363a0caf3081cf2e884e78477b6d29375caa9b11209c2a0713c0640ce57e0943

General

Target

363a0caf3081cf2e884e78477b6d29375caa9b11209c2a0713c0640ce57e0943.exe
Size

1.0MB
MD5

fbedfb3f7b3972064e89527e731dc60a
SHA1

6f6a87a2308d265418ca853e745c1fa3d7e2dbfb
SHA256

363a0caf3081cf2e884e78477b6d29375caa9b11209c2a0713c0640ce57e0943
SHA512

6b06c16cc73f9f008105d12036525a51e7c779bdf52656fd319c13b0518dc345c2760a2ebf221ed6a5f61c3b201a155fa03326ec3c6c27dbf8cb191d300ddf70
SSDEEP

24576:OATWl5H0A6qxOKVU3yV2MUdLKZIif+yGtHKqL7oEkGQ6S2:hsyv0R5VFo+ZR8lKgVQ6/

Score

1^/10

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

363a0caf3081cf2e884e78477b6d29375caa9b11209c2a0713c0640ce57e0943.exe

description pid process

Token: SeDebugPrivilege 2212 363a0caf3081cf2e884e78477b6d29375caa9b11209c2a0713c0640ce57e0943.exe

description	pid	process
Token: SeDebugPrivilege	2212	363a0caf3081cf2e884e78477b6d29375caa9b11209c2a0713c0640ce57e0943.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

363a0caf3081cf2e884e78477b6d29375caa9b11209c2a0713c0640ce57e0943.execsc.exe

description	pid	process	target process
PID 2212 wrote to memory of 1696	2212	363a0caf3081cf2e884e78477b6d29375caa9b11209c2a0713c0640ce57e0943.exe	csc.exe
PID 2212 wrote to memory of 1696	2212	363a0caf3081cf2e884e78477b6d29375caa9b11209c2a0713c0640ce57e0943.exe	csc.exe
PID 2212 wrote to memory of 1696	2212	363a0caf3081cf2e884e78477b6d29375caa9b11209c2a0713c0640ce57e0943.exe	csc.exe
PID 1696 wrote to memory of 3028	1696	csc.exe	cvtres.exe
PID 1696 wrote to memory of 3028	1696	csc.exe	cvtres.exe
PID 1696 wrote to memory of 3028	1696	csc.exe	cvtres.exe
PID 2212 wrote to memory of 2532	2212	363a0caf3081cf2e884e78477b6d29375caa9b11209c2a0713c0640ce57e0943.exe	WerFault.exe
PID 2212 wrote to memory of 2532	2212	363a0caf3081cf2e884e78477b6d29375caa9b11209c2a0713c0640ce57e0943.exe	WerFault.exe
PID 2212 wrote to memory of 2532	2212	363a0caf3081cf2e884e78477b6d29375caa9b11209c2a0713c0640ce57e0943.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\363a0caf3081cf2e884e78477b6d29375caa9b11209c2a0713c0640ce57e0943.exe
"C:\Users\Admin\AppData\Local\Temp\363a0caf3081cf2e884e78477b6d29375caa9b11209c2a0713c0640ce57e0943.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2212

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\q3hqls0e\q3hqls0e.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1696

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1D22.tmp" "c:\Users\Admin\AppData\Local\Temp\q3hqls0e\CSCAB3E844B71664913AF325D7B79F2FED5.TMP"
3⤵
PID:3028

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2212 -s 596
2⤵
PID:2532

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES1D22.tmp
Filesize
1KB

MD5
5b8aed36809ba38048542f75c13bad6b

SHA1
06f506891f6513bf7a9bc931601f4e7778d51e1b

SHA256
ad585ba48c93ad14334b158b4119ffc9524f01f64fc314594bb3584f2183ea90

SHA512
b6d0af970d8002bda5517d833ec01a40eb5beb96f125d0df693dc8a09173759351c4668c2188e8f1f12c81549ff91affbe346cb3c32010110e2668a604e5b046

Download Submit
C:\Users\Admin\AppData\Local\Temp\q3hqls0e\q3hqls0e.dll
Filesize
6KB

MD5
1626522b24ff2fa90daed2b363ad77f7

SHA1
0f00a255db364cbf4b9a91e7f3bdbdf06d4e6e05

SHA256
7366c7d3602bf103bb112c01d9cd4ff9eb57c35bdd6d1dfa26592b3f63874bea

SHA512
dfdafa27c176981fe4538ee658e1d30dfb7ccf7276e3a31be1c19324b7a13d24dd6784d563ef45bea58505f173c940218a0f8755cdb0170aadb4789985a29154

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\q3hqls0e\CSCAB3E844B71664913AF325D7B79F2FED5.TMP
Filesize
652B

MD5
9b997d1146d227892b4597e31bcf0f96

SHA1
92b74ebbbc7d0897013862cc40b01e4de67bb926

SHA256
516385a5587df05670c1141175ee7da139cb095dd346187fab6a706053d3edcd

SHA512
0916219455619f8e00fd6ee8006656f8ae70747a4d20b5e9c89418d9d8809216de90e7cfac56f40ce2517cd3b107c4047fea3fd50aec44d432d3bce9bcfa2548

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\q3hqls0e\q3hqls0e.0.cs
Filesize
4KB

MD5
d784666bd143ad91647f8e799749e071

SHA1
706389c04825f2e12a24d00f67ea7140cdccf4ef

SHA256
3bd5920de953fb49e0aec7994f20bcd50d304acf5a3f4f3b23d7408a6cb41ac6

SHA512
c5a4c8817e19df8ad88aae8b9caa243235b23c31bf493704cddcb46e88df203b5fc5b03b535b06bade9816782828b7ba8c5fe247384c344677e570a15bcd07ac

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\q3hqls0e\q3hqls0e.cmdline
Filesize
366B

MD5
5f805541bdbc72cfdbfcd154cbe16990

SHA1
b9fe9d5b0376093e70bc9bde9628751d451fb547

SHA256
666c3a59096dc4e1b9062ba8f6825f56f9c05246bfb20ae633ce41e826bcaa0c

SHA512
0102e544f1c9801d1ff1afbbae29031d7820c176f9ec1501f2b56906a7189ae068cc9ec6de301a33516b7264367982bd00a413c46a724566b12eaa26ae4e0da4

Download Submit
memory/2212-0-0x0000000000D20000-0x0000000000D9E000-memory.dmp

Filesize
504KB

Download
memory/2212-1-0x000007FEF5AD0000-0x000007FEF64BC000-memory.dmp

Filesize
9.9MB

Download
memory/2212-2-0x000000001B380000-0x000000001B400000-memory.dmp

Filesize
512KB

Download
memory/2212-15-0x0000000000270000-0x0000000000278000-memory.dmp

Filesize
32KB

Download
memory/2212-17-0x000007FEF5AD0000-0x000007FEF64BC000-memory.dmp

Filesize
9.9MB

Download
memory/2212-18-0x000000001B380000-0x000000001B400000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads