59bc3a189e0d6f90d2932ead11a57d8fde994df95c6d02d24b513295ce86f401

General

Target

59bc3a189e0d6f90d2932ead11a57d8fde994df95c6d02d24b513295ce86f401.exe
Size

440KB
MD5

b974a3e84e7f1c206afe18433533e6b6
SHA1

a7195b3f724ad8d2fdc5e7eb2c55bed57c42b8b0
SHA256

59bc3a189e0d6f90d2932ead11a57d8fde994df95c6d02d24b513295ce86f401
SHA512

11b9d491460120df77a512de85d5cb475ce307b48613ec30ee12133041b1a10a4be249a58428058f3f2f3bce39274270a5800503b4e242fff6ae5516162217d0
SSDEEP

6144:+876q/2f9h5R6kUf8UYDlEHph29O/uRINK2UckLjAV+5alk9v:+8r2HfUf81DmJYO/koMAYa

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

GXbBiXVrXEJCyuA.exe

pid process

1536 GXbBiXVrXEJCyuA.exe
Deletes itself 1 IoCs

Processes:

GXbBiXVrXEJCyuA.exe

pid process

1536 GXbBiXVrXEJCyuA.exe

pid	process
1536	GXbBiXVrXEJCyuA.exe

pid	process
1536	GXbBiXVrXEJCyuA.exe

Drops file in System32 directory 2 IoCs

Processes:

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\2ete64.vas
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\2ete64.vas

Drops file in Windows directory 3 IoCs

Processes:

GXbBiXVrXEJCyuA.exe59bc3a189e0d6f90d2932ead11a57d8fde994df95c6d02d24b513295ce86f401.exe

description	ioc	process
File opened for modification	C:\Windows\GXbBiXVrXEJCyuA.INI	GXbBiXVrXEJCyuA.exe
File opened for modification	C:\Windows\59bc3a189e0d6f90d2932ead11a57d8fde994df95c6d02d24b513295ce86f401.INI	59bc3a189e0d6f90d2932ead11a57d8fde994df95c6d02d24b513295ce86f401.exe
File created	C:\Windows\GXbBiXVrXEJCyuA.exe	59bc3a189e0d6f90d2932ead11a57d8fde994df95c6d02d24b513295ce86f401.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

59bc3a189e0d6f90d2932ead11a57d8fde994df95c6d02d24b513295ce86f401.exeGXbBiXVrXEJCyuA.exe

pid	process
2000	59bc3a189e0d6f90d2932ead11a57d8fde994df95c6d02d24b513295ce86f401.exe
1536	GXbBiXVrXEJCyuA.exe
1536	GXbBiXVrXEJCyuA.exe
1536	GXbBiXVrXEJCyuA.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

GXbBiXVrXEJCyuA.exe

pid process

1536 GXbBiXVrXEJCyuA.exe

pid	process
1536	GXbBiXVrXEJCyuA.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

59bc3a189e0d6f90d2932ead11a57d8fde994df95c6d02d24b513295ce86f401.exeGXbBiXVrXEJCyuA.exe

description	pid	process
Token: SeDebugPrivilege	2000	59bc3a189e0d6f90d2932ead11a57d8fde994df95c6d02d24b513295ce86f401.exe
Token: SeDebugPrivilege	1536	GXbBiXVrXEJCyuA.exe
Token: SeDebugPrivilege	588

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

59bc3a189e0d6f90d2932ead11a57d8fde994df95c6d02d24b513295ce86f401.exeGXbBiXVrXEJCyuA.exe

pid	process
2000	59bc3a189e0d6f90d2932ead11a57d8fde994df95c6d02d24b513295ce86f401.exe
2000	59bc3a189e0d6f90d2932ead11a57d8fde994df95c6d02d24b513295ce86f401.exe
1536	GXbBiXVrXEJCyuA.exe
1536	GXbBiXVrXEJCyuA.exe

Suspicious use of UnmapMainImage 2 IoCs

Processes:

59bc3a189e0d6f90d2932ead11a57d8fde994df95c6d02d24b513295ce86f401.exeGXbBiXVrXEJCyuA.exe

pid process

2000 59bc3a189e0d6f90d2932ead11a57d8fde994df95c6d02d24b513295ce86f401.exe
1536 GXbBiXVrXEJCyuA.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

59bc3a189e0d6f90d2932ead11a57d8fde994df95c6d02d24b513295ce86f401.exe

description	pid	process	target process
PID 2000 wrote to memory of 1536	2000	59bc3a189e0d6f90d2932ead11a57d8fde994df95c6d02d24b513295ce86f401.exe	GXbBiXVrXEJCyuA.exe
PID 2000 wrote to memory of 1536	2000	59bc3a189e0d6f90d2932ead11a57d8fde994df95c6d02d24b513295ce86f401.exe	GXbBiXVrXEJCyuA.exe
PID 2000 wrote to memory of 1536	2000	59bc3a189e0d6f90d2932ead11a57d8fde994df95c6d02d24b513295ce86f401.exe	GXbBiXVrXEJCyuA.exe
PID 2000 wrote to memory of 1536	2000	59bc3a189e0d6f90d2932ead11a57d8fde994df95c6d02d24b513295ce86f401.exe	GXbBiXVrXEJCyuA.exe

C:\Users\Admin\AppData\Local\Temp\59bc3a189e0d6f90d2932ead11a57d8fde994df95c6d02d24b513295ce86f401.exe
"C:\Users\Admin\AppData\Local\Temp\59bc3a189e0d6f90d2932ead11a57d8fde994df95c6d02d24b513295ce86f401.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\GXbBiXVrXEJCyuA.exe
C:\Users\Admin\AppData\Local\Temp\59bc3a189e0d6f90d2932ead11a57d8fde994df95c6d02d24b513295ce86f401.exe
2⤵
- Executes dropped EXE
- Deletes itself
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
PID:1536

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\GXbBiXVrXEJCyuA.exe

Filesize
440KB

MD5
b974a3e84e7f1c206afe18433533e6b6

SHA1
a7195b3f724ad8d2fdc5e7eb2c55bed57c42b8b0

SHA256
59bc3a189e0d6f90d2932ead11a57d8fde994df95c6d02d24b513295ce86f401

SHA512
11b9d491460120df77a512de85d5cb475ce307b48613ec30ee12133041b1a10a4be249a58428058f3f2f3bce39274270a5800503b4e242fff6ae5516162217d0

Download Submit
memory/588-65-0x0000000000440000-0x0000000000472000-memory.dmp

Filesize
200KB

Download
memory/588-66-0x0000000000480000-0x00000000004B6000-memory.dmp

Filesize
216KB

Download
memory/588-68-0x0000000000480000-0x00000000004B6000-memory.dmp

Filesize
216KB

Download
memory/1536-57-0x0000000000000000-mapping.dmp

Download
memory/1536-63-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1536-64-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1536-67-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2000-54-0x0000000075CF1000-0x0000000075CF3000-memory.dmp

Filesize
8KB

Download
memory/2000-55-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2000-59-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads