ee92d573420092eeed3c704f0eabaf464617a6e338dc9c98282779f619524f0a

General

Target

ee92d573420092eeed3c704f0eabaf464617a6e338dc9c98282779f619524f0a.exe
Size

758KB
MD5

5ab3a852e4fb635e1453387d2a2cdfe9
SHA1

3d4dfc906d3377677fb6f717c21b422be699337d
SHA256

ee92d573420092eeed3c704f0eabaf464617a6e338dc9c98282779f619524f0a
SHA512

7eab7971328ae99203a29829e2ed93081a901c337dad2d4d5cc25c78f350a5afd78e8d5872c9d28b31451421f9128055cc42f2533b2d50e43a5a90d8d0f526ce
SSDEEP

12288:1RkTyklU4g/P/tZEW5A0zypvJwQ5oAlK+6gMv9bIk6bQQ52LSRgF8b5sZ6zMm:/UFU4g3DEW5A20Jr/k2MvhIk64eH4

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1772	Email.exe

Deletes itself 1 IoCs

pid	Process
1684	cmd.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1772 set thread context of 1384	1772	Email.exe	29

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Email.exe	ee92d573420092eeed3c704f0eabaf464617a6e338dc9c98282779f619524f0a.exe
File opened for modification	C:\Program Files (x86)\Email.exe	ee92d573420092eeed3c704f0eabaf464617a6e338dc9c98282779f619524f0a.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\uninstal.bat	ee92d573420092eeed3c704f0eabaf464617a6e338dc9c98282779f619524f0a.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1164	ee92d573420092eeed3c704f0eabaf464617a6e338dc9c98282779f619524f0a.exe
Token: SeDebugPrivilege	1772	Email.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1164 wrote to memory of 1684	1164	ee92d573420092eeed3c704f0eabaf464617a6e338dc9c98282779f619524f0a.exe	30
PID 1164 wrote to memory of 1684	1164	ee92d573420092eeed3c704f0eabaf464617a6e338dc9c98282779f619524f0a.exe	30
PID 1164 wrote to memory of 1684	1164	ee92d573420092eeed3c704f0eabaf464617a6e338dc9c98282779f619524f0a.exe	30
PID 1164 wrote to memory of 1684	1164	ee92d573420092eeed3c704f0eabaf464617a6e338dc9c98282779f619524f0a.exe	30
PID 1164 wrote to memory of 1684	1164	ee92d573420092eeed3c704f0eabaf464617a6e338dc9c98282779f619524f0a.exe	30
PID 1164 wrote to memory of 1684	1164	ee92d573420092eeed3c704f0eabaf464617a6e338dc9c98282779f619524f0a.exe	30
PID 1164 wrote to memory of 1684	1164	ee92d573420092eeed3c704f0eabaf464617a6e338dc9c98282779f619524f0a.exe	30
PID 1772 wrote to memory of 1384	1772	Email.exe	29
PID 1772 wrote to memory of 1384	1772	Email.exe	29
PID 1772 wrote to memory of 1384	1772	Email.exe	29
PID 1772 wrote to memory of 1384	1772	Email.exe	29
PID 1772 wrote to memory of 1384	1772	Email.exe	29
PID 1772 wrote to memory of 1384	1772	Email.exe	29

C:\Users\Admin\AppData\Local\Temp\ee92d573420092eeed3c704f0eabaf464617a6e338dc9c98282779f619524f0a.exe
"C:\Users\Admin\AppData\Local\Temp\ee92d573420092eeed3c704f0eabaf464617a6e338dc9c98282779f619524f0a.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1164
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\uninstal.bat
  2⤵
  - Deletes itself
  PID:1684

C:\Program Files (x86)\Email.exe
"C:\Program Files (x86)\Email.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1772
- C:\WINDOWS\SysWOW64\svchost.exe
  C:\WINDOWS\system32\svchost.exe................
  2⤵
  PID:1384

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Email.exe

Filesize
758KB

MD5
5ab3a852e4fb635e1453387d2a2cdfe9

SHA1
3d4dfc906d3377677fb6f717c21b422be699337d

SHA256
ee92d573420092eeed3c704f0eabaf464617a6e338dc9c98282779f619524f0a

SHA512
7eab7971328ae99203a29829e2ed93081a901c337dad2d4d5cc25c78f350a5afd78e8d5872c9d28b31451421f9128055cc42f2533b2d50e43a5a90d8d0f526ce

Download Submit
C:\Program Files (x86)\Email.exe

Filesize
758KB

MD5
5ab3a852e4fb635e1453387d2a2cdfe9

SHA1
3d4dfc906d3377677fb6f717c21b422be699337d

SHA256
ee92d573420092eeed3c704f0eabaf464617a6e338dc9c98282779f619524f0a

SHA512
7eab7971328ae99203a29829e2ed93081a901c337dad2d4d5cc25c78f350a5afd78e8d5872c9d28b31451421f9128055cc42f2533b2d50e43a5a90d8d0f526ce

Download Submit
C:\Windows\uninstal.bat

Filesize
152B

MD5
2c8817f96ef3909bfc35c3c66cf6664e

SHA1
6b99e8a97d238d7b04c7166922bff6d520584f7a

SHA256
0b6d7da9baa3620c6e1fc033c607da4c7131519476842595d5af8c5c5c6a57e4

SHA512
08b67f513ae97d859b6a385111de34d9102ed0df907c6755b266b97d2b063ebb018de00e827f634538bb805a38ec1b599c185dc95293454157c64da8f0b3fde4

Download Submit
memory/1164-54-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1164-55-0x0000000076931000-0x0000000076933000-memory.dmp

Filesize
8KB

Download
memory/1164-56-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1384-62-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1384-64-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1384-65-0x00000000004A1E48-mapping.dmp

Download
memory/1684-61-0x0000000000000000-mapping.dmp

Download
memory/1772-60-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1772-67-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download

Analysis

Sharing