8f20519e5ed3f79fa4979492bec6b3610ddd9ebd7ea13b54ba0001f48919743d

General

Target

3d0f9f89293300e70a0a0c37c5aab81be9ed97a7ec4a2f5a73e54767d4aed644.exe
Size

1.1MB
MD5

8771e4a71d08e5d647aca2d9a4e78640
SHA1

2149e01eed4f4d77cfac17c2921de59b1590ddde
SHA256

3d0f9f89293300e70a0a0c37c5aab81be9ed97a7ec4a2f5a73e54767d4aed644
SHA512

3b581ec531d386e5b9c1e35b26d50b7a4016128593cd8ba8c8fdc08ef0ffd255f0c6164e6c03e39a98695ee9861fe7d68db4664c659f2e330a49b14fd10d9c81
SSDEEP

12288:JlMOEAlI3MzSSV93jHFoMqP8zBnx1FQEGFm4l2WViumw1uFR7r/mYQf3mV7eK8qy:JCYdSSXFtdx12PF9ltViIuFZmbPcuq

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

3d0f9f89293300e70a0a0c37c5aab81be9ed97a7ec4a2f5a73e54767d4aed644.exe

pid	process
1528	3d0f9f89293300e70a0a0c37c5aab81be9ed97a7ec4a2f5a73e54767d4aed644.exe
1528	3d0f9f89293300e70a0a0c37c5aab81be9ed97a7ec4a2f5a73e54767d4aed644.exe
1528	3d0f9f89293300e70a0a0c37c5aab81be9ed97a7ec4a2f5a73e54767d4aed644.exe
1528	3d0f9f89293300e70a0a0c37c5aab81be9ed97a7ec4a2f5a73e54767d4aed644.exe
1528	3d0f9f89293300e70a0a0c37c5aab81be9ed97a7ec4a2f5a73e54767d4aed644.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

3d0f9f89293300e70a0a0c37c5aab81be9ed97a7ec4a2f5a73e54767d4aed644.exe

description pid process

Token: SeDebugPrivilege 1528 3d0f9f89293300e70a0a0c37c5aab81be9ed97a7ec4a2f5a73e54767d4aed644.exe

description	pid	process
Token: SeDebugPrivilege	1528	3d0f9f89293300e70a0a0c37c5aab81be9ed97a7ec4a2f5a73e54767d4aed644.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

3d0f9f89293300e70a0a0c37c5aab81be9ed97a7ec4a2f5a73e54767d4aed644.exe

C:\Users\Admin\AppData\Local\Temp\3d0f9f89293300e70a0a0c37c5aab81be9ed97a7ec4a2f5a73e54767d4aed644.exe
"C:\Users\Admin\AppData\Local\Temp\3d0f9f89293300e70a0a0c37c5aab81be9ed97a7ec4a2f5a73e54767d4aed644.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1528

C:\Users\Admin\AppData\Local\Temp\3d0f9f89293300e70a0a0c37c5aab81be9ed97a7ec4a2f5a73e54767d4aed644.exe
"C:\Users\Admin\AppData\Local\Temp\3d0f9f89293300e70a0a0c37c5aab81be9ed97a7ec4a2f5a73e54767d4aed644.exe"
2⤵
PID:1496

C:\Users\Admin\AppData\Local\Temp\3d0f9f89293300e70a0a0c37c5aab81be9ed97a7ec4a2f5a73e54767d4aed644.exe
"C:\Users\Admin\AppData\Local\Temp\3d0f9f89293300e70a0a0c37c5aab81be9ed97a7ec4a2f5a73e54767d4aed644.exe"
2⤵
PID:1304

C:\Users\Admin\AppData\Local\Temp\3d0f9f89293300e70a0a0c37c5aab81be9ed97a7ec4a2f5a73e54767d4aed644.exe
"C:\Users\Admin\AppData\Local\Temp\3d0f9f89293300e70a0a0c37c5aab81be9ed97a7ec4a2f5a73e54767d4aed644.exe"
2⤵
PID:1424

C:\Users\Admin\AppData\Local\Temp\3d0f9f89293300e70a0a0c37c5aab81be9ed97a7ec4a2f5a73e54767d4aed644.exe
"C:\Users\Admin\AppData\Local\Temp\3d0f9f89293300e70a0a0c37c5aab81be9ed97a7ec4a2f5a73e54767d4aed644.exe"
2⤵
PID:1604

C:\Users\Admin\AppData\Local\Temp\3d0f9f89293300e70a0a0c37c5aab81be9ed97a7ec4a2f5a73e54767d4aed644.exe
"C:\Users\Admin\AppData\Local\Temp\3d0f9f89293300e70a0a0c37c5aab81be9ed97a7ec4a2f5a73e54767d4aed644.exe"
2⤵
PID:1420

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1528-54-0x0000000000350000-0x0000000000478000-memory.dmp

Filesize
1.2MB

Download
memory/1528-55-0x00000000005C0000-0x00000000005DA000-memory.dmp

Filesize
104KB

Download
memory/1528-56-0x0000000004620000-0x0000000004660000-memory.dmp

Filesize
256KB

Download
memory/1528-57-0x0000000004620000-0x0000000004660000-memory.dmp

Filesize
256KB

Download
memory/1528-58-0x0000000000560000-0x000000000056C000-memory.dmp

Filesize
48KB

Download
memory/1528-59-0x00000000050F0000-0x0000000005190000-memory.dmp

Filesize
640KB

Download
memory/1528-60-0x0000000001FE0000-0x0000000001FE6000-memory.dmp

Filesize
24KB

Download
memory/1528-61-0x00000000022E0000-0x0000000002314000-memory.dmp

Filesize
208KB

Download

description	pid	process	target process
PID 1528 wrote to memory of 1496	1528	3d0f9f89293300e70a0a0c37c5aab81be9ed97a7ec4a2f5a73e54767d4aed644.exe	3d0f9f89293300e70a0a0c37c5aab81be9ed97a7ec4a2f5a73e54767d4aed644.exe
PID 1528 wrote to memory of 1496	1528	3d0f9f89293300e70a0a0c37c5aab81be9ed97a7ec4a2f5a73e54767d4aed644.exe	3d0f9f89293300e70a0a0c37c5aab81be9ed97a7ec4a2f5a73e54767d4aed644.exe
PID 1528 wrote to memory of 1496	1528	3d0f9f89293300e70a0a0c37c5aab81be9ed97a7ec4a2f5a73e54767d4aed644.exe	3d0f9f89293300e70a0a0c37c5aab81be9ed97a7ec4a2f5a73e54767d4aed644.exe
PID 1528 wrote to memory of 1496	1528	3d0f9f89293300e70a0a0c37c5aab81be9ed97a7ec4a2f5a73e54767d4aed644.exe	3d0f9f89293300e70a0a0c37c5aab81be9ed97a7ec4a2f5a73e54767d4aed644.exe
PID 1528 wrote to memory of 1304	1528	3d0f9f89293300e70a0a0c37c5aab81be9ed97a7ec4a2f5a73e54767d4aed644.exe	3d0f9f89293300e70a0a0c37c5aab81be9ed97a7ec4a2f5a73e54767d4aed644.exe
PID 1528 wrote to memory of 1304	1528	3d0f9f89293300e70a0a0c37c5aab81be9ed97a7ec4a2f5a73e54767d4aed644.exe	3d0f9f89293300e70a0a0c37c5aab81be9ed97a7ec4a2f5a73e54767d4aed644.exe
PID 1528 wrote to memory of 1304	1528	3d0f9f89293300e70a0a0c37c5aab81be9ed97a7ec4a2f5a73e54767d4aed644.exe	3d0f9f89293300e70a0a0c37c5aab81be9ed97a7ec4a2f5a73e54767d4aed644.exe
PID 1528 wrote to memory of 1304	1528	3d0f9f89293300e70a0a0c37c5aab81be9ed97a7ec4a2f5a73e54767d4aed644.exe	3d0f9f89293300e70a0a0c37c5aab81be9ed97a7ec4a2f5a73e54767d4aed644.exe
PID 1528 wrote to memory of 1424	1528	3d0f9f89293300e70a0a0c37c5aab81be9ed97a7ec4a2f5a73e54767d4aed644.exe	3d0f9f89293300e70a0a0c37c5aab81be9ed97a7ec4a2f5a73e54767d4aed644.exe
PID 1528 wrote to memory of 1424	1528	3d0f9f89293300e70a0a0c37c5aab81be9ed97a7ec4a2f5a73e54767d4aed644.exe	3d0f9f89293300e70a0a0c37c5aab81be9ed97a7ec4a2f5a73e54767d4aed644.exe
PID 1528 wrote to memory of 1424	1528	3d0f9f89293300e70a0a0c37c5aab81be9ed97a7ec4a2f5a73e54767d4aed644.exe	3d0f9f89293300e70a0a0c37c5aab81be9ed97a7ec4a2f5a73e54767d4aed644.exe
PID 1528 wrote to memory of 1424	1528	3d0f9f89293300e70a0a0c37c5aab81be9ed97a7ec4a2f5a73e54767d4aed644.exe	3d0f9f89293300e70a0a0c37c5aab81be9ed97a7ec4a2f5a73e54767d4aed644.exe
PID 1528 wrote to memory of 1604	1528	3d0f9f89293300e70a0a0c37c5aab81be9ed97a7ec4a2f5a73e54767d4aed644.exe	3d0f9f89293300e70a0a0c37c5aab81be9ed97a7ec4a2f5a73e54767d4aed644.exe
PID 1528 wrote to memory of 1604	1528	3d0f9f89293300e70a0a0c37c5aab81be9ed97a7ec4a2f5a73e54767d4aed644.exe	3d0f9f89293300e70a0a0c37c5aab81be9ed97a7ec4a2f5a73e54767d4aed644.exe
PID 1528 wrote to memory of 1604	1528	3d0f9f89293300e70a0a0c37c5aab81be9ed97a7ec4a2f5a73e54767d4aed644.exe	3d0f9f89293300e70a0a0c37c5aab81be9ed97a7ec4a2f5a73e54767d4aed644.exe
PID 1528 wrote to memory of 1604	1528	3d0f9f89293300e70a0a0c37c5aab81be9ed97a7ec4a2f5a73e54767d4aed644.exe	3d0f9f89293300e70a0a0c37c5aab81be9ed97a7ec4a2f5a73e54767d4aed644.exe
PID 1528 wrote to memory of 1420	1528	3d0f9f89293300e70a0a0c37c5aab81be9ed97a7ec4a2f5a73e54767d4aed644.exe	3d0f9f89293300e70a0a0c37c5aab81be9ed97a7ec4a2f5a73e54767d4aed644.exe
PID 1528 wrote to memory of 1420	1528	3d0f9f89293300e70a0a0c37c5aab81be9ed97a7ec4a2f5a73e54767d4aed644.exe	3d0f9f89293300e70a0a0c37c5aab81be9ed97a7ec4a2f5a73e54767d4aed644.exe
PID 1528 wrote to memory of 1420	1528	3d0f9f89293300e70a0a0c37c5aab81be9ed97a7ec4a2f5a73e54767d4aed644.exe	3d0f9f89293300e70a0a0c37c5aab81be9ed97a7ec4a2f5a73e54767d4aed644.exe
PID 1528 wrote to memory of 1420	1528	3d0f9f89293300e70a0a0c37c5aab81be9ed97a7ec4a2f5a73e54767d4aed644.exe	3d0f9f89293300e70a0a0c37c5aab81be9ed97a7ec4a2f5a73e54767d4aed644.exe

Analysis

Sharing