d484f0c77d2b8f4b37781b075d763d7fdd72d98cabbd654e3731c41eb335d270

General

Target

d484f0c77d2b8f4b37781b075d763d7fdd72d98cabbd654e3731c41eb335d270.exe
Size

705KB
MD5

e0de11e16d2fc5685ec2bbfdb93c3dbf
SHA1

3afb423147b6bb9e3043c92fa7bfd3e31af1947c
SHA256

d484f0c77d2b8f4b37781b075d763d7fdd72d98cabbd654e3731c41eb335d270
SHA512

27c6f526e22ae49b0c8cbd6eb55b5d52e9ff41e98bc3b98fa3d22ce2b2bdd93c12ecddf8a57a9f16cf55ad5716bdd44462d6d7e61eeabe54fcf3536c9ff35abd
SSDEEP

12288:EW9B+VKYlhw0tgZNPNUl5KRgT3h2VR/9fyBoYJ6YNuwnReNEHFvlJsAStmhskK:EW9BsntGDjVNpyeYJ6YUwnRfWgK

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
464	Process not Found
2576	alg.exe
1728	aspnet_state.exe
1684	mscorsvw.exe
3064	mscorsvw.exe

Loads dropped DLL 2 IoCs

pid	Process
464	Process not Found
464	Process not Found

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	d484f0c77d2b8f4b37781b075d763d7fdd72d98cabbd654e3731c41eb335d270.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\c0a266ef9b392089.bin	alg.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	d484f0c77d2b8f4b37781b075d763d7fdd72d98cabbd654e3731c41eb335d270.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	d484f0c77d2b8f4b37781b075d763d7fdd72d98cabbd654e3731c41eb335d270.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	d484f0c77d2b8f4b37781b075d763d7fdd72d98cabbd654e3731c41eb335d270.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	d484f0c77d2b8f4b37781b075d763d7fdd72d98cabbd654e3731c41eb335d270.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2788	d484f0c77d2b8f4b37781b075d763d7fdd72d98cabbd654e3731c41eb335d270.exe

C:\Users\Admin\AppData\Local\Temp\d484f0c77d2b8f4b37781b075d763d7fdd72d98cabbd654e3731c41eb335d270.exe
"C:\Users\Admin\AppData\Local\Temp\d484f0c77d2b8f4b37781b075d763d7fdd72d98cabbd654e3731c41eb335d270.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2788

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2576

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:1728

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1684

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3064

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
21769e9c18ed005ec6ba44b513a0e621

SHA1
068fd45b17c83dff308a08f7c4291c1e82091de1

SHA256
a54dba49d2fef8b979e234e3ae51999393085df3c818109608883fe43c93c9b4

SHA512
9c70f9ed8c7968bfe9f49d23b816ec33d9fee287c4d66e7f38d54403e9dddae7b813af30f32d075fe2f3c7ea1438dead81cf90887498ad83e41134e7ef5b33dd

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
7438f8fbe7da655f3c53ebedf489996e

SHA1
ef55f9571edab47adacdc6a4b6e9a475a73cca4d

SHA256
9233e7e993e163c2ba0b485eae49994e1b30f6fa3749649c0604148fe72b2b58

SHA512
e6638a819334831cceaa4192734e55f84bc0f19a6db1b9bc4dce2b347f1bfe590103339dd978109e5f46251d383981b2a4cade779c5afdd09296e9fca6ff8e38

Download Submit
C:\Windows\System32\alg.exe

Filesize
644KB

MD5
4180ed5857adbf9619a6ab65091ef69a

SHA1
9a0158983299d6724bceed2813f5818b1bee36ed

SHA256
54b606860c44809ce349d09d1868957f145ea10fc767e7daa3e8b28acb2de6f9

SHA512
69f716216d8d174dbc832378f332d29fdc9863c68887659be1b54b0064fcc2bfe21c8053f3eae5d752fa2c8db45513ce4d91245ea702b6a073b8f6c0b2d492ce

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
a1025eafcba5cedb00ebf8ecb680a2fc

SHA1
116351561ab51fc209914d630d32c7d0db8cbb0c

SHA256
db77c57d34dbb16af89d60d56b3dae8281304b7636e67f73d252573374d4a4fc

SHA512
1118acfb2e143dccd7a8af25d456761088253649883651a423014c175e1d3d6532f00826d9c5f2fbc32fb7ba1ca2152ecf8fe8be4463826a3f386268b2460986

Download Submit
memory/1684-52-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/1684-46-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1684-40-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1684-39-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/1728-33-0x0000000000450000-0x00000000004B0000-memory.dmp

Filesize
384KB

Download
memory/1728-37-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/1728-26-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/1728-27-0x0000000000450000-0x00000000004B0000-memory.dmp

Filesize
384KB

Download
memory/2576-12-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/2576-34-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2576-19-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/2576-13-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2788-0-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2788-23-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2788-6-0x0000000000370000-0x00000000003D7000-memory.dmp

Filesize
412KB

Download
memory/2788-7-0x0000000000370000-0x00000000003D7000-memory.dmp

Filesize
412KB

Download
memory/2788-1-0x0000000000370000-0x00000000003D7000-memory.dmp

Filesize
412KB

Download
memory/3064-55-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/3064-56-0x00000000005A0000-0x0000000000600000-memory.dmp

Filesize
384KB

Download
memory/3064-63-0x00000000005A0000-0x0000000000600000-memory.dmp

Filesize
384KB

Download
memory/3064-73-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download

Analysis

Sharing