a505c17117d77b38d502a1386392c94ed32d559819a5106de1bda80516d976ef

General

Target

a505c17117d77b38d502a1386392c94ed32d559819a5106de1bda80516d976ef.exe
Size

1.2MB
MD5

cb04e4165970dbd63faf5741f0029684
SHA1

078fd9a302c529336f8abea032eb3b5c4f911242
SHA256

a505c17117d77b38d502a1386392c94ed32d559819a5106de1bda80516d976ef
SHA512

65c0b0fdb31067cb1501f49f5da7d66a71bdbb0936c857347ab826e2692035435ccd2cac33998b18b5931e0dcd937e8c2a80bb61b24d816c39e75b2354f8c9bd
SSDEEP

24576:YAHnh+eWsN3skA4RV1Hom2KXMmHaQ7gmDCeBxWTdlRIz5:fh+ZkldoPK8YaIgmHLWTvK

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 4 IoCs

Processes:

a505c17117d77b38d502a1386392c94ed32d559819a5106de1bda80516d976ef.exesvchost.exewhoami.exe

description	pid	process	target process
PID 1648 set thread context of 2216	1648	a505c17117d77b38d502a1386392c94ed32d559819a5106de1bda80516d976ef.exe	svchost.exe
PID 2216 set thread context of 1204	2216	svchost.exe	Explorer.EXE
PID 2216 set thread context of 2820	2216	svchost.exe	whoami.exe
PID 2820 set thread context of 1204	2820	whoami.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

svchost.exewhoami.exe

pid	process
2216	svchost.exe
2216	svchost.exe
2216	svchost.exe
2216	svchost.exe
2216	svchost.exe
2216	svchost.exe
2216	svchost.exe
2216	svchost.exe
2820	whoami.exe
2820	whoami.exe
2820	whoami.exe
2820	whoami.exe
2820	whoami.exe
2820	whoami.exe
2820	whoami.exe
2820	whoami.exe
2820	whoami.exe
2820	whoami.exe
2820	whoami.exe
2820	whoami.exe
2820	whoami.exe
2820	whoami.exe
2820	whoami.exe
2820	whoami.exe
2820	whoami.exe
2820	whoami.exe
2820	whoami.exe
2820	whoami.exe
2820	whoami.exe
2820	whoami.exe
2820	whoami.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

a505c17117d77b38d502a1386392c94ed32d559819a5106de1bda80516d976ef.exesvchost.exeExplorer.EXEwhoami.exe

pid	process
1648	a505c17117d77b38d502a1386392c94ed32d559819a5106de1bda80516d976ef.exe
2216	svchost.exe
1204	Explorer.EXE
1204	Explorer.EXE
2820	whoami.exe
2820	whoami.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

a505c17117d77b38d502a1386392c94ed32d559819a5106de1bda80516d976ef.exeExplorer.EXE

pid	process
1648	a505c17117d77b38d502a1386392c94ed32d559819a5106de1bda80516d976ef.exe
1648	a505c17117d77b38d502a1386392c94ed32d559819a5106de1bda80516d976ef.exe
1204	Explorer.EXE
1204	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

Processes:

a505c17117d77b38d502a1386392c94ed32d559819a5106de1bda80516d976ef.exe

pid	process
1648	a505c17117d77b38d502a1386392c94ed32d559819a5106de1bda80516d976ef.exe
1648	a505c17117d77b38d502a1386392c94ed32d559819a5106de1bda80516d976ef.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

a505c17117d77b38d502a1386392c94ed32d559819a5106de1bda80516d976ef.exeExplorer.EXE

description	pid	process	target process
PID 1648 wrote to memory of 2216	1648	a505c17117d77b38d502a1386392c94ed32d559819a5106de1bda80516d976ef.exe	svchost.exe
PID 1648 wrote to memory of 2216	1648	a505c17117d77b38d502a1386392c94ed32d559819a5106de1bda80516d976ef.exe	svchost.exe
PID 1648 wrote to memory of 2216	1648	a505c17117d77b38d502a1386392c94ed32d559819a5106de1bda80516d976ef.exe	svchost.exe
PID 1648 wrote to memory of 2216	1648	a505c17117d77b38d502a1386392c94ed32d559819a5106de1bda80516d976ef.exe	svchost.exe
PID 1648 wrote to memory of 2216	1648	a505c17117d77b38d502a1386392c94ed32d559819a5106de1bda80516d976ef.exe	svchost.exe
PID 1204 wrote to memory of 2820	1204	Explorer.EXE	whoami.exe
PID 1204 wrote to memory of 2820	1204	Explorer.EXE	whoami.exe
PID 1204 wrote to memory of 2820	1204	Explorer.EXE	whoami.exe
PID 1204 wrote to memory of 2820	1204	Explorer.EXE	whoami.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1204

C:\Users\Admin\AppData\Local\Temp\a505c17117d77b38d502a1386392c94ed32d559819a5106de1bda80516d976ef.exe
"C:\Users\Admin\AppData\Local\Temp\a505c17117d77b38d502a1386392c94ed32d559819a5106de1bda80516d976ef.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1648

C:\Windows\SysWOW64\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\a505c17117d77b38d502a1386392c94ed32d559819a5106de1bda80516d976ef.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2216

C:\Windows\SysWOW64\whoami.exe
"C:\Windows\SysWOW64\whoami.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2820

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\maneuverability
Filesize
268KB

MD5
b108d89a92c27349d5f10c5c85371940

SHA1
8ebdbe3f9b47aca1df1dac9b45038740bacdd4e8

SHA256
c155ed4f0f7ad8eb0ededb57b0c88113ba5bb11d22274d46d8cc16db136a6be0

SHA512
95b1164c67d38f7e645fd2e39fcf948967ee3d2f2a9f2fd384eb86a3079d05a079c001b44c6c8198217e780e67779e7d1314ac1ff07f910163ee993b1c750bb2

Download Submit
memory/1204-29-0x00000000090C0000-0x000000000A03C000-memory.dmp

Filesize
15.5MB

Download
memory/1204-20-0x00000000090C0000-0x000000000A03C000-memory.dmp

Filesize
15.5MB

Download
memory/1204-18-0x0000000003B70000-0x0000000003C70000-memory.dmp

Filesize
1024KB

Download
memory/1648-11-0x00000000001A0000-0x00000000001A4000-memory.dmp

Filesize
16KB

Download
memory/2216-15-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2216-24-0x00000000001E0000-0x0000000000202000-memory.dmp

Filesize
136KB

Download
memory/2216-17-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2216-19-0x00000000001E0000-0x0000000000202000-memory.dmp

Filesize
136KB

Download
memory/2216-14-0x0000000000790000-0x0000000000A93000-memory.dmp

Filesize
3.0MB

Download
memory/2216-13-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2216-12-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2216-16-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2216-23-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2820-22-0x00000000000D0000-0x0000000000110000-memory.dmp

Filesize
256KB

Download
memory/2820-25-0x0000000001FA0000-0x00000000022A3000-memory.dmp

Filesize
3.0MB

Download
memory/2820-26-0x00000000000D0000-0x0000000000110000-memory.dmp

Filesize
256KB

Download
memory/2820-28-0x0000000001BE0000-0x0000000001C81000-memory.dmp

Filesize
644KB

Download
memory/2820-21-0x00000000000D0000-0x0000000000110000-memory.dmp

Filesize
256KB

Download
memory/2820-30-0x00000000000D0000-0x0000000000110000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads