6920382e522b23c3dd0013936783870ca21397cdf07ad906e9b389706889c926

General

Target

1efaec67d656e7d858cfa7610271504b.exe
Size

304KB
MD5

1efaec67d656e7d858cfa7610271504b
SHA1

8ba2f6d9c5c4168551e2fddc1e6c3e1b1376a120
SHA256

6920382e522b23c3dd0013936783870ca21397cdf07ad906e9b389706889c926
SHA512

673a29809008c8b8b068720636d551dac3b42a46f130200fbe78624a14a6cd1f3b1a807def5178aa67e0fa48886c49ab917cdc21108e680dbed59fe7e767564a
SSDEEP

6144:wXg115KuLDerlMBFBpV/Dxmc7ib2fDaXT2cLpKqXyZWTU:p1+9kZFxm2q2WXqOp9XUW

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

1efaec67d656e7d858cfa7610271504b.exe

pid process

1972 1efaec67d656e7d858cfa7610271504b.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

1efaec67d656e7d858cfa7610271504b.exe

description pid process target process

PID 2688 set thread context of 1972 2688 1efaec67d656e7d858cfa7610271504b.exe 1efaec67d656e7d858cfa7610271504b.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

1efaec67d656e7d858cfa7610271504b.exe

description pid process

Token: SeDebugPrivilege 2688 1efaec67d656e7d858cfa7610271504b.exe

pid	process
1972	1efaec67d656e7d858cfa7610271504b.exe

description	pid	process	target process
PID 2688 set thread context of 1972	2688	1efaec67d656e7d858cfa7610271504b.exe	1efaec67d656e7d858cfa7610271504b.exe

description	pid	process
Token: SeDebugPrivilege	2688	1efaec67d656e7d858cfa7610271504b.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

1efaec67d656e7d858cfa7610271504b.execsc.exe

description	pid	process	target process
PID 2688 wrote to memory of 3988	2688	1efaec67d656e7d858cfa7610271504b.exe	csc.exe
PID 2688 wrote to memory of 3988	2688	1efaec67d656e7d858cfa7610271504b.exe	csc.exe
PID 2688 wrote to memory of 3988	2688	1efaec67d656e7d858cfa7610271504b.exe	csc.exe
PID 3988 wrote to memory of 4652	3988	csc.exe	cvtres.exe
PID 3988 wrote to memory of 4652	3988	csc.exe	cvtres.exe
PID 3988 wrote to memory of 4652	3988	csc.exe	cvtres.exe
PID 2688 wrote to memory of 1972	2688	1efaec67d656e7d858cfa7610271504b.exe	1efaec67d656e7d858cfa7610271504b.exe
PID 2688 wrote to memory of 1972	2688	1efaec67d656e7d858cfa7610271504b.exe	1efaec67d656e7d858cfa7610271504b.exe
PID 2688 wrote to memory of 1972	2688	1efaec67d656e7d858cfa7610271504b.exe	1efaec67d656e7d858cfa7610271504b.exe
PID 2688 wrote to memory of 1972	2688	1efaec67d656e7d858cfa7610271504b.exe	1efaec67d656e7d858cfa7610271504b.exe
PID 2688 wrote to memory of 1972	2688	1efaec67d656e7d858cfa7610271504b.exe	1efaec67d656e7d858cfa7610271504b.exe

C:\Users\Admin\AppData\Local\Temp\1efaec67d656e7d858cfa7610271504b.exe
"C:\Users\Admin\AppData\Local\Temp\1efaec67d656e7d858cfa7610271504b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2688

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xipysyvm.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:3988

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2F06.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC2F05.tmp"
3⤵
PID:4652

C:\Users\Admin\AppData\Roaming\1efaec67d656e7d858cfa7610271504b.exe
C:\Users\Admin\AppData\Roaming\1efaec67d656e7d858cfa7610271504b.exe
2⤵
- Executes dropped EXE
PID:1972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1972 -ip 1972
1⤵
PID:1656

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES2F06.tmp
Filesize
1KB

MD5
599c6fd884c1e5f05edf53894c07fadb

SHA1
46f4dcdbcc5605a15a6bcf6eadc91249d09afec5

SHA256
608a65f1571b3ef8db02a62e4a8aec0d05f16bc56c0d7c442a11a057fc800164

SHA512
c5c430f970d57450d3a016fbd9a6b9e0eb53feb44a0198545056722321f4c431926f6df6b2f9b183740964a38463f3a189c2ca8ce632593aede99bef821e1138

Download Submit
C:\Users\Admin\AppData\Local\Temp\xipysyvm.dll
Filesize
5KB

MD5
3442f090e0d4cb6075a08344d2688794

SHA1
3e121b3c8eaf1e95f0c6634144941cf3a930587a

SHA256
e1b7e3553580a3aa093c5bf0aeb8f6982e01943b7e8403c6e8f3f6321c3f1633

SHA512
c372ffad339b275b0f64891d8f4e0d298fa63ec8d689a889445f7c44f15e8d9b0881df5985f8bb56ef6e1632d67c48afacb50cf25ffb48384138540e5a52fa16

Download Submit
C:\Users\Admin\AppData\Roaming\1efaec67d656e7d858cfa7610271504b.exe
Filesize
6KB

MD5
d89fdbb4172cee2b2f41033e62c677d6

SHA1
c1917b579551f0915f1a0a8e8e3c7a6809284e6b

SHA256
2cbdc0ddc7901a9b89615cc338f63e1800f864db431e7a7a85749f73cba0b383

SHA512
48941f08ae00d342b52e3255b99ce36abb4e46a48075a760869bc86b1a32c0737eb2bd5e43d5ee665303ab134282f9732738755c4027043ed2d4f414faab63ed

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC2F05.tmp
Filesize
652B

MD5
2745fdb62a61c6343fb1eb02d6759f64

SHA1
c2221e3a9c1b414d30f286d9d7a28609ec9a3eb5

SHA256
2651b69e37e3add617e3caa59b876b8e12db2f7e709e69cbb9a57dcb25fc1e33

SHA512
afd096028a0afe87f9231d5b5691c9182bbbc6ad1e85064c0d2c13c6bb6fc10e74792eca25ed6d699083acb08e998399bb0fbc1eab009a672c78beeda0625291

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xipysyvm.0.cs
Filesize
5KB

MD5
cb25540570735d26bf391e8b54579396

SHA1
135651d49409214d21348bb879f7973384a7a8cb

SHA256
922ec415710a6e1465ed8553838ddf19c8deb32b75da6dfaca372c1067d2d743

SHA512
553ce9d3647b196ccbd6612c06d301afac992130ec5c80fe8fa8a42bab4250053fad651227ff97d9fab4ba8aaff562d421236dc0b2b5d0d4a17430985dd07080

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xipysyvm.cmdline
Filesize
206B

MD5
d1b98d68d97678087d2e28206bf3b5c5

SHA1
f18b27b8d3140dcad12528216ca306df193c905b

SHA256
fe399be5fc993e85feb8eeb69e4eedf3417de98f329874bb7b1d27ce0053e50d

SHA512
40aabe963b639fb2e68ad4181ec9397e8e1577325e1aa475b11e910d76dbaae961b397226979913550dbcfa9aec8c7801a1da30780c9958ff22746f03ab254f4

Download Submit
memory/1972-24-0x0000000000400000-0x0000000000400000-memory.dmp

Download
memory/2688-0-0x0000000074AA0000-0x0000000075051000-memory.dmp

Filesize
5.7MB

Download
memory/2688-4-0x0000000074AA0000-0x0000000075051000-memory.dmp

Filesize
5.7MB

Download
memory/2688-3-0x0000000074AA0000-0x0000000075051000-memory.dmp

Filesize
5.7MB

Download
memory/2688-2-0x0000000074AA0000-0x0000000075051000-memory.dmp

Filesize
5.7MB

Download
memory/2688-1-0x0000000001270000-0x0000000001280000-memory.dmp

Filesize
64KB

Download
memory/2688-23-0x0000000074AA0000-0x0000000075051000-memory.dmp

Filesize
5.7MB

Download
memory/3988-10-0x0000000000750000-0x0000000000760000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads