fa157916d38fe1c035ceaa44e7cb7d8be1661b7ca7e2ea36b0932103ec09eb76

General

Target

fa157916d38fe1c035ceaa44e7cb7d8be1661b7ca7e2ea36b0932103ec09eb76.exe
Size

1.3MB
MD5

ab5cd542de38a7c9e7cd9797217dc491
SHA1

e5be8bc5b35ed0332ff534c3e122140852a6af99
SHA256

fa157916d38fe1c035ceaa44e7cb7d8be1661b7ca7e2ea36b0932103ec09eb76
SHA512

3555f0d3003ce5f82e229136d734eee92fb3b41cdbec616cf8dce447a834b6db89d71599ab9506ad792a3ac7f9e14b909535121d46496ed7ed25c80bda8451aa
SSDEEP

24576:xfLbwMKbA+tpEnIfjuyV9g2mNvBEenlm0qifEo5M5jkVBCSKmlySxM:FbwBaUOvLnlpp/FFxM

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1976	tmp7DYIO.exe
1544	tmp7DYIO.exe

Loads dropped DLL 1 IoCs

pid	Process
1976	tmp7DYIO.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1976 set thread context of 1544	1976	tmp7DYIO.exe	32

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1976	tmp7DYIO.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1976	tmp7DYIO.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 268 wrote to memory of 1372	268	fa157916d38fe1c035ceaa44e7cb7d8be1661b7ca7e2ea36b0932103ec09eb76.exe	28
PID 268 wrote to memory of 1372	268	fa157916d38fe1c035ceaa44e7cb7d8be1661b7ca7e2ea36b0932103ec09eb76.exe	28
PID 268 wrote to memory of 1372	268	fa157916d38fe1c035ceaa44e7cb7d8be1661b7ca7e2ea36b0932103ec09eb76.exe	28
PID 1372 wrote to memory of 1420	1372	cmd.exe	30
PID 1372 wrote to memory of 1420	1372	cmd.exe	30
PID 1372 wrote to memory of 1420	1372	cmd.exe	30
PID 1420 wrote to memory of 1976	1420	wscript.exe	31
PID 1420 wrote to memory of 1976	1420	wscript.exe	31
PID 1420 wrote to memory of 1976	1420	wscript.exe	31
PID 1420 wrote to memory of 1976	1420	wscript.exe	31
PID 1976 wrote to memory of 1544	1976	tmp7DYIO.exe	32
PID 1976 wrote to memory of 1544	1976	tmp7DYIO.exe	32
PID 1976 wrote to memory of 1544	1976	tmp7DYIO.exe	32
PID 1976 wrote to memory of 1544	1976	tmp7DYIO.exe	32
PID 1976 wrote to memory of 1544	1976	tmp7DYIO.exe	32
PID 1976 wrote to memory of 1544	1976	tmp7DYIO.exe	32
PID 1976 wrote to memory of 1544	1976	tmp7DYIO.exe	32
PID 1976 wrote to memory of 1544	1976	tmp7DYIO.exe	32
PID 1976 wrote to memory of 1544	1976	tmp7DYIO.exe	32
PID 1976 wrote to memory of 1544	1976	tmp7DYIO.exe	32
PID 1976 wrote to memory of 1544	1976	tmp7DYIO.exe	32
PID 1976 wrote to memory of 1544	1976	tmp7DYIO.exe	32

C:\Users\Admin\AppData\Local\Temp\fa157916d38fe1c035ceaa44e7cb7d8be1661b7ca7e2ea36b0932103ec09eb76.exe
"C:\Users\Admin\AppData\Local\Temp\fa157916d38fe1c035ceaa44e7cb7d8be1661b7ca7e2ea36b0932103ec09eb76.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:268
- C:\Windows\system32\cmd.exe
  "cmd" /c cd %temp% & wscript //nologo tmp7DYIO.vbs
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1372
- - C:\Windows\system32\wscript.exe
    wscript //nologo tmp7DYIO.vbs
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1420
  - - C:\Users\Admin\AppData\Local\Temp\tmp7DYIO.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7DYIO.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1976
    - - C:\Users\Admin\AppData\Local\Temp\tmp7DYIO.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7DYIO.exe
        5⤵
        Executes dropped EXE
        
        PID:1544

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7DYIO-.txt

Filesize
918KB

MD5
3d757d3d75e92b687aeb705230f36b4c

SHA1
0247981e6d8d39b3232405158ef9b56dffc5ac18

SHA256
2fad819f152229420ebc9a5e5bf84d3e6f05cd44278f3dd0baa3c9f0a7bfe515

SHA512
6f629f9ec22f7c8012543510430eede1cc52b0c02795d0c012702c432928f8aef1a958ed03b613ce59edb068961ffef9a5b603ba535a210d7d6273e51cfe5be6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7DYIO.exe

Filesize
918KB

MD5
3d757d3d75e92b687aeb705230f36b4c

SHA1
0247981e6d8d39b3232405158ef9b56dffc5ac18

SHA256
2fad819f152229420ebc9a5e5bf84d3e6f05cd44278f3dd0baa3c9f0a7bfe515

SHA512
6f629f9ec22f7c8012543510430eede1cc52b0c02795d0c012702c432928f8aef1a958ed03b613ce59edb068961ffef9a5b603ba535a210d7d6273e51cfe5be6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7DYIO.exe

Filesize
918KB

MD5
3d757d3d75e92b687aeb705230f36b4c

SHA1
0247981e6d8d39b3232405158ef9b56dffc5ac18

SHA256
2fad819f152229420ebc9a5e5bf84d3e6f05cd44278f3dd0baa3c9f0a7bfe515

SHA512
6f629f9ec22f7c8012543510430eede1cc52b0c02795d0c012702c432928f8aef1a958ed03b613ce59edb068961ffef9a5b603ba535a210d7d6273e51cfe5be6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7DYIO.vbs

Filesize
266B

MD5
f0cbdd9d905b0188e27c874e472b7372

SHA1
0508165147dfbbba505dd03b584323b42d461137

SHA256
6ea60065846327c2ffb15739c0f548cc48d82d3a0ffb7869f2f0a31d77e2d65d

SHA512
705cf34806c021dbb8f09bf439781573241b675628f0562f80ebf75aba43eb66db3e187df363f533c9d047fe53ef118b9e3ac894fbad304cd77aa2cf3d603b0d

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7DYIO.exe

Filesize
918KB

MD5
3d757d3d75e92b687aeb705230f36b4c

SHA1
0247981e6d8d39b3232405158ef9b56dffc5ac18

SHA256
2fad819f152229420ebc9a5e5bf84d3e6f05cd44278f3dd0baa3c9f0a7bfe515

SHA512
6f629f9ec22f7c8012543510430eede1cc52b0c02795d0c012702c432928f8aef1a958ed03b613ce59edb068961ffef9a5b603ba535a210d7d6273e51cfe5be6

Download Submit
memory/268-55-0x000007FEFB651000-0x000007FEFB653000-memory.dmp

Filesize
8KB

Download
memory/268-54-0x0000000001060000-0x00000000011AC000-memory.dmp

Filesize
1.3MB

Download
memory/1544-64-0x00000000001D0000-0x00000000002CA000-memory.dmp

Filesize
1000KB

Download
memory/1544-77-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1544-66-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1544-67-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1544-69-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1544-71-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1544-75-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1544-73-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1976-76-0x00000000004C0000-0x00000000004C4000-memory.dmp

Filesize
16KB

Download
memory/1976-62-0x00000000753F1000-0x00000000753F3000-memory.dmp

Filesize
8KB

Download
memory/1976-74-0x0000000074170000-0x000000007471B000-memory.dmp

Filesize
5.7MB

Download
memory/1976-80-0x0000000074170000-0x000000007471B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing