d5b0e90d780322b1e334e551394e4efeaa9782d5d840bfbba0d76df3a45f74fe

General

Target

f7361813973bf5358dfe900784ab0c2cddd70ad3c1bfdeac1b1de494ffb2a3fa.exe
Size

1.0MB
MD5

6ffcaa9d57ed36d74cac808ffc5fc9b6
SHA1

89c88ac7b1420300e2f63b5a7f863c7f672ba959
SHA256

f7361813973bf5358dfe900784ab0c2cddd70ad3c1bfdeac1b1de494ffb2a3fa
SHA512

49f0afba5127f6caef4a78c3c1450c362543fa88b6eb9921d3621760912914b21aa19e55c3e780c13b21693e645bd151eeb83d58e03746f26434decf8d434676
SSDEEP

24576:y/OFMbQyXyXhZVTR0z71BM2TRkB6huiR3BSpNoVf0LTsIBMNjnNNOhAe/S0:dHyXyXQHFTRkB6hulb80

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

f7361813973bf5358dfe900784ab0c2cddd70ad3c1bfdeac1b1de494ffb2a3fa.exe

pid	process
1208	f7361813973bf5358dfe900784ab0c2cddd70ad3c1bfdeac1b1de494ffb2a3fa.exe
1208	f7361813973bf5358dfe900784ab0c2cddd70ad3c1bfdeac1b1de494ffb2a3fa.exe
1208	f7361813973bf5358dfe900784ab0c2cddd70ad3c1bfdeac1b1de494ffb2a3fa.exe
1208	f7361813973bf5358dfe900784ab0c2cddd70ad3c1bfdeac1b1de494ffb2a3fa.exe
1208	f7361813973bf5358dfe900784ab0c2cddd70ad3c1bfdeac1b1de494ffb2a3fa.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

f7361813973bf5358dfe900784ab0c2cddd70ad3c1bfdeac1b1de494ffb2a3fa.exe

description	pid	process
Token: SeBackupPrivilege	1208	f7361813973bf5358dfe900784ab0c2cddd70ad3c1bfdeac1b1de494ffb2a3fa.exe
Token: SeSecurityPrivilege	1208	f7361813973bf5358dfe900784ab0c2cddd70ad3c1bfdeac1b1de494ffb2a3fa.exe
Token: SeSecurityPrivilege	1208	f7361813973bf5358dfe900784ab0c2cddd70ad3c1bfdeac1b1de494ffb2a3fa.exe
Token: SeBackupPrivilege	1208	f7361813973bf5358dfe900784ab0c2cddd70ad3c1bfdeac1b1de494ffb2a3fa.exe
Token: SeSecurityPrivilege	1208	f7361813973bf5358dfe900784ab0c2cddd70ad3c1bfdeac1b1de494ffb2a3fa.exe
Token: SeDebugPrivilege	1208	f7361813973bf5358dfe900784ab0c2cddd70ad3c1bfdeac1b1de494ffb2a3fa.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

f7361813973bf5358dfe900784ab0c2cddd70ad3c1bfdeac1b1de494ffb2a3fa.exe

C:\Users\Admin\AppData\Local\Temp\f7361813973bf5358dfe900784ab0c2cddd70ad3c1bfdeac1b1de494ffb2a3fa.exe
"C:\Users\Admin\AppData\Local\Temp\f7361813973bf5358dfe900784ab0c2cddd70ad3c1bfdeac1b1de494ffb2a3fa.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1208

C:\Users\Admin\AppData\Local\Temp\f7361813973bf5358dfe900784ab0c2cddd70ad3c1bfdeac1b1de494ffb2a3fa.exe
"{path}"
2⤵
PID:472

C:\Users\Admin\AppData\Local\Temp\f7361813973bf5358dfe900784ab0c2cddd70ad3c1bfdeac1b1de494ffb2a3fa.exe
"{path}"
2⤵
PID:580

C:\Users\Admin\AppData\Local\Temp\f7361813973bf5358dfe900784ab0c2cddd70ad3c1bfdeac1b1de494ffb2a3fa.exe
"{path}"
2⤵
PID:376

C:\Users\Admin\AppData\Local\Temp\f7361813973bf5358dfe900784ab0c2cddd70ad3c1bfdeac1b1de494ffb2a3fa.exe
"{path}"
2⤵
PID:1880

C:\Users\Admin\AppData\Local\Temp\f7361813973bf5358dfe900784ab0c2cddd70ad3c1bfdeac1b1de494ffb2a3fa.exe
"{path}"
2⤵
PID:1376

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1208-54-0x00000000003F0000-0x00000000004FA000-memory.dmp

Filesize
1.0MB

Download
memory/1208-55-0x0000000004C90000-0x0000000004CD0000-memory.dmp

Filesize
256KB

Download
memory/1208-56-0x0000000000230000-0x000000000023E000-memory.dmp

Filesize
56KB

Download
memory/1208-57-0x00000000050B0000-0x0000000005180000-memory.dmp

Filesize
832KB

Download
memory/1208-58-0x0000000004C90000-0x0000000004CD0000-memory.dmp

Filesize
256KB

Download
memory/1208-59-0x0000000006130000-0x00000000061EE000-memory.dmp

Filesize
760KB

Download
memory/1208-60-0x0000000004B10000-0x0000000004B8A000-memory.dmp

Filesize
488KB

Download

description	pid	process	target process
PID 1208 wrote to memory of 472	1208	f7361813973bf5358dfe900784ab0c2cddd70ad3c1bfdeac1b1de494ffb2a3fa.exe	f7361813973bf5358dfe900784ab0c2cddd70ad3c1bfdeac1b1de494ffb2a3fa.exe
PID 1208 wrote to memory of 472	1208	f7361813973bf5358dfe900784ab0c2cddd70ad3c1bfdeac1b1de494ffb2a3fa.exe	f7361813973bf5358dfe900784ab0c2cddd70ad3c1bfdeac1b1de494ffb2a3fa.exe
PID 1208 wrote to memory of 472	1208	f7361813973bf5358dfe900784ab0c2cddd70ad3c1bfdeac1b1de494ffb2a3fa.exe	f7361813973bf5358dfe900784ab0c2cddd70ad3c1bfdeac1b1de494ffb2a3fa.exe
PID 1208 wrote to memory of 472	1208	f7361813973bf5358dfe900784ab0c2cddd70ad3c1bfdeac1b1de494ffb2a3fa.exe	f7361813973bf5358dfe900784ab0c2cddd70ad3c1bfdeac1b1de494ffb2a3fa.exe
PID 1208 wrote to memory of 580	1208	f7361813973bf5358dfe900784ab0c2cddd70ad3c1bfdeac1b1de494ffb2a3fa.exe	f7361813973bf5358dfe900784ab0c2cddd70ad3c1bfdeac1b1de494ffb2a3fa.exe
PID 1208 wrote to memory of 580	1208	f7361813973bf5358dfe900784ab0c2cddd70ad3c1bfdeac1b1de494ffb2a3fa.exe	f7361813973bf5358dfe900784ab0c2cddd70ad3c1bfdeac1b1de494ffb2a3fa.exe
PID 1208 wrote to memory of 580	1208	f7361813973bf5358dfe900784ab0c2cddd70ad3c1bfdeac1b1de494ffb2a3fa.exe	f7361813973bf5358dfe900784ab0c2cddd70ad3c1bfdeac1b1de494ffb2a3fa.exe
PID 1208 wrote to memory of 580	1208	f7361813973bf5358dfe900784ab0c2cddd70ad3c1bfdeac1b1de494ffb2a3fa.exe	f7361813973bf5358dfe900784ab0c2cddd70ad3c1bfdeac1b1de494ffb2a3fa.exe
PID 1208 wrote to memory of 376	1208	f7361813973bf5358dfe900784ab0c2cddd70ad3c1bfdeac1b1de494ffb2a3fa.exe	f7361813973bf5358dfe900784ab0c2cddd70ad3c1bfdeac1b1de494ffb2a3fa.exe
PID 1208 wrote to memory of 376	1208	f7361813973bf5358dfe900784ab0c2cddd70ad3c1bfdeac1b1de494ffb2a3fa.exe	f7361813973bf5358dfe900784ab0c2cddd70ad3c1bfdeac1b1de494ffb2a3fa.exe
PID 1208 wrote to memory of 376	1208	f7361813973bf5358dfe900784ab0c2cddd70ad3c1bfdeac1b1de494ffb2a3fa.exe	f7361813973bf5358dfe900784ab0c2cddd70ad3c1bfdeac1b1de494ffb2a3fa.exe
PID 1208 wrote to memory of 376	1208	f7361813973bf5358dfe900784ab0c2cddd70ad3c1bfdeac1b1de494ffb2a3fa.exe	f7361813973bf5358dfe900784ab0c2cddd70ad3c1bfdeac1b1de494ffb2a3fa.exe
PID 1208 wrote to memory of 1880	1208	f7361813973bf5358dfe900784ab0c2cddd70ad3c1bfdeac1b1de494ffb2a3fa.exe	f7361813973bf5358dfe900784ab0c2cddd70ad3c1bfdeac1b1de494ffb2a3fa.exe
PID 1208 wrote to memory of 1880	1208	f7361813973bf5358dfe900784ab0c2cddd70ad3c1bfdeac1b1de494ffb2a3fa.exe	f7361813973bf5358dfe900784ab0c2cddd70ad3c1bfdeac1b1de494ffb2a3fa.exe
PID 1208 wrote to memory of 1880	1208	f7361813973bf5358dfe900784ab0c2cddd70ad3c1bfdeac1b1de494ffb2a3fa.exe	f7361813973bf5358dfe900784ab0c2cddd70ad3c1bfdeac1b1de494ffb2a3fa.exe
PID 1208 wrote to memory of 1880	1208	f7361813973bf5358dfe900784ab0c2cddd70ad3c1bfdeac1b1de494ffb2a3fa.exe	f7361813973bf5358dfe900784ab0c2cddd70ad3c1bfdeac1b1de494ffb2a3fa.exe
PID 1208 wrote to memory of 1376	1208	f7361813973bf5358dfe900784ab0c2cddd70ad3c1bfdeac1b1de494ffb2a3fa.exe	f7361813973bf5358dfe900784ab0c2cddd70ad3c1bfdeac1b1de494ffb2a3fa.exe
PID 1208 wrote to memory of 1376	1208	f7361813973bf5358dfe900784ab0c2cddd70ad3c1bfdeac1b1de494ffb2a3fa.exe	f7361813973bf5358dfe900784ab0c2cddd70ad3c1bfdeac1b1de494ffb2a3fa.exe
PID 1208 wrote to memory of 1376	1208	f7361813973bf5358dfe900784ab0c2cddd70ad3c1bfdeac1b1de494ffb2a3fa.exe	f7361813973bf5358dfe900784ab0c2cddd70ad3c1bfdeac1b1de494ffb2a3fa.exe
PID 1208 wrote to memory of 1376	1208	f7361813973bf5358dfe900784ab0c2cddd70ad3c1bfdeac1b1de494ffb2a3fa.exe	f7361813973bf5358dfe900784ab0c2cddd70ad3c1bfdeac1b1de494ffb2a3fa.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads