6920382e522b23c3dd0013936783870ca21397cdf07ad906e9b389706889c926

General

Target

1efaec67d656e7d858cfa7610271504b.exe
Size

304KB
MD5

1efaec67d656e7d858cfa7610271504b
SHA1

8ba2f6d9c5c4168551e2fddc1e6c3e1b1376a120
SHA256

6920382e522b23c3dd0013936783870ca21397cdf07ad906e9b389706889c926
SHA512

673a29809008c8b8b068720636d551dac3b42a46f130200fbe78624a14a6cd1f3b1a807def5178aa67e0fa48886c49ab917cdc21108e680dbed59fe7e767564a
SSDEEP

6144:wXg115KuLDerlMBFBpV/Dxmc7ib2fDaXT2cLpKqXyZWTU:p1+9kZFxm2q2WXqOp9XUW

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

1efaec67d656e7d858cfa7610271504b.exe

pid process

2844 1efaec67d656e7d858cfa7610271504b.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

1efaec67d656e7d858cfa7610271504b.exe

description pid process target process

PID 3448 set thread context of 2844 3448 1efaec67d656e7d858cfa7610271504b.exe 1efaec67d656e7d858cfa7610271504b.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process

2420 2844 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

1efaec67d656e7d858cfa7610271504b.exe

description pid process

Token: SeDebugPrivilege 3448 1efaec67d656e7d858cfa7610271504b.exe

pid	process
2844	1efaec67d656e7d858cfa7610271504b.exe

description	pid	process	target process
PID 3448 set thread context of 2844	3448	1efaec67d656e7d858cfa7610271504b.exe	1efaec67d656e7d858cfa7610271504b.exe

pid	pid_target	process
2420	2844	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	3448	1efaec67d656e7d858cfa7610271504b.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

1efaec67d656e7d858cfa7610271504b.execsc.exe

description	pid	process	target process
PID 3448 wrote to memory of 2228	3448	1efaec67d656e7d858cfa7610271504b.exe	csc.exe
PID 3448 wrote to memory of 2228	3448	1efaec67d656e7d858cfa7610271504b.exe	csc.exe
PID 3448 wrote to memory of 2228	3448	1efaec67d656e7d858cfa7610271504b.exe	csc.exe
PID 2228 wrote to memory of 3728	2228	csc.exe	cvtres.exe
PID 2228 wrote to memory of 3728	2228	csc.exe	cvtres.exe
PID 2228 wrote to memory of 3728	2228	csc.exe	cvtres.exe
PID 3448 wrote to memory of 2844	3448	1efaec67d656e7d858cfa7610271504b.exe	1efaec67d656e7d858cfa7610271504b.exe
PID 3448 wrote to memory of 2844	3448	1efaec67d656e7d858cfa7610271504b.exe	1efaec67d656e7d858cfa7610271504b.exe
PID 3448 wrote to memory of 2844	3448	1efaec67d656e7d858cfa7610271504b.exe	1efaec67d656e7d858cfa7610271504b.exe
PID 3448 wrote to memory of 2844	3448	1efaec67d656e7d858cfa7610271504b.exe	1efaec67d656e7d858cfa7610271504b.exe
PID 3448 wrote to memory of 2844	3448	1efaec67d656e7d858cfa7610271504b.exe	1efaec67d656e7d858cfa7610271504b.exe

C:\Users\Admin\AppData\Local\Temp\1efaec67d656e7d858cfa7610271504b.exe
"C:\Users\Admin\AppData\Local\Temp\1efaec67d656e7d858cfa7610271504b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3448

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gvyaefxb.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2228

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES43EF.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC43EE.tmp"
3⤵
PID:3728

C:\Users\Admin\AppData\Roaming\1efaec67d656e7d858cfa7610271504b.exe
C:\Users\Admin\AppData\Roaming\1efaec67d656e7d858cfa7610271504b.exe
2⤵
- Executes dropped EXE
PID:2844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 12
1⤵
- Program crash
PID:2420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2844 -ip 2844
1⤵
PID:412

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES43EF.tmp
Filesize
1KB

MD5
dbcabbef1c511efc472e6ec7eef939c9

SHA1
2c0007517a16fa5212e1c5b02cdd682b95000929

SHA256
2e1719142beb7ae02d3ae6a5e4a3b514d635a9ecb03802730348f01343baaea2

SHA512
d3db272fb6f4b66a5ce34988b9469c9ac6aa214b7a548c5bb4dc1be47c2fea9108947c71d15f1275929970f24c47a062317e4ea3cb10d326066f03ad47ac24d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\gvyaefxb.dll
Filesize
5KB

MD5
54ccc5d6cc270a96e6d8a6df5c7522fb

SHA1
224e8fd14c391a92614f6fc706104f195aa070fe

SHA256
30a4786058259ea1ee44c74c1eb037f1f030f38293142b5b78974386d011dfa0

SHA512
a950acccb44d55fc96e641b75685a46518383383b16a6e27b9c45fc54234436e207bdcc3c6df87f3f0ab64b670ef876c55b175814f92a9fdec099a84d368298f

Download Submit
C:\Users\Admin\AppData\Roaming\1efaec67d656e7d858cfa7610271504b.exe
Filesize
6KB

MD5
d89fdbb4172cee2b2f41033e62c677d6

SHA1
c1917b579551f0915f1a0a8e8e3c7a6809284e6b

SHA256
2cbdc0ddc7901a9b89615cc338f63e1800f864db431e7a7a85749f73cba0b383

SHA512
48941f08ae00d342b52e3255b99ce36abb4e46a48075a760869bc86b1a32c0737eb2bd5e43d5ee665303ab134282f9732738755c4027043ed2d4f414faab63ed

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC43EE.tmp
Filesize
652B

MD5
135a7c0b1165faed7eb682da26383b04

SHA1
d016dfd11dd880f59b423634366171538876af62

SHA256
1f7fd8f581ae17ad21d51b1acfbfd54059adf9382b7dd447acbaf82fbda3da24

SHA512
2915b38693107397e203255f7ce0f4adb65c9fab917fe18f3990e9cf4ff05b844acd4c2df7f505943ed6087bb7500f14d40a36f145783abe2c6312da953843e3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gvyaefxb.0.cs
Filesize
5KB

MD5
cb25540570735d26bf391e8b54579396

SHA1
135651d49409214d21348bb879f7973384a7a8cb

SHA256
922ec415710a6e1465ed8553838ddf19c8deb32b75da6dfaca372c1067d2d743

SHA512
553ce9d3647b196ccbd6612c06d301afac992130ec5c80fe8fa8a42bab4250053fad651227ff97d9fab4ba8aaff562d421236dc0b2b5d0d4a17430985dd07080

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gvyaefxb.cmdline
Filesize
206B

MD5
33fa198dc3006697033b35d4dd095e16

SHA1
44bb0d60632df74a6e91153c64ee5d54256f3b8e

SHA256
376ef057510fb82772258bd126fd5bb0eff7c0845f61e916932067186ca3ca81

SHA512
ba0a4c0dd6f1f782c519e429ac3a7566a70121cc350a550af7feb78024498b291e68d8d4b35a75d01f509d4b7e12019bdc74e41dd6c28cb6a0f9d8373e2ae99d

Download Submit
memory/2228-8-0x00000000022D0000-0x00000000022E0000-memory.dmp

Filesize
64KB

Download
memory/2844-22-0x0000000000400000-0x0000000000400000-memory.dmp

Download
memory/3448-2-0x0000000074840000-0x0000000074DF1000-memory.dmp

Filesize
5.7MB

Download
memory/3448-1-0x0000000001650000-0x0000000001660000-memory.dmp

Filesize
64KB

Download
memory/3448-0-0x0000000074840000-0x0000000074DF1000-memory.dmp

Filesize
5.7MB

Download
memory/3448-21-0x0000000074840000-0x0000000074DF1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads