6920382e522b23c3dd0013936783870ca21397cdf07ad906e9b389706889c926

General

Target

1efaec67d656e7d858cfa7610271504b.exe
Size

304KB
MD5

1efaec67d656e7d858cfa7610271504b
SHA1

8ba2f6d9c5c4168551e2fddc1e6c3e1b1376a120
SHA256

6920382e522b23c3dd0013936783870ca21397cdf07ad906e9b389706889c926
SHA512

673a29809008c8b8b068720636d551dac3b42a46f130200fbe78624a14a6cd1f3b1a807def5178aa67e0fa48886c49ab917cdc21108e680dbed59fe7e767564a
SSDEEP

6144:wXg115KuLDerlMBFBpV/Dxmc7ib2fDaXT2cLpKqXyZWTU:p1+9kZFxm2q2WXqOp9XUW

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

1efaec67d656e7d858cfa7610271504b.exe

pid process

3040 1efaec67d656e7d858cfa7610271504b.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

1efaec67d656e7d858cfa7610271504b.exe

description pid process target process

PID 4936 set thread context of 3040 4936 1efaec67d656e7d858cfa7610271504b.exe 1efaec67d656e7d858cfa7610271504b.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process

804 3040 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

1efaec67d656e7d858cfa7610271504b.exe

description pid process

Token: SeDebugPrivilege 4936 1efaec67d656e7d858cfa7610271504b.exe

pid	process
3040	1efaec67d656e7d858cfa7610271504b.exe

description	pid	process	target process
PID 4936 set thread context of 3040	4936	1efaec67d656e7d858cfa7610271504b.exe	1efaec67d656e7d858cfa7610271504b.exe

pid	pid_target	process
804	3040	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	4936	1efaec67d656e7d858cfa7610271504b.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

1efaec67d656e7d858cfa7610271504b.execsc.exe

description	pid	process	target process
PID 4936 wrote to memory of 4816	4936	1efaec67d656e7d858cfa7610271504b.exe	csc.exe
PID 4936 wrote to memory of 4816	4936	1efaec67d656e7d858cfa7610271504b.exe	csc.exe
PID 4936 wrote to memory of 4816	4936	1efaec67d656e7d858cfa7610271504b.exe	csc.exe
PID 4816 wrote to memory of 1100	4816	csc.exe	cvtres.exe
PID 4816 wrote to memory of 1100	4816	csc.exe	cvtres.exe
PID 4816 wrote to memory of 1100	4816	csc.exe	cvtres.exe
PID 4936 wrote to memory of 3040	4936	1efaec67d656e7d858cfa7610271504b.exe	1efaec67d656e7d858cfa7610271504b.exe
PID 4936 wrote to memory of 3040	4936	1efaec67d656e7d858cfa7610271504b.exe	1efaec67d656e7d858cfa7610271504b.exe
PID 4936 wrote to memory of 3040	4936	1efaec67d656e7d858cfa7610271504b.exe	1efaec67d656e7d858cfa7610271504b.exe
PID 4936 wrote to memory of 3040	4936	1efaec67d656e7d858cfa7610271504b.exe	1efaec67d656e7d858cfa7610271504b.exe
PID 4936 wrote to memory of 3040	4936	1efaec67d656e7d858cfa7610271504b.exe	1efaec67d656e7d858cfa7610271504b.exe

C:\Users\Admin\AppData\Local\Temp\1efaec67d656e7d858cfa7610271504b.exe
"C:\Users\Admin\AppData\Local\Temp\1efaec67d656e7d858cfa7610271504b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4936

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\o36a3jfv.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:4816

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES71A7.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC71A6.tmp"
3⤵
PID:1100

C:\Users\Admin\AppData\Roaming\1efaec67d656e7d858cfa7610271504b.exe
C:\Users\Admin\AppData\Roaming\1efaec67d656e7d858cfa7610271504b.exe
2⤵
- Executes dropped EXE
PID:3040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3040 -ip 3040
1⤵
PID:376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 12
1⤵
- Program crash
PID:804

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES71A7.tmp
Filesize
1KB

MD5
e75c2440341fde8add4ded45698209e5

SHA1
612dae47ba3ef9ba45ed549dfe3fc6d811c89f73

SHA256
8959c1b9e4c5d1aa721f11d151f51bcce98b49792b3b03cb5c1f4fab59305f41

SHA512
00441245f40ea3fdb0a77898fa8ab13866451c405fd8369d752f85cc35481d132f93c3cd1637dfaf8d953d2890b96bfa2268763ec853294ca8727acedcf86588

Download Submit
C:\Users\Admin\AppData\Local\Temp\o36a3jfv.dll
Filesize
5KB

MD5
1932c1765d2e3c8f78e92f398fc65479

SHA1
726628b9aa99af6cdc4f4cb89b7f2d12236b4428

SHA256
549db69fbd81c2483466a78f098918d4ae1b50812632ec6c96fea87434a06f94

SHA512
42caeff64684ead9549f1cf83ae62a0a2e752dc924f6afa1e087beec312ca34138e56b08c8d3939e7a08a6b3ac598e790d12a5a3d7a183ae0f657b3dd244dcd2

Download Submit
C:\Users\Admin\AppData\Roaming\1efaec67d656e7d858cfa7610271504b.exe
Filesize
6KB

MD5
d89fdbb4172cee2b2f41033e62c677d6

SHA1
c1917b579551f0915f1a0a8e8e3c7a6809284e6b

SHA256
2cbdc0ddc7901a9b89615cc338f63e1800f864db431e7a7a85749f73cba0b383

SHA512
48941f08ae00d342b52e3255b99ce36abb4e46a48075a760869bc86b1a32c0737eb2bd5e43d5ee665303ab134282f9732738755c4027043ed2d4f414faab63ed

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC71A6.tmp
Filesize
652B

MD5
9d4d9315de0389ba7e8d7e823751e684

SHA1
82c04193ac243f3277e97dad77092fed6b293404

SHA256
0c27ae787f0cee107e1813881e883e7247d8a57bf9d53e7fdc44a0c6b5ef5175

SHA512
9f40956164fcc3ddae330b9fa9591f78b92b17e2500afd42423113beef8a5fa62b131fe3387fe63d20555c61145b96ea5c06f41d107a7da6f6d51cddb476750c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\o36a3jfv.0.cs
Filesize
5KB

MD5
cb25540570735d26bf391e8b54579396

SHA1
135651d49409214d21348bb879f7973384a7a8cb

SHA256
922ec415710a6e1465ed8553838ddf19c8deb32b75da6dfaca372c1067d2d743

SHA512
553ce9d3647b196ccbd6612c06d301afac992130ec5c80fe8fa8a42bab4250053fad651227ff97d9fab4ba8aaff562d421236dc0b2b5d0d4a17430985dd07080

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\o36a3jfv.cmdline
Filesize
206B

MD5
1280463fbea6e36ee0f167c018a03f9b

SHA1
c4d7d359dce92204c57fab580cd2502507b0e778

SHA256
cc9b67f8dae785de50be75b7d1a168ff7ff0f13ac79d0c4f0ae58ac5da80be58

SHA512
bb502c76727022b3a2b8ee9833aaa82624a450885f6e602cfb7ef1a486acac61304cf819c58fee0706476f6662d5fee18adabbfcae3922058bc5603f13281419

Download Submit
memory/3040-22-0x0000000000400000-0x0000000000400000-memory.dmp

Download
memory/4816-8-0x00000000009B0000-0x00000000009C0000-memory.dmp

Filesize
64KB

Download
memory/4936-0-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download
memory/4936-2-0x0000000001630000-0x0000000001640000-memory.dmp

Filesize
64KB

Download
memory/4936-1-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download
memory/4936-21-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads