56f3a8fb86885ebc782e35e871bd938f9d3d6a016e36e8913d665f2c758a85d7

General

Target

56f3a8fb86885ebc782e35e871bd938f9d3d6a016e36e8913d665f2c758a85d7.exe
Size

667KB
MD5

4fb79049697939f6c2b8c60572953de4
SHA1

eaf378a864ddd9ead35443c486373c6142958ffd
SHA256

56f3a8fb86885ebc782e35e871bd938f9d3d6a016e36e8913d665f2c758a85d7
SHA512

c77e65eda99a98953d3b8ccd1398ebd885891b0d2ea995f55efa740ee56bc18f6b2914d4c7f45f235ada6a4e5e7fb442a7c92313adae264caea0bf2c659b03ba
SSDEEP

12288:oiacQpbKbfOS2KxThTUST8+6NaRO7nZTD7++:oeObKiSxxThUy2aunZ7

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

56f3a8fb86885ebc782e35e871bd938f9d3d6a016e36e8913d665f2c758a85d7.exe

pid	process
3132	56f3a8fb86885ebc782e35e871bd938f9d3d6a016e36e8913d665f2c758a85d7.exe
3132	56f3a8fb86885ebc782e35e871bd938f9d3d6a016e36e8913d665f2c758a85d7.exe
3132	56f3a8fb86885ebc782e35e871bd938f9d3d6a016e36e8913d665f2c758a85d7.exe
3132	56f3a8fb86885ebc782e35e871bd938f9d3d6a016e36e8913d665f2c758a85d7.exe
3132	56f3a8fb86885ebc782e35e871bd938f9d3d6a016e36e8913d665f2c758a85d7.exe
3132	56f3a8fb86885ebc782e35e871bd938f9d3d6a016e36e8913d665f2c758a85d7.exe
3132	56f3a8fb86885ebc782e35e871bd938f9d3d6a016e36e8913d665f2c758a85d7.exe
3132	56f3a8fb86885ebc782e35e871bd938f9d3d6a016e36e8913d665f2c758a85d7.exe
3132	56f3a8fb86885ebc782e35e871bd938f9d3d6a016e36e8913d665f2c758a85d7.exe
3132	56f3a8fb86885ebc782e35e871bd938f9d3d6a016e36e8913d665f2c758a85d7.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

56f3a8fb86885ebc782e35e871bd938f9d3d6a016e36e8913d665f2c758a85d7.exe

description pid process

Token: SeDebugPrivilege 3132 56f3a8fb86885ebc782e35e871bd938f9d3d6a016e36e8913d665f2c758a85d7.exe

description	pid	process
Token: SeDebugPrivilege	3132	56f3a8fb86885ebc782e35e871bd938f9d3d6a016e36e8913d665f2c758a85d7.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

56f3a8fb86885ebc782e35e871bd938f9d3d6a016e36e8913d665f2c758a85d7.exe

C:\Users\Admin\AppData\Local\Temp\56f3a8fb86885ebc782e35e871bd938f9d3d6a016e36e8913d665f2c758a85d7.exe
"C:\Users\Admin\AppData\Local\Temp\56f3a8fb86885ebc782e35e871bd938f9d3d6a016e36e8913d665f2c758a85d7.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3132

C:\Users\Admin\AppData\Local\Temp\56f3a8fb86885ebc782e35e871bd938f9d3d6a016e36e8913d665f2c758a85d7.exe
"C:\Users\Admin\AppData\Local\Temp\56f3a8fb86885ebc782e35e871bd938f9d3d6a016e36e8913d665f2c758a85d7.exe"
2⤵
PID:4892

C:\Users\Admin\AppData\Local\Temp\56f3a8fb86885ebc782e35e871bd938f9d3d6a016e36e8913d665f2c758a85d7.exe
"C:\Users\Admin\AppData\Local\Temp\56f3a8fb86885ebc782e35e871bd938f9d3d6a016e36e8913d665f2c758a85d7.exe"
2⤵
PID:2372

C:\Users\Admin\AppData\Local\Temp\56f3a8fb86885ebc782e35e871bd938f9d3d6a016e36e8913d665f2c758a85d7.exe
"C:\Users\Admin\AppData\Local\Temp\56f3a8fb86885ebc782e35e871bd938f9d3d6a016e36e8913d665f2c758a85d7.exe"
2⤵
PID:4304

C:\Users\Admin\AppData\Local\Temp\56f3a8fb86885ebc782e35e871bd938f9d3d6a016e36e8913d665f2c758a85d7.exe
"C:\Users\Admin\AppData\Local\Temp\56f3a8fb86885ebc782e35e871bd938f9d3d6a016e36e8913d665f2c758a85d7.exe"
2⤵
PID:2588

C:\Users\Admin\AppData\Local\Temp\56f3a8fb86885ebc782e35e871bd938f9d3d6a016e36e8913d665f2c758a85d7.exe
"C:\Users\Admin\AppData\Local\Temp\56f3a8fb86885ebc782e35e871bd938f9d3d6a016e36e8913d665f2c758a85d7.exe"
2⤵
PID:3576

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2372-138-0x0000000000000000-mapping.dmp

Download
memory/2588-140-0x0000000000000000-mapping.dmp

Download
memory/3132-132-0x0000000000480000-0x000000000052E000-memory.dmp

Filesize
696KB

Download
memory/3132-133-0x00000000054D0000-0x0000000005A74000-memory.dmp

Filesize
5.6MB

Download
memory/3132-134-0x0000000004F20000-0x0000000004FB2000-memory.dmp

Filesize
584KB

Download
memory/3132-135-0x0000000004ED0000-0x0000000004EDA000-memory.dmp

Filesize
40KB

Download
memory/3132-136-0x0000000008C50000-0x0000000008CEC000-memory.dmp

Filesize
624KB

Download
memory/3576-139-0x0000000000000000-mapping.dmp

Download
memory/4304-141-0x0000000000000000-mapping.dmp

Download
memory/4892-137-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 3132 wrote to memory of 4892	3132	56f3a8fb86885ebc782e35e871bd938f9d3d6a016e36e8913d665f2c758a85d7.exe	56f3a8fb86885ebc782e35e871bd938f9d3d6a016e36e8913d665f2c758a85d7.exe
PID 3132 wrote to memory of 4892	3132	56f3a8fb86885ebc782e35e871bd938f9d3d6a016e36e8913d665f2c758a85d7.exe	56f3a8fb86885ebc782e35e871bd938f9d3d6a016e36e8913d665f2c758a85d7.exe
PID 3132 wrote to memory of 4892	3132	56f3a8fb86885ebc782e35e871bd938f9d3d6a016e36e8913d665f2c758a85d7.exe	56f3a8fb86885ebc782e35e871bd938f9d3d6a016e36e8913d665f2c758a85d7.exe
PID 3132 wrote to memory of 2372	3132	56f3a8fb86885ebc782e35e871bd938f9d3d6a016e36e8913d665f2c758a85d7.exe	56f3a8fb86885ebc782e35e871bd938f9d3d6a016e36e8913d665f2c758a85d7.exe
PID 3132 wrote to memory of 2372	3132	56f3a8fb86885ebc782e35e871bd938f9d3d6a016e36e8913d665f2c758a85d7.exe	56f3a8fb86885ebc782e35e871bd938f9d3d6a016e36e8913d665f2c758a85d7.exe
PID 3132 wrote to memory of 2372	3132	56f3a8fb86885ebc782e35e871bd938f9d3d6a016e36e8913d665f2c758a85d7.exe	56f3a8fb86885ebc782e35e871bd938f9d3d6a016e36e8913d665f2c758a85d7.exe
PID 3132 wrote to memory of 3576	3132	56f3a8fb86885ebc782e35e871bd938f9d3d6a016e36e8913d665f2c758a85d7.exe	56f3a8fb86885ebc782e35e871bd938f9d3d6a016e36e8913d665f2c758a85d7.exe
PID 3132 wrote to memory of 3576	3132	56f3a8fb86885ebc782e35e871bd938f9d3d6a016e36e8913d665f2c758a85d7.exe	56f3a8fb86885ebc782e35e871bd938f9d3d6a016e36e8913d665f2c758a85d7.exe
PID 3132 wrote to memory of 3576	3132	56f3a8fb86885ebc782e35e871bd938f9d3d6a016e36e8913d665f2c758a85d7.exe	56f3a8fb86885ebc782e35e871bd938f9d3d6a016e36e8913d665f2c758a85d7.exe
PID 3132 wrote to memory of 2588	3132	56f3a8fb86885ebc782e35e871bd938f9d3d6a016e36e8913d665f2c758a85d7.exe	56f3a8fb86885ebc782e35e871bd938f9d3d6a016e36e8913d665f2c758a85d7.exe
PID 3132 wrote to memory of 2588	3132	56f3a8fb86885ebc782e35e871bd938f9d3d6a016e36e8913d665f2c758a85d7.exe	56f3a8fb86885ebc782e35e871bd938f9d3d6a016e36e8913d665f2c758a85d7.exe
PID 3132 wrote to memory of 2588	3132	56f3a8fb86885ebc782e35e871bd938f9d3d6a016e36e8913d665f2c758a85d7.exe	56f3a8fb86885ebc782e35e871bd938f9d3d6a016e36e8913d665f2c758a85d7.exe
PID 3132 wrote to memory of 4304	3132	56f3a8fb86885ebc782e35e871bd938f9d3d6a016e36e8913d665f2c758a85d7.exe	56f3a8fb86885ebc782e35e871bd938f9d3d6a016e36e8913d665f2c758a85d7.exe
PID 3132 wrote to memory of 4304	3132	56f3a8fb86885ebc782e35e871bd938f9d3d6a016e36e8913d665f2c758a85d7.exe	56f3a8fb86885ebc782e35e871bd938f9d3d6a016e36e8913d665f2c758a85d7.exe
PID 3132 wrote to memory of 4304	3132	56f3a8fb86885ebc782e35e871bd938f9d3d6a016e36e8913d665f2c758a85d7.exe	56f3a8fb86885ebc782e35e871bd938f9d3d6a016e36e8913d665f2c758a85d7.exe

Analysis

Sharing