a3357e7ea44e4d30304b1e5a4f53da37c848ce10fda0bd03a4f0dc0c5220e336

General

Target

a3357e7ea44e4d30304b1e5a4f53da37c848ce10fda0bd03a4f0dc0c5220e336.exe
Size

397KB
MD5

6f593dbea0a8703af52bd66f582251a4
SHA1

2201a210e9680ec079b08bdb1da6d23112d87dcc
SHA256

a3357e7ea44e4d30304b1e5a4f53da37c848ce10fda0bd03a4f0dc0c5220e336
SHA512

97ebc0b7f27a76efead93fce05a8d059b4c6629e6348d5d4b728ed910ab00848b44737c6b5a48ac070d62a1da9273fc72b809fcf36bd17afb573fccc33d5aa73
SSDEEP

6144:rqJycjfxGqz7J1Bn+F7potY9kxqqJrNzS:rq8cj5fR+MO9kPJrhS

Score

6^/10

evasion

Malware Config

Signatures

Modifies powershell logging option 1 TTPs
evasion

Modify Registry
T1112

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2060	a3357e7ea44e4d30304b1e5a4f53da37c848ce10fda0bd03a4f0dc0c5220e336.exe
2060	a3357e7ea44e4d30304b1e5a4f53da37c848ce10fda0bd03a4f0dc0c5220e336.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2060	a3357e7ea44e4d30304b1e5a4f53da37c848ce10fda0bd03a4f0dc0c5220e336.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 4184	2060	a3357e7ea44e4d30304b1e5a4f53da37c848ce10fda0bd03a4f0dc0c5220e336.exe	107
PID 2060 wrote to memory of 4184	2060	a3357e7ea44e4d30304b1e5a4f53da37c848ce10fda0bd03a4f0dc0c5220e336.exe	107
PID 4184 wrote to memory of 3924	4184	csc.exe	112
PID 4184 wrote to memory of 3924	4184	csc.exe	112
PID 2060 wrote to memory of 3192	2060	a3357e7ea44e4d30304b1e5a4f53da37c848ce10fda0bd03a4f0dc0c5220e336.exe	114
PID 2060 wrote to memory of 3192	2060	a3357e7ea44e4d30304b1e5a4f53da37c848ce10fda0bd03a4f0dc0c5220e336.exe	114

C:\Users\Admin\AppData\Local\Temp\a3357e7ea44e4d30304b1e5a4f53da37c848ce10fda0bd03a4f0dc0c5220e336.exe
"C:\Users\Admin\AppData\Local\Temp\a3357e7ea44e4d30304b1e5a4f53da37c848ce10fda0bd03a4f0dc0c5220e336.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ynkspmmx.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4184
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3FF9.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3FE9.tmp"
    3⤵
    PID:3924
- C:\Windows\system32\chcp.com
  "C:\Windows\system32\chcp.com" 437
  2⤵
  PID:3192

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4580 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8
1⤵
PID:4760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES3FF9.tmp

Filesize
1KB

MD5
7141e68c01fd09a2c1acbf17694150c7

SHA1
e0ca48e3144c6a27fd62b0c4fb1052b8c38dbb4b

SHA256
7aae2bc82c31f90fcdde9a12570f094cd960c2f5af2138962f19056e8ade93dd

SHA512
87ba14ad5f7c327326bdaea4040dca1dc25d0082a09778b4eb6049332f899069737b96b63adec277cf06c834444c043a7858829e6b97a1feed037252e51d2e40

Download Submit
C:\Users\Admin\AppData\Local\Temp\ynkspmmx.dll

Filesize
3KB

MD5
6ebfa20fc7296462826a03e2c8ed16f5

SHA1
498699904d2d5a1f795e6764b76d1744fc64ad74

SHA256
7c7b339bf38055689447eb53f5869ed6275b3f6eddfcda1ad7ee77505ba94e01

SHA512
7c0685fd94f9d3279aa1e7a13b8e40f9b001d2ab7196b86dd174d62a958dd95d7676a51f8959ad995874fb8ce21a6c79307c959907c1196079ad151fc1143601

Download Submit
C:\Users\Admin\AppData\Local\Temp\ynkspmmx.pdb

Filesize
11KB

MD5
4ee9554eb4f4f5590c647608bac5a02b

SHA1
3c01888b1fc000c82dcefab89c4f00c3c5bcbd58

SHA256
eb4c7e0a352b4ab2ea71fd7cd8432bc119b0516774d0c4acd40045f3019000d1

SHA512
d09338cfb9eff5526f16257a7dd88d7e9ca7e5fa314edde61674e13fe2936cc075f356f7079c4e6a3b2de822bbfe5a4caa654e4b608bb8014b39c07609e8bec4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC3FE9.tmp

Filesize
652B

MD5
02226086871794a6dca9105c41c0ca24

SHA1
4990769884c119b7daffde2630b40ea9fba6b30e

SHA256
e255a9feca5ff3efb8fa7fb111138c859bfff2e6a40e825e8ca41d845bab5ebe

SHA512
0fb19273dce6c9cdeb8d260778ff47a7f1cdbbc9fe8a0ad0193e8c221fe94d94c78aa2d4c847dd3beb7d26b3ea2646fc8daa3c752bd68ef5958eb01161a193c0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ynkspmmx.0.cs

Filesize
447B

MD5
1640a04633fee0dfdc7e22c4f4063bf6

SHA1
3cb525c47b5dd37f8ee45b034c9452265fba5476

SHA256
55e16d2ca3e65ce6c62cd5be2af5d7264445c5d7e1b5f3be7149acfb47ae42a0

SHA512
85c5103dda738d6003d39b0b619e68942965ddb9d6e08e544abf377224fdb29c6cd1501a549e99e57875954cea44b5bdefd7cace018c8123e7bfb717ae0e973d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ynkspmmx.cmdline

Filesize
309B

MD5
384fb02a2782b98d4326178c34a8b8fc

SHA1
215017ccffb809fc6ff4602e94ecf2e5b60c1e7c

SHA256
fe19e9b8bd0b49e154a8ea767bd6c2be8e1d0b8d68918293a2c08be6ff493e94

SHA512
a35f42b3b8a5acac06a4caaf3620cf643ce08c13383237cc7dcfc1373f7233ca3c221ee97712750e2db55a72610903a9e93afde1e135fe995ddcfa645358d5b4

Download Submit
memory/2060-0-0x00007FFDB9920000-0x00007FFDBA2C1000-memory.dmp

Filesize
9.6MB

Download
memory/2060-5-0x000000001BD10000-0x000000001BDAC000-memory.dmp

Filesize
624KB

Download
memory/2060-4-0x00007FFDB9920000-0x00007FFDBA2C1000-memory.dmp

Filesize
9.6MB

Download
memory/2060-3-0x000000001B7A0000-0x000000001BC6E000-memory.dmp

Filesize
4.8MB

Download
memory/2060-2-0x0000000000B20000-0x0000000000B30000-memory.dmp

Filesize
64KB

Download
memory/2060-20-0x0000000000850000-0x0000000000858000-memory.dmp

Filesize
32KB

Download
memory/2060-1-0x00007FFDB9920000-0x00007FFDBA2C1000-memory.dmp

Filesize
9.6MB

Download
memory/4184-11-0x0000000000A60000-0x0000000000A70000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing