efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d

General

Target

efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe
Size

860KB
MD5

dbde22b1a6fbc953fde0c33e0e3680b7
SHA1

3d5cfa8569991508e05465de85af8f0f97ab94dd
SHA256

efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d
SHA512

08811f563aee45ac1959e5a159dfd2d7efd065edc6345906207c698ceb669a111944f5910631cca0bf66fbd7f9a8e13dcf2342fa67f637fa99cdfc72903bebb2
SSDEEP

12288:I60a5r6BgBAOI4cha7upZ/5XiX2qc91a6mJntVTN4:qBgBAOI4cs7uf/5SX2HaBJntlN4

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe

pid process

1968 efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe

pid	process
1968	efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe

description	pid	process	target process
PID 4840 set thread context of 1968	4840	efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe	efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe

pid	process
4840	efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe
4840	efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe
4840	efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe
4840	efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe

description pid process

Token: SeSecurityPrivilege 1968 efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe

pid process

4840 efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe

description	pid	process
Token: SeSecurityPrivilege	1968	efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.execmd.exenet.exe

description	pid	process	target process
PID 4840 wrote to memory of 2204	4840	efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe	cmd.exe
PID 4840 wrote to memory of 2204	4840	efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe	cmd.exe
PID 4840 wrote to memory of 2204	4840	efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe	cmd.exe
PID 4840 wrote to memory of 1968	4840	efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe	efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe
PID 4840 wrote to memory of 1968	4840	efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe	efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe
PID 4840 wrote to memory of 1968	4840	efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe	efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe
PID 4840 wrote to memory of 1968	4840	efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe	efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe
PID 4840 wrote to memory of 1968	4840	efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe	efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe
PID 4840 wrote to memory of 1968	4840	efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe	efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe
PID 4840 wrote to memory of 1968	4840	efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe	efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe
PID 4840 wrote to memory of 1968	4840	efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe	efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe
PID 2204 wrote to memory of 3540	2204	cmd.exe	net.exe
PID 2204 wrote to memory of 3540	2204	cmd.exe	net.exe
PID 2204 wrote to memory of 3540	2204	cmd.exe	net.exe
PID 3540 wrote to memory of 4768	3540	net.exe	net1.exe
PID 3540 wrote to memory of 4768	3540	net.exe	net1.exe
PID 3540 wrote to memory of 4768	3540	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe
"C:\Users\Admin\AppData\Local\Temp\efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4840

C:\Windows\SysWOW64\cmd.exe
/c net stop MpsSvc
2⤵
- Suspicious use of WriteProcessMemory
PID:2204

C:\Windows\SysWOW64\net.exe
net stop MpsSvc
3⤵
- Suspicious use of WriteProcessMemory
PID:3540

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MpsSvc
4⤵
PID:4768

C:\Users\Admin\AppData\Local\Temp\efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe
C:\Users\Admin\AppData\Local\Temp\efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1968

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d.exe
Filesize
860KB

MD5
dbde22b1a6fbc953fde0c33e0e3680b7

SHA1
3d5cfa8569991508e05465de85af8f0f97ab94dd

SHA256
efd326904e220f1affae001f2c5dc97feec11185f297deca17ceda8178220f4d

SHA512
08811f563aee45ac1959e5a159dfd2d7efd065edc6345906207c698ceb669a111944f5910631cca0bf66fbd7f9a8e13dcf2342fa67f637fa99cdfc72903bebb2

Download Submit
memory/1968-134-0x0000000000000000-mapping.dmp

Download
memory/1968-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1968-140-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2204-133-0x0000000000000000-mapping.dmp

Download
memory/3540-138-0x0000000000000000-mapping.dmp

Download
memory/4768-139-0x0000000000000000-mapping.dmp

Download
memory/4840-132-0x0000000000680000-0x0000000000684000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads