2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926

General

Target

2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe
Size

308KB
MD5

d255a9cc1c1fa4a08e322543673bcb7e
SHA1

b3ea990c7f730eb61ff4ed87748b150e34dbc76c
SHA256

2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926
SHA512

a84b58693e1d5fe4e9d734b058c965a0bd1b0e64894c7dc301929eff31001fd39d31e0ee8d39e31122cf4e6b45def9ea38c5a1535c691fc6a53ceec86fcf1bd7
SSDEEP

6144:ikIZp16d70R3eArX76KRoGOAGw1nYCAtIRJNTu+SnumvMS1leV6EITBsllw:ikLdgR3e2GKKGOsUI0+VS10VCal

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe

pid process

4924 2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe

pid	process
4924	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe

description	pid	process	target process
PID 1332 set thread context of 4924	1332	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3732 4924 WerFault.exe 2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe

description pid process

Token: SeDebugPrivilege 1332 2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe

pid	pid_target	process	target process
3732	4924	WerFault.exe	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe

description	pid	process
Token: SeDebugPrivilege	1332	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.execsc.exe

description	pid	process	target process
PID 1332 wrote to memory of 4764	1332	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe	csc.exe
PID 1332 wrote to memory of 4764	1332	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe	csc.exe
PID 1332 wrote to memory of 4764	1332	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe	csc.exe
PID 4764 wrote to memory of 4032	4764	csc.exe	cvtres.exe
PID 4764 wrote to memory of 4032	4764	csc.exe	cvtres.exe
PID 4764 wrote to memory of 4032	4764	csc.exe	cvtres.exe
PID 1332 wrote to memory of 4924	1332	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe
PID 1332 wrote to memory of 4924	1332	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe
PID 1332 wrote to memory of 4924	1332	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe
PID 1332 wrote to memory of 4924	1332	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe
PID 1332 wrote to memory of 4924	1332	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe	2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe

C:\Users\Admin\AppData\Local\Temp\2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe
"C:\Users\Admin\AppData\Local\Temp\2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1332

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\q9kg2mzh.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:4764

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES34CC.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC34CB.tmp"
3⤵
PID:4032

C:\Users\Admin\AppData\Roaming\2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe
C:\Users\Admin\AppData\Roaming\2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe
2⤵
- Executes dropped EXE
PID:4924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 12
3⤵
- Program crash
PID:3732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4924 -ip 4924
1⤵
PID:216

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES34CC.tmp
Filesize
1KB

MD5
081f9fd10e00a39dfa23f2a00071816e

SHA1
4a1ddc2ccc4d1835b7f12f5042a7b3428522276e

SHA256
d390a55ca02d08a840a1fc631bb0a6a8967d245cc6157c422a340d87365822e4

SHA512
d28f809a9e728895ad8911a3cc3223de6647fad878bb223025d25a5927ac3697a39b38b486677e027301e90ac390607f5eba5ded4c9a0caddb0685c208262310

Download Submit
C:\Users\Admin\AppData\Local\Temp\q9kg2mzh.dll
Filesize
5KB

MD5
2c8f54e4ff614c005751cf4399c4f411

SHA1
8d6a04969486e83b2e1000c7dfd4fc771a10831a

SHA256
567d032363cbc652718a1607928c54ea849c23b4d32b6cecab7264b1d057d512

SHA512
f06694e62d742ccacc8519848042d1c9208b3b48189db5d29a15837f2e91230b1b9792eac3504d84b1799ab6d58461ccf3058d04f9235ab43e5c2dddd8599479

Download Submit
C:\Users\Admin\AppData\Roaming\2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926.exe
Filesize
6KB

MD5
d89fdbb4172cee2b2f41033e62c677d6

SHA1
c1917b579551f0915f1a0a8e8e3c7a6809284e6b

SHA256
2cbdc0ddc7901a9b89615cc338f63e1800f864db431e7a7a85749f73cba0b383

SHA512
48941f08ae00d342b52e3255b99ce36abb4e46a48075a760869bc86b1a32c0737eb2bd5e43d5ee665303ab134282f9732738755c4027043ed2d4f414faab63ed

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC34CB.tmp
Filesize
652B

MD5
b904dc075251b93df68a0aababeaffbe

SHA1
2ff2564a319ac90b2fe53fd1252716077c7dca85

SHA256
c5fe0908eaec54a5b41ad68b98217290182bd53da9b64664d78673a37eb7c2ee

SHA512
96b133b6de13971a4ede0e9ff9419736a07b75238e4bd1619d5b476483d9289af1645df892604b7f52810ca07c65b57506e5a3c532e07ac7b1a64192e2d54d60

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\q9kg2mzh.0.cs
Filesize
5KB

MD5
cb25540570735d26bf391e8b54579396

SHA1
135651d49409214d21348bb879f7973384a7a8cb

SHA256
922ec415710a6e1465ed8553838ddf19c8deb32b75da6dfaca372c1067d2d743

SHA512
553ce9d3647b196ccbd6612c06d301afac992130ec5c80fe8fa8a42bab4250053fad651227ff97d9fab4ba8aaff562d421236dc0b2b5d0d4a17430985dd07080

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\q9kg2mzh.cmdline
Filesize
206B

MD5
0939355fe9fcbe4410ee30e22fe53718

SHA1
b41bf98a146c2a44f37fe145dad0ec530cbf4210

SHA256
ed5cff3c88dd4adce4af51c8ce7e44058017380dcaa287afc4ce3676a9bc8198

SHA512
122e970dafca041a96bde8984336620fabe3aa694336272ccf6dc387d6b1dea48291bcbc1824d8ec6f886be80ed5f5db73de6064fd1e14d69d8e674a0e918ff0

Download Submit
memory/1332-132-0x00000000753A0000-0x0000000075951000-memory.dmp

Filesize
5.7MB

Download
memory/1332-133-0x00000000753A0000-0x0000000075951000-memory.dmp

Filesize
5.7MB

Download
memory/1332-144-0x00000000753A0000-0x0000000075951000-memory.dmp

Filesize
5.7MB

Download
memory/4032-137-0x0000000000000000-mapping.dmp

Download
memory/4764-134-0x0000000000000000-mapping.dmp

Download
memory/4924-141-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing