f5078cf0b6c1c40c51987ab9de59c3b128f639b54ad2f40251d1f3096bf809f0

General

Target

f5078cf0b6c1c40c51987ab9de59c3b128f639b54ad2f40251d1f3096bf809f0.exe
Size

14KB
MD5

155547ac9f5b12577c3f224928ba3db7
SHA1

929c6df8df5f04c1591f8128e00a717c55353fdd
SHA256

f5078cf0b6c1c40c51987ab9de59c3b128f639b54ad2f40251d1f3096bf809f0
SHA512

04a2a34e1ce01c474e73bfa5de01889ff16c665b9f2ae1d2a667c74ac23b53350f90a817bdf554283bb1f37af5fbbf6887372f8138658f041a100c09a62d4a76
SSDEEP

192:vZcpE/exr76ZLvdKHfgtxpyuTWuWMkrdE7dOS2WvB6Wv:vZzercTmeyeg99ZWZ6Wv

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\eventvwr.msc	mmc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2420	dw20.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2248	mmc.exe
Token: 33	2248	mmc.exe
Token: SeIncBasePriorityPrivilege	2248	mmc.exe
Token: 33	2248	mmc.exe
Token: SeIncBasePriorityPrivilege	2248	mmc.exe
Token: 33	2248	mmc.exe
Token: SeIncBasePriorityPrivilege	2248	mmc.exe
Token: 33	2248	mmc.exe
Token: SeIncBasePriorityPrivilege	2248	mmc.exe
Token: 33	2248	mmc.exe
Token: SeIncBasePriorityPrivilege	2248	mmc.exe
Token: 33	2248	mmc.exe
Token: SeIncBasePriorityPrivilege	2248	mmc.exe
Token: 33	2248	mmc.exe
Token: SeIncBasePriorityPrivilege	2248	mmc.exe
Token: 33	2248	mmc.exe
Token: SeIncBasePriorityPrivilege	2248	mmc.exe
Token: 33	2248	mmc.exe
Token: SeIncBasePriorityPrivilege	2248	mmc.exe
Token: 33	2248	mmc.exe
Token: SeIncBasePriorityPrivilege	2248	mmc.exe
Token: 33	2248	mmc.exe
Token: SeIncBasePriorityPrivilege	2248	mmc.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2484	mmc.exe
2248	mmc.exe
2248	mmc.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 2484	2164	f5078cf0b6c1c40c51987ab9de59c3b128f639b54ad2f40251d1f3096bf809f0.exe	28
PID 2164 wrote to memory of 2484	2164	f5078cf0b6c1c40c51987ab9de59c3b128f639b54ad2f40251d1f3096bf809f0.exe	28
PID 2164 wrote to memory of 2484	2164	f5078cf0b6c1c40c51987ab9de59c3b128f639b54ad2f40251d1f3096bf809f0.exe	28
PID 2164 wrote to memory of 2484	2164	f5078cf0b6c1c40c51987ab9de59c3b128f639b54ad2f40251d1f3096bf809f0.exe	28
PID 2484 wrote to memory of 2248	2484	mmc.exe	29
PID 2484 wrote to memory of 2248	2484	mmc.exe	29
PID 2484 wrote to memory of 2248	2484	mmc.exe	29
PID 2484 wrote to memory of 2248	2484	mmc.exe	29
PID 2248 wrote to memory of 2420	2248	mmc.exe	30
PID 2248 wrote to memory of 2420	2248	mmc.exe	30
PID 2248 wrote to memory of 2420	2248	mmc.exe	30

C:\Users\Admin\AppData\Local\Temp\f5078cf0b6c1c40c51987ab9de59c3b128f639b54ad2f40251d1f3096bf809f0.exe
"C:\Users\Admin\AppData\Local\Temp\f5078cf0b6c1c40c51987ab9de59c3b128f639b54ad2f40251d1f3096bf809f0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Windows\SysWOW64\mmc.exe
  mmc.exe /s C:\Windows\system32\eventvwr.msc
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2484
- - C:\Windows\system32\mmc.exe
    "C:\Windows\system32\eventvwr.msc" /s C:\Windows\system32\eventvwr.msc
    3⤵
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2248
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
      dw20.exe -x -s 1312
      4⤵
      Suspicious behavior: GetForegroundWindowSpam
      PID:2420

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2164-0-0x0000000001000000-0x0000000001004000-memory.dmp

Filesize
16KB

Download
memory/2248-13-0x0000000004690000-0x0000000004710000-memory.dmp

Filesize
512KB

Download
memory/2248-7-0x000000001D160000-0x000000001D4A6000-memory.dmp

Filesize
3.3MB

Download
memory/2248-3-0x000007FEF59B0000-0x000007FEF634D000-memory.dmp

Filesize
9.6MB

Download
memory/2248-4-0x0000000004690000-0x0000000004710000-memory.dmp

Filesize
512KB

Download
memory/2248-5-0x000007FEF59B0000-0x000007FEF634D000-memory.dmp

Filesize
9.6MB

Download
memory/2248-6-0x0000000004690000-0x0000000004710000-memory.dmp

Filesize
512KB

Download
memory/2248-1-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/2248-8-0x0000000004690000-0x0000000004710000-memory.dmp

Filesize
512KB

Download
memory/2248-9-0x0000000004690000-0x0000000004710000-memory.dmp

Filesize
512KB

Download
memory/2248-10-0x0000000004690000-0x0000000004710000-memory.dmp

Filesize
512KB

Download
memory/2248-2-0x0000000002800000-0x000000000281E000-memory.dmp

Filesize
120KB

Download
memory/2248-11-0x0000000004690000-0x0000000004710000-memory.dmp

Filesize
512KB

Download
memory/2248-17-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/2248-12-0x000007FFFFF00000-0x000007FFFFF10000-memory.dmp

Filesize
64KB

Download
memory/2248-15-0x0000000004690000-0x0000000004710000-memory.dmp

Filesize
512KB

Download
memory/2248-24-0x0000000004690000-0x0000000004710000-memory.dmp

Filesize
512KB

Download
memory/2248-14-0x0000000004690000-0x0000000004710000-memory.dmp

Filesize
512KB

Download
memory/2248-18-0x000007FEF59B0000-0x000007FEF634D000-memory.dmp

Filesize
9.6MB

Download
memory/2248-19-0x000007FEF59B0000-0x000007FEF634D000-memory.dmp

Filesize
9.6MB

Download
memory/2248-20-0x0000000004690000-0x0000000004710000-memory.dmp

Filesize
512KB

Download
memory/2248-21-0x0000000004690000-0x0000000004710000-memory.dmp

Filesize
512KB

Download
memory/2248-22-0x000007FFFFF00000-0x000007FFFFF10000-memory.dmp

Filesize
64KB

Download
memory/2248-23-0x0000000004690000-0x0000000004710000-memory.dmp

Filesize
512KB

Download
memory/2420-16-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing