d1d0c276240473567089e1e98423fc04bc9f178fee1e7a81b46eb98bf809994b

General

Target

M6-46 1172024.exe
Size

650KB
MD5

8ce5735da259938567561bba69ef0332
SHA1

029cee5c0f4bd092c0b1388b5832d29a830011e0
SHA256

90a816585502a326fa5cce7d09dda0ff21b3c1a932d48d5096e031eb14124ea7
SHA512

0fa0caddb355d78746807ddaead2d5217aaf233b10e497bddb5a35f083ea541cf5aa674bf904ead07ae3eb2a105a5dd0c68bd726288ee0f0415734151ccb67ec
SSDEEP

12288:ZOAx6X60bYMBlXZvnFoCc54poj432UFHNDeXD+vvuTpmE24m:ZlaLZqQpvxeXD+kpHz

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 880 set thread context of 2608	880	M6-46 1172024.exe	29
PID 2608 set thread context of 1392	2608	M6-46 1172024.exe	7
PID 2608 set thread context of 2636	2608	M6-46 1172024.exe	32
PID 2636 set thread context of 1392	2636	netiougc.exe	7

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
880	M6-46 1172024.exe
880	M6-46 1172024.exe
880	M6-46 1172024.exe
2608	M6-46 1172024.exe
2608	M6-46 1172024.exe
2608	M6-46 1172024.exe
2608	M6-46 1172024.exe
2608	M6-46 1172024.exe
2608	M6-46 1172024.exe
2608	M6-46 1172024.exe
2608	M6-46 1172024.exe
2636	netiougc.exe
2636	netiougc.exe
2636	netiougc.exe
2636	netiougc.exe
2636	netiougc.exe
2636	netiougc.exe
2636	netiougc.exe
2636	netiougc.exe
2636	netiougc.exe
2636	netiougc.exe
2636	netiougc.exe
2636	netiougc.exe
2636	netiougc.exe
2636	netiougc.exe
2636	netiougc.exe
2636	netiougc.exe
2636	netiougc.exe
2636	netiougc.exe
2636	netiougc.exe
2636	netiougc.exe
2636	netiougc.exe
2636	netiougc.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2608	M6-46 1172024.exe
1392	Explorer.EXE
1392	Explorer.EXE
2636	netiougc.exe
2636	netiougc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	880	M6-46 1172024.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 880 wrote to memory of 2092	880	M6-46 1172024.exe	28
PID 880 wrote to memory of 2092	880	M6-46 1172024.exe	28
PID 880 wrote to memory of 2092	880	M6-46 1172024.exe	28
PID 880 wrote to memory of 2092	880	M6-46 1172024.exe	28
PID 880 wrote to memory of 3012	880	M6-46 1172024.exe	31
PID 880 wrote to memory of 3012	880	M6-46 1172024.exe	31
PID 880 wrote to memory of 3012	880	M6-46 1172024.exe	31
PID 880 wrote to memory of 3012	880	M6-46 1172024.exe	31
PID 880 wrote to memory of 2856	880	M6-46 1172024.exe	30
PID 880 wrote to memory of 2856	880	M6-46 1172024.exe	30
PID 880 wrote to memory of 2856	880	M6-46 1172024.exe	30
PID 880 wrote to memory of 2856	880	M6-46 1172024.exe	30
PID 880 wrote to memory of 2608	880	M6-46 1172024.exe	29
PID 880 wrote to memory of 2608	880	M6-46 1172024.exe	29
PID 880 wrote to memory of 2608	880	M6-46 1172024.exe	29
PID 880 wrote to memory of 2608	880	M6-46 1172024.exe	29
PID 880 wrote to memory of 2608	880	M6-46 1172024.exe	29
PID 880 wrote to memory of 2608	880	M6-46 1172024.exe	29
PID 880 wrote to memory of 2608	880	M6-46 1172024.exe	29
PID 1392 wrote to memory of 2636	1392	Explorer.EXE	32
PID 1392 wrote to memory of 2636	1392	Explorer.EXE	32
PID 1392 wrote to memory of 2636	1392	Explorer.EXE	32
PID 1392 wrote to memory of 2636	1392	Explorer.EXE	32

C:\Users\Admin\AppData\Local\Temp\M6-46 1172024.exe
"C:\Users\Admin\AppData\Local\Temp\M6-46 1172024.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:880
- C:\Users\Admin\AppData\Local\Temp\M6-46 1172024.exe
  "C:\Users\Admin\AppData\Local\Temp\M6-46 1172024.exe"
  2⤵
  PID:2092
- C:\Users\Admin\AppData\Local\Temp\M6-46 1172024.exe
  "C:\Users\Admin\AppData\Local\Temp\M6-46 1172024.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2608
- C:\Users\Admin\AppData\Local\Temp\M6-46 1172024.exe
  "C:\Users\Admin\AppData\Local\Temp\M6-46 1172024.exe"
  2⤵
  PID:2856
- C:\Users\Admin\AppData\Local\Temp\M6-46 1172024.exe
  "C:\Users\Admin\AppData\Local\Temp\M6-46 1172024.exe"
  2⤵
  PID:3012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1392
- C:\Windows\SysWOW64\netiougc.exe
  "C:\Windows\SysWOW64\netiougc.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2636

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/880-14-0x0000000074B60000-0x000000007524E000-memory.dmp

Filesize
6.9MB

Download
memory/880-0-0x0000000000230000-0x00000000002DA000-memory.dmp

Filesize
680KB

Download
memory/880-2-0x0000000004CF0000-0x0000000004D30000-memory.dmp

Filesize
256KB

Download
memory/880-3-0x0000000000410000-0x0000000000424000-memory.dmp

Filesize
80KB

Download
memory/880-5-0x0000000001D30000-0x0000000001D3C000-memory.dmp

Filesize
48KB

Download
memory/880-4-0x0000000001CE0000-0x0000000001CE8000-memory.dmp

Filesize
32KB

Download
memory/880-6-0x0000000004C20000-0x0000000004C9C000-memory.dmp

Filesize
496KB

Download
memory/880-1-0x0000000074B60000-0x000000007524E000-memory.dmp

Filesize
6.9MB

Download
memory/1392-29-0x0000000008D70000-0x000000000AA25000-memory.dmp

Filesize
28.7MB

Download
memory/1392-21-0x0000000008D70000-0x000000000AA25000-memory.dmp

Filesize
28.7MB

Download
memory/1392-19-0x0000000003B30000-0x0000000003C30000-memory.dmp

Filesize
1024KB

Download
memory/2608-17-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2608-25-0x0000000000110000-0x000000000012D000-memory.dmp

Filesize
116KB

Download
memory/2608-16-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2608-7-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2608-9-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2608-18-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2608-20-0x0000000000110000-0x000000000012D000-memory.dmp

Filesize
116KB

Download
memory/2608-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2608-13-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2608-15-0x0000000000830000-0x0000000000B33000-memory.dmp

Filesize
3.0MB

Download
memory/2608-24-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2636-23-0x0000000000080000-0x00000000000BA000-memory.dmp

Filesize
232KB

Download
memory/2636-27-0x0000000000080000-0x00000000000BA000-memory.dmp

Filesize
232KB

Download
memory/2636-26-0x00000000008D0000-0x0000000000BD3000-memory.dmp

Filesize
3.0MB

Download
memory/2636-28-0x0000000000600000-0x000000000069C000-memory.dmp

Filesize
624KB

Download
memory/2636-22-0x0000000000080000-0x00000000000BA000-memory.dmp

Filesize
232KB

Download
memory/2636-30-0x0000000000080000-0x00000000000BA000-memory.dmp

Filesize
232KB

Download
memory/2636-31-0x0000000000600000-0x000000000069C000-memory.dmp

Filesize
624KB

Download

Analysis

Sharing