13d4451ced7b76053557f42153abc61411dbc70280d7559b9f0a2f03df270cf9

General

Target

c89c68d1b70707efe6568511fa2d0550.exe
Size

44KB
MD5

c89c68d1b70707efe6568511fa2d0550
SHA1

6aed1106faf6a5b99732dd29e9ca89d002eaa27a
SHA256

13d4451ced7b76053557f42153abc61411dbc70280d7559b9f0a2f03df270cf9
SHA512

5fa1539298f0b8cd52e83d6f847957119db8485cc6ee6ab5201a966995156cd8be6ba4ad2bc1f1679c85c7aefa107abf407b79e460c92c2d87d87583abf9d6fa
SSDEEP

768:135ahc1rUBLX894vXasNa+WJgluAyFNwkiQlKXuCRD1FFdXPF9gdi:135a2iBLX89MXKOlxmNPJr+DF9gi

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1216	powershell.exe
2064	powershell.exe
1624	powershell.exe
2360	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1216	powershell.exe
Token: SeDebugPrivilege	2064	powershell.exe
Token: SeDebugPrivilege	1624	powershell.exe
Token: SeDebugPrivilege	2360	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 3044	2388	c89c68d1b70707efe6568511fa2d0550.exe	28
PID 2388 wrote to memory of 3044	2388	c89c68d1b70707efe6568511fa2d0550.exe	28
PID 2388 wrote to memory of 3044	2388	c89c68d1b70707efe6568511fa2d0550.exe	28
PID 3044 wrote to memory of 1216	3044	cmd.exe	30
PID 3044 wrote to memory of 1216	3044	cmd.exe	30
PID 3044 wrote to memory of 1216	3044	cmd.exe	30
PID 3044 wrote to memory of 2064	3044	cmd.exe	31
PID 3044 wrote to memory of 2064	3044	cmd.exe	31
PID 3044 wrote to memory of 2064	3044	cmd.exe	31
PID 3044 wrote to memory of 1624	3044	cmd.exe	32
PID 3044 wrote to memory of 1624	3044	cmd.exe	32
PID 3044 wrote to memory of 1624	3044	cmd.exe	32
PID 3044 wrote to memory of 2360	3044	cmd.exe	33
PID 3044 wrote to memory of 2360	3044	cmd.exe	33
PID 3044 wrote to memory of 2360	3044	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\c89c68d1b70707efe6568511fa2d0550.exe
"C:\Users\Admin\AppData\Local\Temp\c89c68d1b70707efe6568511fa2d0550.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Windows\system32\cmd.exe
  "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1216
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2064
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1624
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2360

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\29KSONBVPG9ZL1KZKKX6.temp

Filesize
7KB

MD5
e31d4fd2744259ee5aa9b73154782822

SHA1
24e60d3d1c18bd8840e284ed37a88986bbf5fbee

SHA256
c896a60cb164a30f66e2007938d189e10b9576db252b1c176f4d90cb44e0e45a

SHA512
f6c9d64fc069f551c96afee3d02efffd4cfc2389bfe6529b65de268f336352c58d3daa27f6df93d3beb582f4d1d330d420a4ab9769f474852c4eef785a49531c

Download Submit
memory/1216-14-0x0000000002CB0000-0x0000000002D30000-memory.dmp

Filesize
512KB

Download
memory/1216-15-0x000007FEF2E20000-0x000007FEF37BD000-memory.dmp

Filesize
9.6MB

Download
memory/1216-7-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

Filesize
2.9MB

Download
memory/1216-8-0x0000000002A20000-0x0000000002A28000-memory.dmp

Filesize
32KB

Download
memory/1216-10-0x0000000002CB0000-0x0000000002D30000-memory.dmp

Filesize
512KB

Download
memory/1216-9-0x000007FEF2E20000-0x000007FEF37BD000-memory.dmp

Filesize
9.6MB

Download
memory/1216-12-0x0000000002CB0000-0x0000000002D30000-memory.dmp

Filesize
512KB

Download
memory/1216-11-0x000007FEF2E20000-0x000007FEF37BD000-memory.dmp

Filesize
9.6MB

Download
memory/1216-13-0x0000000002CB0000-0x0000000002D30000-memory.dmp

Filesize
512KB

Download
memory/1624-35-0x000007FEF2E20000-0x000007FEF37BD000-memory.dmp

Filesize
9.6MB

Download
memory/1624-36-0x0000000002D40000-0x0000000002DC0000-memory.dmp

Filesize
512KB

Download
memory/1624-41-0x000007FEF2E20000-0x000007FEF37BD000-memory.dmp

Filesize
9.6MB

Download
memory/1624-38-0x0000000002D40000-0x0000000002DC0000-memory.dmp

Filesize
512KB

Download
memory/1624-40-0x0000000002D4B000-0x0000000002DB2000-memory.dmp

Filesize
412KB

Download
memory/1624-39-0x0000000002D40000-0x0000000002DC0000-memory.dmp

Filesize
512KB

Download
memory/1624-37-0x000007FEF2E20000-0x000007FEF37BD000-memory.dmp

Filesize
9.6MB

Download
memory/2064-25-0x000007FEEFCD0000-0x000007FEF066D000-memory.dmp

Filesize
9.6MB

Download
memory/2064-21-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

Filesize
2.9MB

Download
memory/2064-27-0x0000000002940000-0x00000000029C0000-memory.dmp

Filesize
512KB

Download
memory/2064-28-0x000000000294B000-0x00000000029B2000-memory.dmp

Filesize
412KB

Download
memory/2064-29-0x000007FEEFCD0000-0x000007FEF066D000-memory.dmp

Filesize
9.6MB

Download
memory/2064-26-0x0000000002940000-0x00000000029C0000-memory.dmp

Filesize
512KB

Download
memory/2064-23-0x0000000002940000-0x00000000029C0000-memory.dmp

Filesize
512KB

Download
memory/2064-24-0x0000000002240000-0x0000000002248000-memory.dmp

Filesize
32KB

Download
memory/2064-22-0x000007FEEFCD0000-0x000007FEF066D000-memory.dmp

Filesize
9.6MB

Download
memory/2360-48-0x000007FEEFCD0000-0x000007FEF066D000-memory.dmp

Filesize
9.6MB

Download
memory/2360-50-0x00000000028F4000-0x00000000028F7000-memory.dmp

Filesize
12KB

Download
memory/2360-49-0x00000000028F0000-0x0000000002970000-memory.dmp

Filesize
512KB

Download
memory/2360-52-0x000007FEEFCD0000-0x000007FEF066D000-memory.dmp

Filesize
9.6MB

Download
memory/2360-51-0x00000000028FB000-0x0000000002962000-memory.dmp

Filesize
412KB

Download
memory/2360-53-0x00000000028F0000-0x0000000002970000-memory.dmp

Filesize
512KB

Download
memory/2388-0-0x000000013F0B0000-0x000000013F0C0000-memory.dmp

Filesize
64KB

Download
memory/2388-1-0x000007FEF5AC0000-0x000007FEF64AC000-memory.dmp

Filesize
9.9MB

Download
memory/2388-47-0x000007FEF5AC0000-0x000007FEF64AC000-memory.dmp

Filesize
9.9MB

Download
memory/2388-2-0x000000001BC80000-0x000000001BD00000-memory.dmp

Filesize
512KB

Download
memory/2388-54-0x000000001BC80000-0x000000001BD00000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads