45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503

General

Target

45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe
Size

2.6MB
MD5

38439fdf4744c8a97c0dafce36e4f432
SHA1

e6f56833ecfb2b47f4e39a290bad959776fea2f1
SHA256

45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503
SHA512

69feeaeb83ee5b6773e2919716d9ab2f4acee2f6115ef1731557258f42a5b529760402a091c64be1707a13c4b4cfb09e79ddb0eff24cd3e77fa1e4b355cda407
SSDEEP

49152:01+6+AFUaW+Vvdj8Lf8JtKHibnPIb2qohbLLkYPTRAEOOaS4d5eTovYuLL:XANzVvdw4Jr76oNLpPNAEkeTYpLL

Score

9^/10

Malware Config

Signatures

Detects executables manipulated with Fody 1 IoCs

resource	yara_rule
behavioral1/memory/1044-0-0x0000000001200000-0x00000000014A4000-memory.dmp	INDICATOR_EXE_Packed_Fody

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1044	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe
1044	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe
1044	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe
1044	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe
1044	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe
1044	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe
1044	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe
1044	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe
1044	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe
1044	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1044	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1044 wrote to memory of 2384	1044	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	29
PID 1044 wrote to memory of 2384	1044	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	29
PID 1044 wrote to memory of 2384	1044	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	29
PID 2384 wrote to memory of 860	2384	csc.exe	35
PID 2384 wrote to memory of 860	2384	csc.exe	35
PID 2384 wrote to memory of 860	2384	csc.exe	35
PID 1044 wrote to memory of 884	1044	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	30
PID 1044 wrote to memory of 884	1044	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	30
PID 1044 wrote to memory of 884	1044	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	30
PID 1044 wrote to memory of 884	1044	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	30
PID 1044 wrote to memory of 2748	1044	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	34
PID 1044 wrote to memory of 2748	1044	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	34
PID 1044 wrote to memory of 2748	1044	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	34
PID 1044 wrote to memory of 2748	1044	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	34
PID 1044 wrote to memory of 2600	1044	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	33
PID 1044 wrote to memory of 2600	1044	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	33
PID 1044 wrote to memory of 2600	1044	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	33
PID 1044 wrote to memory of 2600	1044	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	33
PID 1044 wrote to memory of 2588	1044	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	32
PID 1044 wrote to memory of 2588	1044	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	32
PID 1044 wrote to memory of 2588	1044	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	32
PID 1044 wrote to memory of 2588	1044	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	32
PID 1044 wrote to memory of 2664	1044	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	31
PID 1044 wrote to memory of 2664	1044	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	31
PID 1044 wrote to memory of 2664	1044	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	31
PID 1044 wrote to memory of 2664	1044	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	31

C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe
"C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1044
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\45jc4ho0\45jc4ho0.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2384
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEDF.tmp" "c:\Users\Admin\AppData\Local\Temp\45jc4ho0\CSCF1BAE5DCD9D948288074563AD2B02E23.TMP"
    3⤵
    PID:860
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:884
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:2664
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:2588
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:2600
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:2748

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\45jc4ho0\45jc4ho0.dll

Filesize
9KB

MD5
5a39ee40ab4d83c772b34ef3e879dc7b

SHA1
65bcd0c0e551bcf8b8d87ec0b52d9f097448e80b

SHA256
293cc8291ca4282fc0908cef380f0fd4f70cb418619fdde3e7104f16bc6edf3b

SHA512
dfb17e77163072703c495f680c12c40e0d8a6c846ff17f3cb3c2c274ab1948d1156f227175dc349a66c4af8079a462e8e07112d64c41db4bf266d7623ee802a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESEDF.tmp

Filesize
1KB

MD5
203f78655fb3567ff2a9a55f23330eed

SHA1
a54c6ff632596bc03851ced271b73eaf2afe9f44

SHA256
56e9cc425a2571428b294724102126730aa06526b72dd6986f3845ae1384a8da

SHA512
1705eee9c5b2097ca8a294a8110841ab42b70712dbfb803153b1609f679c799582d6c9ee1557d3f002259fda4b7487467cfedf68746ff9c623566d68eef4f198

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\45jc4ho0\45jc4ho0.0.cs

Filesize
10KB

MD5
42cdf76cfeebaa4420881fdb1f349522

SHA1
ef4d59c2b791a84ef78b60dba7ab1aec1b28be1d

SHA256
463913a4eb1a1ec5b16cc0307e8e3910389e8505a224c695267eeed1c8d5b970

SHA512
ed44f969cf64ef7c68df80d09f7c8f96c6e688649995c3e624dcd1638a456a8ef66cc535b40aab43a5679fc676dc62a2160cc49a5d8bc22c7df525bfc5520a7c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\45jc4ho0\45jc4ho0.cmdline

Filesize
204B

MD5
7606fd69f0266faa9daafdd66b57a95d

SHA1
ed5f8e98b12b93b5d5ae2de1b692c9718caeda2d

SHA256
e2f90a9b9a62fb813971b13c1365e785cde47f1ebceeb88a47aeb7c5a43660fa

SHA512
d73f7b014c7d85db5963764ed0c8d41a9d7e53d350ac550fd83eb5729485a2cded23ae8742489f9d0c966847025f2f9dd2725e878633eaeeeb3fed5e6bc51e74

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\45jc4ho0\CSCF1BAE5DCD9D948288074563AD2B02E23.TMP

Filesize
652B

MD5
f900d2685734fee93dd6fee759cf322c

SHA1
d5f4eaf8828a7cde2cd174e2e6dfd6acdf53ac0d

SHA256
f494056101838845c48b0d7f1f66fe354f6f4a4f10f296d7ea9e34b33e5728e2

SHA512
8e6252f6146482e2ed44b1c4b0ded0e6d13c109b4e2f80567cb0959dab31cfefbf14f2ca04c16fe84e4ee1adcdf1d6fbf6845814e40f9686dc75672cf979c5b2

Download Submit
memory/1044-0-0x0000000001200000-0x00000000014A4000-memory.dmp

Filesize
2.6MB

Download
memory/1044-1-0x000007FEF5B50000-0x000007FEF653C000-memory.dmp

Filesize
9.9MB

Download
memory/1044-3-0x0000000000AE0000-0x0000000000B3E000-memory.dmp

Filesize
376KB

Download
memory/1044-2-0x000000001B1B0000-0x000000001B230000-memory.dmp

Filesize
512KB

Download
memory/1044-4-0x0000000000C30000-0x0000000000CB4000-memory.dmp

Filesize
528KB

Download
memory/1044-19-0x000007FEF5B50000-0x000007FEF653C000-memory.dmp

Filesize
9.9MB

Download
memory/1044-17-0x0000000000A50000-0x0000000000A58000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing