62c41a9ab5747f5a9d7d3947c3704f1b3e27a47693a088843e54ddd54c12ac64

General

Target

62c41a9ab5747f5a9d7d3947c3704f1b3e27a47693a088843e54ddd54c12ac64.exe
Size

5.3MB
MD5

a738343a752f47cdb5aa6f3d7a70f0ce
SHA1

1b9a7b0d75dddb27c930630848e016f1f405aca8
SHA256

62c41a9ab5747f5a9d7d3947c3704f1b3e27a47693a088843e54ddd54c12ac64
SHA512

f53585351204e39507a79bac23cd364d614743b5f16483998ed7c4f8dfaa2f628fdfc99e51f6666a39f5e38f9203a77ad6bc5231b03ea89a3ab36745f4385dc4
SSDEEP

98304:8eaLq2gXJAT86nXlXxHhNZEYoPHGlBBYYYR9MU6JADxuJfUm5iaI4I:8ebNJAT8UXlVhNiYofG7rYnEuDctUN

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

Processes:

62c41a9ab5747f5a9d7d3947c3704f1b3e27a47693a088843e54ddd54c12ac64.exe

pid	process
2520	62c41a9ab5747f5a9d7d3947c3704f1b3e27a47693a088843e54ddd54c12ac64.exe
2520	62c41a9ab5747f5a9d7d3947c3704f1b3e27a47693a088843e54ddd54c12ac64.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

2672 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

62c41a9ab5747f5a9d7d3947c3704f1b3e27a47693a088843e54ddd54c12ac64.exepowershell.exe

description pid process

Token: 35 2520 62c41a9ab5747f5a9d7d3947c3704f1b3e27a47693a088843e54ddd54c12ac64.exe
Token: SeDebugPrivilege 2672 powershell.exe

pid	process
2672	powershell.exe

description	pid	process
Token: 35	2520	62c41a9ab5747f5a9d7d3947c3704f1b3e27a47693a088843e54ddd54c12ac64.exe
Token: SeDebugPrivilege	2672	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

62c41a9ab5747f5a9d7d3947c3704f1b3e27a47693a088843e54ddd54c12ac64.exe62c41a9ab5747f5a9d7d3947c3704f1b3e27a47693a088843e54ddd54c12ac64.execmd.exe

description	pid	process	target process
PID 1640 wrote to memory of 2520	1640	62c41a9ab5747f5a9d7d3947c3704f1b3e27a47693a088843e54ddd54c12ac64.exe	62c41a9ab5747f5a9d7d3947c3704f1b3e27a47693a088843e54ddd54c12ac64.exe
PID 1640 wrote to memory of 2520	1640	62c41a9ab5747f5a9d7d3947c3704f1b3e27a47693a088843e54ddd54c12ac64.exe	62c41a9ab5747f5a9d7d3947c3704f1b3e27a47693a088843e54ddd54c12ac64.exe
PID 1640 wrote to memory of 2520	1640	62c41a9ab5747f5a9d7d3947c3704f1b3e27a47693a088843e54ddd54c12ac64.exe	62c41a9ab5747f5a9d7d3947c3704f1b3e27a47693a088843e54ddd54c12ac64.exe
PID 2520 wrote to memory of 1220	2520	62c41a9ab5747f5a9d7d3947c3704f1b3e27a47693a088843e54ddd54c12ac64.exe	cmd.exe
PID 2520 wrote to memory of 1220	2520	62c41a9ab5747f5a9d7d3947c3704f1b3e27a47693a088843e54ddd54c12ac64.exe	cmd.exe
PID 2520 wrote to memory of 1220	2520	62c41a9ab5747f5a9d7d3947c3704f1b3e27a47693a088843e54ddd54c12ac64.exe	cmd.exe
PID 1220 wrote to memory of 2672	1220	cmd.exe	powershell.exe
PID 1220 wrote to memory of 2672	1220	cmd.exe	powershell.exe
PID 1220 wrote to memory of 2672	1220	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\62c41a9ab5747f5a9d7d3947c3704f1b3e27a47693a088843e54ddd54c12ac64.exe
"C:\Users\Admin\AppData\Local\Temp\62c41a9ab5747f5a9d7d3947c3704f1b3e27a47693a088843e54ddd54c12ac64.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1640

C:\Users\Admin\AppData\Local\Temp\62c41a9ab5747f5a9d7d3947c3704f1b3e27a47693a088843e54ddd54c12ac64.exe
"C:\Users\Admin\AppData\Local\Temp\62c41a9ab5747f5a9d7d3947c3704f1b3e27a47693a088843e54ddd54c12ac64.exe"
2⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe -ExecutionPolicy Unrestricted -File C:\ProgramData/script2.ps1"
3⤵
- Suspicious use of WriteProcessMemory
PID:1220

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Unrestricted -File C:\ProgramData/script2.ps1
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2672

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\script2.ps1
Filesize
721B

MD5
b23d0f8780680910c158262a7545be4b

SHA1
34bdd31fe0a63b930bc44a88f4a5f283175c8ea6

SHA256
3a20a3cac48a53888253aff623d12ac9dce01a8792a8d5f95255dc881a6db90f

SHA512
9ec058ef22dff6e01a1dc930c5b29c64ca972fdc184345c245d8a10a61e68e5e5232f6724fedd96d507e4336fa12ab4757b245973576c093cdff5850cab9fcff

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16402\VCRUNTIME140.dll
Filesize
87KB

MD5
0e675d4a7a5b7ccd69013386793f68eb

SHA1
6e5821ddd8fea6681bda4448816f39984a33596b

SHA256
bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1

SHA512
cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16402\base_library.zip
Filesize
759KB

MD5
79e88f2168b50571ecdf412c2d9a444a

SHA1
fda77e1b67812ebd48d5a77c31a58758a27dd80f

SHA256
65d1384c1fd5cc09d7d6ee7da7dbb65258dc4101c7aac20bced7ec50394f43fe

SHA512
55f0d9bef706c2c4ee4260f6444aebc2c9af46304b7bd4ed6d8c90589d9e6925c0f5b9a875997564bd21d905a0945e16879ed8af0f0d6abb799b4d932167cd0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16402\python37.dll
Filesize
3.6MB

MD5
5d8c22938d89077f64537a9d09cf6fd5

SHA1
15971f1b4bc2420eafbd40b0cd3fc4d2af204ec4

SHA256
8eb835d88e72e998b82916fb20a252af615d6e641827e013411239d115d5dd69

SHA512
dbd1febd18e29eab046b98f6b970e35e040adddead81561c0d165a1353a124d1dc26f3b3f5aa9ef0cb8e813baa8fc706514c0350c6428f25c5e5c050773b7d31

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI16402\python37.dll
Filesize
512KB

MD5
fabc5fef6a72d9a153cdf06c545066a1

SHA1
07d985dbbe587f1d1aa2e1a68e26fc5a047dca1b

SHA256
04920400016f321d6b2ec65ba92706251942e27136ee973df9e992dd20ac23f6

SHA512
068282d65727537b0972f025432ea5ad0a5e3fe41040bf8ec09c102122268437bd81181083129222106e159e35a02b3ddce5220a23bc3847d8873f16bacd1c93

Download Submit
memory/2672-38-0x000007FEF55A0000-0x000007FEF5F3D000-memory.dmp

Filesize
9.6MB

Download
memory/2672-37-0x0000000002660000-0x0000000002668000-memory.dmp

Filesize
32KB

Download
memory/2672-39-0x00000000023E0000-0x0000000002460000-memory.dmp

Filesize
512KB

Download
memory/2672-40-0x000007FEF55A0000-0x000007FEF5F3D000-memory.dmp

Filesize
9.6MB

Download
memory/2672-41-0x00000000023E0000-0x0000000002460000-memory.dmp

Filesize
512KB

Download
memory/2672-42-0x00000000023E0000-0x0000000002460000-memory.dmp

Filesize
512KB

Download
memory/2672-43-0x00000000023E0000-0x0000000002460000-memory.dmp

Filesize
512KB

Download
memory/2672-36-0x000000001B230000-0x000000001B512000-memory.dmp

Filesize
2.9MB

Download
memory/2672-45-0x00000000023E0000-0x0000000002460000-memory.dmp

Filesize
512KB

Download
memory/2672-46-0x000007FEF55A0000-0x000007FEF5F3D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing