5228429e6eefc6336ac71c6f0c7c8fbd2770451057a951657e338d1cdd5d6c80

General

Target

5228429e6eefc6336ac71c6f0c7c8fbd2770451057a951657e338d1cdd5d6c80.exe
Size

876KB
MD5

beb116406043adf5d6fe5c688eae6d15
SHA1

f61c10b86ddad9dfde65ec4a923fedb253d52021
SHA256

5228429e6eefc6336ac71c6f0c7c8fbd2770451057a951657e338d1cdd5d6c80
SHA512

0005dc3a469a0d88208b9846611a13cefa7e996ffb7a12cd29f847b8c882eaf31a687e2e138e43379fbbb3a5dfe5174c4bbf58a17893ed116142ac1f48f40d25
SSDEEP

24576:jw4bjw4bBQ1mvhl5zJWunpgghRD7X84HYFZ7s:jw4bjw4bBQ+FWWpgUVHSBs

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 4 IoCs

Processes:

5228429e6eefc6336ac71c6f0c7c8fbd2770451057a951657e338d1cdd5d6c80.exeRegSvcs.exeiexpress.exe

description	pid	process	target process
PID 2356 set thread context of 2588	2356	5228429e6eefc6336ac71c6f0c7c8fbd2770451057a951657e338d1cdd5d6c80.exe	RegSvcs.exe
PID 2588 set thread context of 1144	2588	RegSvcs.exe	Explorer.EXE
PID 2588 set thread context of 2420	2588	RegSvcs.exe	iexpress.exe
PID 2420 set thread context of 1144	2420	iexpress.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

5228429e6eefc6336ac71c6f0c7c8fbd2770451057a951657e338d1cdd5d6c80.exeRegSvcs.exeiexpress.exe

pid	process
2356	5228429e6eefc6336ac71c6f0c7c8fbd2770451057a951657e338d1cdd5d6c80.exe
2356	5228429e6eefc6336ac71c6f0c7c8fbd2770451057a951657e338d1cdd5d6c80.exe
2588	RegSvcs.exe
2588	RegSvcs.exe
2588	RegSvcs.exe
2588	RegSvcs.exe
2588	RegSvcs.exe
2588	RegSvcs.exe
2588	RegSvcs.exe
2588	RegSvcs.exe
2420	iexpress.exe
2420	iexpress.exe
2420	iexpress.exe
2420	iexpress.exe
2420	iexpress.exe
2420	iexpress.exe
2420	iexpress.exe
2420	iexpress.exe
2420	iexpress.exe
2420	iexpress.exe
2420	iexpress.exe
2420	iexpress.exe
2420	iexpress.exe
2420	iexpress.exe
2420	iexpress.exe
2420	iexpress.exe
2420	iexpress.exe
2420	iexpress.exe
2420	iexpress.exe
2420	iexpress.exe
2420	iexpress.exe
2420	iexpress.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

RegSvcs.exeExplorer.EXEiexpress.exe

pid process

2588 RegSvcs.exe
1144 Explorer.EXE
1144 Explorer.EXE
2420 iexpress.exe
2420 iexpress.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

5228429e6eefc6336ac71c6f0c7c8fbd2770451057a951657e338d1cdd5d6c80.exe

description pid process

Token: SeDebugPrivilege 2356 5228429e6eefc6336ac71c6f0c7c8fbd2770451057a951657e338d1cdd5d6c80.exe

pid	process
2588	RegSvcs.exe
1144	Explorer.EXE
1144	Explorer.EXE
2420	iexpress.exe
2420	iexpress.exe

description	pid	process
Token: SeDebugPrivilege	2356	5228429e6eefc6336ac71c6f0c7c8fbd2770451057a951657e338d1cdd5d6c80.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

5228429e6eefc6336ac71c6f0c7c8fbd2770451057a951657e338d1cdd5d6c80.exeExplorer.EXE

description	pid	process	target process
PID 2356 wrote to memory of 2588	2356	5228429e6eefc6336ac71c6f0c7c8fbd2770451057a951657e338d1cdd5d6c80.exe	RegSvcs.exe
PID 2356 wrote to memory of 2588	2356	5228429e6eefc6336ac71c6f0c7c8fbd2770451057a951657e338d1cdd5d6c80.exe	RegSvcs.exe
PID 2356 wrote to memory of 2588	2356	5228429e6eefc6336ac71c6f0c7c8fbd2770451057a951657e338d1cdd5d6c80.exe	RegSvcs.exe
PID 2356 wrote to memory of 2588	2356	5228429e6eefc6336ac71c6f0c7c8fbd2770451057a951657e338d1cdd5d6c80.exe	RegSvcs.exe
PID 2356 wrote to memory of 2588	2356	5228429e6eefc6336ac71c6f0c7c8fbd2770451057a951657e338d1cdd5d6c80.exe	RegSvcs.exe
PID 2356 wrote to memory of 2588	2356	5228429e6eefc6336ac71c6f0c7c8fbd2770451057a951657e338d1cdd5d6c80.exe	RegSvcs.exe
PID 2356 wrote to memory of 2588	2356	5228429e6eefc6336ac71c6f0c7c8fbd2770451057a951657e338d1cdd5d6c80.exe	RegSvcs.exe
PID 2356 wrote to memory of 2588	2356	5228429e6eefc6336ac71c6f0c7c8fbd2770451057a951657e338d1cdd5d6c80.exe	RegSvcs.exe
PID 2356 wrote to memory of 2588	2356	5228429e6eefc6336ac71c6f0c7c8fbd2770451057a951657e338d1cdd5d6c80.exe	RegSvcs.exe
PID 2356 wrote to memory of 2588	2356	5228429e6eefc6336ac71c6f0c7c8fbd2770451057a951657e338d1cdd5d6c80.exe	RegSvcs.exe
PID 1144 wrote to memory of 2420	1144	Explorer.EXE	iexpress.exe
PID 1144 wrote to memory of 2420	1144	Explorer.EXE	iexpress.exe
PID 1144 wrote to memory of 2420	1144	Explorer.EXE	iexpress.exe
PID 1144 wrote to memory of 2420	1144	Explorer.EXE	iexpress.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1144

C:\Users\Admin\AppData\Local\Temp\5228429e6eefc6336ac71c6f0c7c8fbd2770451057a951657e338d1cdd5d6c80.exe
"C:\Users\Admin\AppData\Local\Temp\5228429e6eefc6336ac71c6f0c7c8fbd2770451057a951657e338d1cdd5d6c80.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2356

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2588

C:\Windows\SysWOW64\iexpress.exe
"C:\Windows\SysWOW64\iexpress.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2420

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1144-19-0x0000000003AE0000-0x0000000003BE0000-memory.dmp

Filesize
1024KB

Download
memory/1144-20-0x0000000009160000-0x000000000954D000-memory.dmp

Filesize
3.9MB

Download
memory/1144-28-0x0000000009160000-0x000000000954D000-memory.dmp

Filesize
3.9MB

Download
memory/2356-4-0x00000000007F0000-0x0000000000800000-memory.dmp

Filesize
64KB

Download
memory/2356-3-0x00000000005C0000-0x00000000005DA000-memory.dmp

Filesize
104KB

Download
memory/2356-5-0x0000000005770000-0x00000000057FA000-memory.dmp

Filesize
552KB

Download
memory/2356-0-0x000000007499E000-0x000000007499F000-memory.dmp

Filesize
4KB

Download
memory/2356-2-0x0000000074990000-0x000000007507E000-memory.dmp

Filesize
6.9MB

Download
memory/2356-13-0x0000000074990000-0x000000007507E000-memory.dmp

Filesize
6.9MB

Download
memory/2356-1-0x0000000000DA0000-0x0000000000E7E000-memory.dmp

Filesize
888KB

Download
memory/2420-29-0x00000000000D0000-0x000000000010F000-memory.dmp

Filesize
252KB

Download
memory/2420-27-0x0000000000F60000-0x0000000000FFE000-memory.dmp

Filesize
632KB

Download
memory/2420-26-0x00000000000D0000-0x000000000010F000-memory.dmp

Filesize
252KB

Download
memory/2420-25-0x0000000000BB0000-0x0000000000EB3000-memory.dmp

Filesize
3.0MB

Download
memory/2420-22-0x00000000000D0000-0x000000000010F000-memory.dmp

Filesize
252KB

Download
memory/2420-21-0x00000000000D0000-0x000000000010F000-memory.dmp

Filesize
252KB

Download
memory/2588-7-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2588-18-0x00000000002C0000-0x00000000002DF000-memory.dmp

Filesize
124KB

Download
memory/2588-17-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2588-16-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2588-24-0x00000000002C0000-0x00000000002DF000-memory.dmp

Filesize
124KB

Download
memory/2588-23-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2588-15-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2588-14-0x0000000000B90000-0x0000000000E93000-memory.dmp

Filesize
3.0MB

Download
memory/2588-8-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2588-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2588-12-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads