03d2b50298ee6f13c36970c728f8c34d49c473feea6057c18c87d4c3e9e929f9

General

Target

550d8e39c54aba188b731f6d6c066848.exe
Size

397KB
MD5

550d8e39c54aba188b731f6d6c066848
SHA1

8c935b028deed1d29529998a6a28b7025c9d0ab0
SHA256

03d2b50298ee6f13c36970c728f8c34d49c473feea6057c18c87d4c3e9e929f9
SHA512

bdb182ff4ba57dbc57bc9a1cb353ec303236981716ee088aa18b05d21f0897ec426e7b74da1ab4fa5a22867de85094a0ea1e7b10a83b1f4475550560f17da3a6
SSDEEP

12288:/4W8MA3eR1vWv7XLhOUL3Qwz9v/M2YMdmr:/bAODev7XdHL3QwBv/M2H

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2852	cmd.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Tmpsys.dll	550d8e39c54aba188b731f6d6c066848.exe
File opened for modification	C:\Windows\SysWOW64\Tmpsys.dll	550d8e39c54aba188b731f6d6c066848.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\259406387.dll	550d8e39c54aba188b731f6d6c066848.exe
File created	C:\Windows\259406558.bat	550d8e39c54aba188b731f6d6c066848.exe
File created	C:\Windows\259406699.bat	550d8e39c54aba188b731f6d6c066848.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2880	550d8e39c54aba188b731f6d6c066848.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2880	550d8e39c54aba188b731f6d6c066848.exe
Token: SeDebugPrivilege	2880	550d8e39c54aba188b731f6d6c066848.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2880 wrote to memory of 424	2880	550d8e39c54aba188b731f6d6c066848.exe	3
PID 2880 wrote to memory of 2860	2880	550d8e39c54aba188b731f6d6c066848.exe	28
PID 2880 wrote to memory of 2860	2880	550d8e39c54aba188b731f6d6c066848.exe	28
PID 2880 wrote to memory of 2860	2880	550d8e39c54aba188b731f6d6c066848.exe	28
PID 2880 wrote to memory of 2860	2880	550d8e39c54aba188b731f6d6c066848.exe	28
PID 2880 wrote to memory of 2852	2880	550d8e39c54aba188b731f6d6c066848.exe	30
PID 2880 wrote to memory of 2852	2880	550d8e39c54aba188b731f6d6c066848.exe	30
PID 2880 wrote to memory of 2852	2880	550d8e39c54aba188b731f6d6c066848.exe	30
PID 2880 wrote to memory of 2852	2880	550d8e39c54aba188b731f6d6c066848.exe	30

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:424

C:\Users\Admin\AppData\Local\Temp\550d8e39c54aba188b731f6d6c066848.exe
"C:\Users\Admin\AppData\Local\Temp\550d8e39c54aba188b731f6d6c066848.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\259406558.bat
  2⤵
  PID:2860
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\259406699.bat
  2⤵
  - Deletes itself
  PID:2852

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\259406558.bat

Filesize
99B

MD5
c45fc911f96245d7c78e5b4057dd9352

SHA1
6093cdd9b7207c897d73aa9fbd20ced4dc211cc5

SHA256
2b360b7b0b81d52d467207f04fbc26be53b045dabbfabdb383f414d4b3e6132b

SHA512
8e0a1eb30b2c143fb117e8a509d431f0f09d5c16a46a1a6e10a688b4c557019af5ad06107eab6151c8cc47779374fbb7dc45bc53b08d8989e5e4026962e62fe1

Download Submit
C:\Windows\259406699.bat

Filesize
191B

MD5
17e1737a83b74e528790e54eca4963d2

SHA1
339b3a47c88001fcafa5ac6a4c41f67ac8d72c2c

SHA256
147822825df5a91390bf6b75e09f38c12faf2d120485a70cadc9681162dc5662

SHA512
66200951a3c02595d7039dc17e251906a88bab13a236644ad3c8f1965b6fdfef68abeb20ad08947834c20502c2db0fccad3923ee344bebc05d179ea49c789643

Download Submit
C:\Windows\SysWOW64\Tmpsys.dll

Filesize
142KB

MD5
b1f1316d95422973e798def49be75d3b

SHA1
9ed5900fe85a13e2e5c9cf8c415e70466fe60fe8

SHA256
a0de4b3a0e7e5b902666180a5e9742da6619b81bc8957f74619aae28ffeb6b2e

SHA512
2d1a7e7f8792359d01b3cb02e99104b9c2e57d3125b0c329705be24dac1287ece1d9538bf56de23bed694c39a1dc70adcd583e3b78771e2516b3e4d7e6693171

Download Submit
memory/424-22-0x000000007FFF0000-0x000000007FFF1000-memory.dmp

Filesize
4KB

Download
memory/2880-13-0x00000000031C0000-0x00000000031C1000-memory.dmp

Filesize
4KB

Download
memory/2880-15-0x00000000031B0000-0x00000000031D9000-memory.dmp

Filesize
164KB

Download
memory/2880-0-0x0000000000330000-0x0000000000384000-memory.dmp

Filesize
336KB

Download
memory/2880-12-0x00000000004A0000-0x00000000004A1000-memory.dmp

Filesize
4KB

Download
memory/2880-11-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/2880-10-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/2880-9-0x00000000004F0000-0x00000000004F1000-memory.dmp

Filesize
4KB

Download
memory/2880-8-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2880-6-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2880-14-0x00000000031B0000-0x00000000031B1000-memory.dmp

Filesize
4KB

Download
memory/2880-16-0x00000000031B0000-0x00000000031D9000-memory.dmp

Filesize
164KB

Download
memory/2880-17-0x00000000003D0000-0x00000000003D2000-memory.dmp

Filesize
8KB

Download
memory/2880-5-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/2880-19-0x0000000000520000-0x0000000000522000-memory.dmp

Filesize
8KB

Download
memory/2880-3-0x00000000004B0000-0x00000000004B1000-memory.dmp

Filesize
4KB

Download
memory/2880-4-0x00000000031B0000-0x00000000031D9000-memory.dmp

Filesize
164KB

Download
memory/2880-39-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2880-1-0x00000000004D0000-0x00000000004D1000-memory.dmp

Filesize
4KB

Download
memory/2880-40-0x0000000000330000-0x0000000000384000-memory.dmp

Filesize
336KB

Download
memory/2880-41-0x00000000031B0000-0x00000000031D9000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing