >> NUL
      4⤵
      PID:1528

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
1⤵
PID:1076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:876

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
1⤵
PID:844

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
1⤵
PID:668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
PID:584

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/284-89-0x0000000000000000-mapping.dmp

Download
memory/584-68-0x0000000000360000-0x0000000000383000-memory.dmp

Filesize
140KB

Download
memory/852-65-0x0000000001C80000-0x0000000001CA0000-memory.dmp

Filesize
128KB

Download
memory/904-107-0x0000000000400000-0x0000000000424565-memory.dmp

Filesize
145KB

Download
memory/904-106-0x00000000002A0000-0x00000000002B1000-memory.dmp

Filesize
68KB

Download
memory/904-105-0x0000000000270000-0x0000000000293000-memory.dmp

Filesize
140KB

Download
memory/904-102-0x0000000000401ADF-mapping.dmp

Download
memory/1220-67-0x0000000074DA1000-0x0000000074DA3000-memory.dmp

Filesize
8KB

Download
memory/1220-64-0x0000000000401ADF-mapping.dmp

Download
memory/1220-63-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1220-54-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1220-61-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1220-73-0x0000000000400000-0x0000000000424565-memory.dmp

Filesize
145KB

Download
memory/1220-60-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1220-91-0x0000000000400000-0x0000000000424565-memory.dmp

Filesize
145KB

Download
memory/1220-59-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1220-58-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1220-57-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1220-55-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1528-90-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads