857a919bc372565770b37c9d2c0e63c09d26c5ab62b50fceedbf7fc6a531f703

General

Target

857a919bc372565770b37c9d2c0e63c09d26c5ab62b50fceedbf7fc6a531f703.exe
Size

1.9MB
MD5

bf78f30a0bdf5105c35ac9ec00cae143
SHA1

7a037da4371d0efaa428ef533fef330a9c4005ed
SHA256

857a919bc372565770b37c9d2c0e63c09d26c5ab62b50fceedbf7fc6a531f703
SHA512

6c047aae5b5e435f10b371f6a294631ab03d1c7e08b37aa8769ca68eccf89415d5579cb67a20d7a57646d4ea80285af31f2f006cb246b552c367707daf4e90ab
SSDEEP

24576:Amfiul/z3Jc10qkVEmUBtE7nTvdrX10Hkm2hT3qgCfxoSo+XA+1836z5HhY4g8Zt:tiCrJIy7L4HYVqgC71/i0inVmx

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2804	857a919bc372565770b37c9d2c0e63c09d26c5ab62b50fceedbf7fc6a531f703.tmp
2016	Dism++x64.exe
1328	Process not Found

Loads dropped DLL 3 IoCs

pid	Process
1208	857a919bc372565770b37c9d2c0e63c09d26c5ab62b50fceedbf7fc6a531f703.exe
2804	857a919bc372565770b37c9d2c0e63c09d26c5ab62b50fceedbf7fc6a531f703.tmp
1328	Process not Found

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2804	857a919bc372565770b37c9d2c0e63c09d26c5ab62b50fceedbf7fc6a531f703.tmp
2804	857a919bc372565770b37c9d2c0e63c09d26c5ab62b50fceedbf7fc6a531f703.tmp

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeBackupPrivilege	2016	Dism++x64.exe
Token: SeRestorePrivilege	2016	Dism++x64.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2804	857a919bc372565770b37c9d2c0e63c09d26c5ab62b50fceedbf7fc6a531f703.tmp

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1208 wrote to memory of 2804	1208	857a919bc372565770b37c9d2c0e63c09d26c5ab62b50fceedbf7fc6a531f703.exe	28
PID 1208 wrote to memory of 2804	1208	857a919bc372565770b37c9d2c0e63c09d26c5ab62b50fceedbf7fc6a531f703.exe	28
PID 1208 wrote to memory of 2804	1208	857a919bc372565770b37c9d2c0e63c09d26c5ab62b50fceedbf7fc6a531f703.exe	28
PID 1208 wrote to memory of 2804	1208	857a919bc372565770b37c9d2c0e63c09d26c5ab62b50fceedbf7fc6a531f703.exe	28
PID 1208 wrote to memory of 2804	1208	857a919bc372565770b37c9d2c0e63c09d26c5ab62b50fceedbf7fc6a531f703.exe	28
PID 1208 wrote to memory of 2804	1208	857a919bc372565770b37c9d2c0e63c09d26c5ab62b50fceedbf7fc6a531f703.exe	28
PID 1208 wrote to memory of 2804	1208	857a919bc372565770b37c9d2c0e63c09d26c5ab62b50fceedbf7fc6a531f703.exe	28
PID 2804 wrote to memory of 2016	2804	857a919bc372565770b37c9d2c0e63c09d26c5ab62b50fceedbf7fc6a531f703.tmp	29
PID 2804 wrote to memory of 2016	2804	857a919bc372565770b37c9d2c0e63c09d26c5ab62b50fceedbf7fc6a531f703.tmp	29
PID 2804 wrote to memory of 2016	2804	857a919bc372565770b37c9d2c0e63c09d26c5ab62b50fceedbf7fc6a531f703.tmp	29
PID 2804 wrote to memory of 2016	2804	857a919bc372565770b37c9d2c0e63c09d26c5ab62b50fceedbf7fc6a531f703.tmp	29

C:\Users\Admin\AppData\Local\Temp\857a919bc372565770b37c9d2c0e63c09d26c5ab62b50fceedbf7fc6a531f703.exe
"C:\Users\Admin\AppData\Local\Temp\857a919bc372565770b37c9d2c0e63c09d26c5ab62b50fceedbf7fc6a531f703.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1208
- C:\Users\Admin\AppData\Local\Temp\is-K6MLS.tmp\857a919bc372565770b37c9d2c0e63c09d26c5ab62b50fceedbf7fc6a531f703.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-K6MLS.tmp\857a919bc372565770b37c9d2c0e63c09d26c5ab62b50fceedbf7fc6a531f703.tmp" /SL5="$9001C,1155299,770048,C:\Users\Admin\AppData\Local\Temp\857a919bc372565770b37c9d2c0e63c09d26c5ab62b50fceedbf7fc6a531f703.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Users\Admin\AppData\Local\Temp\is-9LMRE.tmp\Dism++x64.exe
    "C:\Users\Admin\AppData\Local\Temp\is-9LMRE.tmp\Dism++x64.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2016

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-9LMRE.tmp\Dism++x64.exe

Filesize
1.0MB

MD5
a1a058ff98dc1f9320195b398aa06167

SHA1
d974136e6dc4b1726b50a770ec8d6f0f4fc859a7

SHA256
16bbdb339173d25b4332b377da96e80809aabfe6739cf35d5e70484f08cfdc42

SHA512
8517354f8579905a5ff1b581aee79ac4632d83bf1672490b653caf5807e902745ae1df109083ea895ac63f0a106786390d5e769a220dc21af8f8a7a9585dddc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-K6MLS.tmp\857a919bc372565770b37c9d2c0e63c09d26c5ab62b50fceedbf7fc6a531f703.tmp

Filesize
3.0MB

MD5
e0a66a599ec388ef18ae834dc8cec0c2

SHA1
b467b2ff6cd1523545b0f10e7f9c2fca74b60713

SHA256
d30c623503f0021e78322d8d663456400d4cc836e51044ba72eab2fa24f4d2f9

SHA512
d6fc7f8fb2d12f73360cba5fe8566b73e12366bb9bc1172ec65ed6926d92b7f8481d66adfc449cfb08ff66c9298f00ee77156feac0e8c27785e2ced6bbc1d34a

Download Submit
\Users\Admin\AppData\Local\Temp\is-9LMRE.tmp\Dism++x64.exe

Filesize
1.0MB

MD5
a1a058ff98dc1f9320195b398aa06167

SHA1
d974136e6dc4b1726b50a770ec8d6f0f4fc859a7

SHA256
16bbdb339173d25b4332b377da96e80809aabfe6739cf35d5e70484f08cfdc42

SHA512
8517354f8579905a5ff1b581aee79ac4632d83bf1672490b653caf5807e902745ae1df109083ea895ac63f0a106786390d5e769a220dc21af8f8a7a9585dddc8

Download Submit
\Users\Admin\AppData\Local\Temp\is-9LMRE.tmp\Dism++x64.exe

Filesize
1.0MB

MD5
a1a058ff98dc1f9320195b398aa06167

SHA1
d974136e6dc4b1726b50a770ec8d6f0f4fc859a7

SHA256
16bbdb339173d25b4332b377da96e80809aabfe6739cf35d5e70484f08cfdc42

SHA512
8517354f8579905a5ff1b581aee79ac4632d83bf1672490b653caf5807e902745ae1df109083ea895ac63f0a106786390d5e769a220dc21af8f8a7a9585dddc8

Download Submit
\Users\Admin\AppData\Local\Temp\is-9LMRE.tmp\Dism++x64.exe

Filesize
1.0MB

MD5
a1a058ff98dc1f9320195b398aa06167

SHA1
d974136e6dc4b1726b50a770ec8d6f0f4fc859a7

SHA256
16bbdb339173d25b4332b377da96e80809aabfe6739cf35d5e70484f08cfdc42

SHA512
8517354f8579905a5ff1b581aee79ac4632d83bf1672490b653caf5807e902745ae1df109083ea895ac63f0a106786390d5e769a220dc21af8f8a7a9585dddc8

Download Submit
\Users\Admin\AppData\Local\Temp\is-K6MLS.tmp\857a919bc372565770b37c9d2c0e63c09d26c5ab62b50fceedbf7fc6a531f703.tmp

Filesize
3.0MB

MD5
e0a66a599ec388ef18ae834dc8cec0c2

SHA1
b467b2ff6cd1523545b0f10e7f9c2fca74b60713

SHA256
d30c623503f0021e78322d8d663456400d4cc836e51044ba72eab2fa24f4d2f9

SHA512
d6fc7f8fb2d12f73360cba5fe8566b73e12366bb9bc1172ec65ed6926d92b7f8481d66adfc449cfb08ff66c9298f00ee77156feac0e8c27785e2ced6bbc1d34a

Download Submit
memory/1208-53-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/1208-73-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2804-60-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2804-71-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing