45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503

General

Target

45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe
Size

2.6MB
MD5

38439fdf4744c8a97c0dafce36e4f432
SHA1

e6f56833ecfb2b47f4e39a290bad959776fea2f1
SHA256

45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503
SHA512

69feeaeb83ee5b6773e2919716d9ab2f4acee2f6115ef1731557258f42a5b529760402a091c64be1707a13c4b4cfb09e79ddb0eff24cd3e77fa1e4b355cda407
SSDEEP

49152:01+6+AFUaW+Vvdj8Lf8JtKHibnPIb2qohbLLkYPTRAEOOaS4d5eTovYuLL:XANzVvdw4Jr76oNLpPNAEkeTYpLL

Score

9^/10

Malware Config

Signatures

Detects executables manipulated with Fody 1 IoCs

resource	yara_rule
behavioral1/memory/1988-0-0x0000000000230000-0x00000000004D4000-memory.dmp	INDICATOR_EXE_Packed_Fody

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1988	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe
1988	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe
1988	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe
1988	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe
1988	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe
1988	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe
1988	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe
1988	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe
1988	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe
1988	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1988	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 2708	1988	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	29
PID 1988 wrote to memory of 2708	1988	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	29
PID 1988 wrote to memory of 2708	1988	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	29
PID 2708 wrote to memory of 2380	2708	csc.exe	35
PID 2708 wrote to memory of 2380	2708	csc.exe	35
PID 2708 wrote to memory of 2380	2708	csc.exe	35
PID 1988 wrote to memory of 2528	1988	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	30
PID 1988 wrote to memory of 2528	1988	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	30
PID 1988 wrote to memory of 2528	1988	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	30
PID 1988 wrote to memory of 2528	1988	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	30
PID 1988 wrote to memory of 2784	1988	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	34
PID 1988 wrote to memory of 2784	1988	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	34
PID 1988 wrote to memory of 2784	1988	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	34
PID 1988 wrote to memory of 2784	1988	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	34
PID 1988 wrote to memory of 2540	1988	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	33
PID 1988 wrote to memory of 2540	1988	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	33
PID 1988 wrote to memory of 2540	1988	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	33
PID 1988 wrote to memory of 2540	1988	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	33
PID 1988 wrote to memory of 2564	1988	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	32
PID 1988 wrote to memory of 2564	1988	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	32
PID 1988 wrote to memory of 2564	1988	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	32
PID 1988 wrote to memory of 2564	1988	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	32
PID 1988 wrote to memory of 2640	1988	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	31
PID 1988 wrote to memory of 2640	1988	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	31
PID 1988 wrote to memory of 2640	1988	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	31
PID 1988 wrote to memory of 2640	1988	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	31

C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe
"C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qs0sgkyw\qs0sgkyw.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES114F.tmp" "c:\Users\Admin\AppData\Local\Temp\qs0sgkyw\CSC2EA220FDF0349C4B4C25DD8F512359F.TMP"
    3⤵
    PID:2380
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:2528
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:2640
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:2564
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:2540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:2784

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES114F.tmp

Filesize
1KB

MD5
e073a3ece428d13f8ddcf1bf7842e834

SHA1
0faa3146613f9924529b74d98a6a1ddb0b099072

SHA256
f4699d4d914c241f654ffd09f81fd030b478bbc12dcaee11c1f38384da65d60d

SHA512
f98e022a612a3dda10d2a50135c0e6b9544582c3a4e1396531077875279acd78ae719d2ddf5ffc7291a2af068710e22c10527a804573031e8a48d0a6245d0b82

Download Submit
C:\Users\Admin\AppData\Local\Temp\qs0sgkyw\qs0sgkyw.dll

Filesize
9KB

MD5
53fe0ebd010ea373a63067de722db479

SHA1
9f79697dfe09daa92038f873021223ab640d0ddc

SHA256
56e5d003da15fe8d65238ef28f956c7bc1f5980b279d0294a68cca646aff1143

SHA512
883e1cbd32517e4b8ab7226d096ff1b73e1680ff054a75a94c0c081774d81603f7cfcf65a6c950dc827a75c742814f0520ab88dbbfcc8d1cfbd1b1d899f9d6e5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qs0sgkyw\CSC2EA220FDF0349C4B4C25DD8F512359F.TMP

Filesize
652B

MD5
2905665fa164e1d1488f16e494d3c254

SHA1
2706b4fad01b29f48ffdeca1ab1d59cc5d1a381b

SHA256
f7a3118ecf831b89b3dd8e044f306ec4e1a670fb85c9f5bcbfe48c97fdbfb7df

SHA512
9e3d18d59724353f957b96039d43ad1df16cde6e26430758c8772f5c75e025fe96f84326b51e3f451e7d4780aa04976592e4694c6a61c2f840317bf7f49757d7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qs0sgkyw\qs0sgkyw.0.cs

Filesize
10KB

MD5
42cdf76cfeebaa4420881fdb1f349522

SHA1
ef4d59c2b791a84ef78b60dba7ab1aec1b28be1d

SHA256
463913a4eb1a1ec5b16cc0307e8e3910389e8505a224c695267eeed1c8d5b970

SHA512
ed44f969cf64ef7c68df80d09f7c8f96c6e688649995c3e624dcd1638a456a8ef66cc535b40aab43a5679fc676dc62a2160cc49a5d8bc22c7df525bfc5520a7c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qs0sgkyw\qs0sgkyw.cmdline

Filesize
204B

MD5
2c3914adac1c5566b743bb2ffd0c1b40

SHA1
1d650d9bbc02ca35bdf6c3f73ef838a5e9ed6068

SHA256
daaa5e386223fa852d339eee8b8b9ff696bdd44a53aca78f31dd9c3c3d99a516

SHA512
8d2a732305fc695732dfb37f5492b4e5de8d39325f5aab77a34902eeb43902a67a6529bb2b10f07d5f9f580b3e7a589b53f7148bd5ac048f014e746516dd3f50

Download Submit
memory/1988-0-0x0000000000230000-0x00000000004D4000-memory.dmp

Filesize
2.6MB

Download
memory/1988-1-0x000007FEF5040000-0x000007FEF5A2C000-memory.dmp

Filesize
9.9MB

Download
memory/1988-3-0x000000001A990000-0x000000001A9EE000-memory.dmp

Filesize
376KB

Download
memory/1988-2-0x0000000002390000-0x0000000002410000-memory.dmp

Filesize
512KB

Download
memory/1988-4-0x000000001B010000-0x000000001B094000-memory.dmp

Filesize
528KB

Download
memory/1988-17-0x0000000002120000-0x0000000002128000-memory.dmp

Filesize
32KB

Download
memory/1988-19-0x000007FEF5040000-0x000007FEF5A2C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing