b21108773bcfe94baed6d0c71eb19a060977f3b5486f5cc5b8091faa36828a5d

General

Target

b21108773bcfe94baed6d0c71eb19a060977f3b5486f5cc5b8091faa36828a5d.exe
Size

5.0MB
MD5

9a70be83ae4ac6486cc6153e626a6a88
SHA1

c53a284096c93f5c56998c83dfbb57c62518b8b8
SHA256

b21108773bcfe94baed6d0c71eb19a060977f3b5486f5cc5b8091faa36828a5d
SHA512

8d03ac3eb1e09e1ca44cd0edeaa95cfa15528dac9c7416a8285dd8e0c6bc17fffdab2e4671c08647bfe5004fe4f9cb17dc3a6584ed971a19f5931c4ea94ebea4
SSDEEP

98304:vSi99m5Hc2lsmzkl6WYGYstGFsNzjmZ8e7COrJi9MR6XPChNuz8wW:99GHcpAGYs9Nbe7XsX6h4W

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

b21108773bcfe94baed6d0c71eb19a060977f3b5486f5cc5b8091faa36828a5d.tmp

pid process

1676 b21108773bcfe94baed6d0c71eb19a060977f3b5486f5cc5b8091faa36828a5d.tmp
Loads dropped DLL 1 IoCs

Processes:

b21108773bcfe94baed6d0c71eb19a060977f3b5486f5cc5b8091faa36828a5d.exe

pid process

856 b21108773bcfe94baed6d0c71eb19a060977f3b5486f5cc5b8091faa36828a5d.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2556 taskkill.exe
Runs net.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

b21108773bcfe94baed6d0c71eb19a060977f3b5486f5cc5b8091faa36828a5d.tmp

pid process

1676 b21108773bcfe94baed6d0c71eb19a060977f3b5486f5cc5b8091faa36828a5d.tmp
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 2556 taskkill.exe

pid	process
1676	b21108773bcfe94baed6d0c71eb19a060977f3b5486f5cc5b8091faa36828a5d.tmp

pid	process
856	b21108773bcfe94baed6d0c71eb19a060977f3b5486f5cc5b8091faa36828a5d.exe

pid	process
2556	taskkill.exe

pid	process
1676	b21108773bcfe94baed6d0c71eb19a060977f3b5486f5cc5b8091faa36828a5d.tmp

description	pid	process
Token: SeDebugPrivilege	2556	taskkill.exe

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

b21108773bcfe94baed6d0c71eb19a060977f3b5486f5cc5b8091faa36828a5d.exeb21108773bcfe94baed6d0c71eb19a060977f3b5486f5cc5b8091faa36828a5d.tmpcmd.exenet.execmd.exenet.execmd.exenet.execmd.exe

description	pid	process	target process
PID 856 wrote to memory of 1676	856	b21108773bcfe94baed6d0c71eb19a060977f3b5486f5cc5b8091faa36828a5d.exe	b21108773bcfe94baed6d0c71eb19a060977f3b5486f5cc5b8091faa36828a5d.tmp
PID 856 wrote to memory of 1676	856	b21108773bcfe94baed6d0c71eb19a060977f3b5486f5cc5b8091faa36828a5d.exe	b21108773bcfe94baed6d0c71eb19a060977f3b5486f5cc5b8091faa36828a5d.tmp
PID 856 wrote to memory of 1676	856	b21108773bcfe94baed6d0c71eb19a060977f3b5486f5cc5b8091faa36828a5d.exe	b21108773bcfe94baed6d0c71eb19a060977f3b5486f5cc5b8091faa36828a5d.tmp
PID 856 wrote to memory of 1676	856	b21108773bcfe94baed6d0c71eb19a060977f3b5486f5cc5b8091faa36828a5d.exe	b21108773bcfe94baed6d0c71eb19a060977f3b5486f5cc5b8091faa36828a5d.tmp
PID 856 wrote to memory of 1676	856	b21108773bcfe94baed6d0c71eb19a060977f3b5486f5cc5b8091faa36828a5d.exe	b21108773bcfe94baed6d0c71eb19a060977f3b5486f5cc5b8091faa36828a5d.tmp
PID 856 wrote to memory of 1676	856	b21108773bcfe94baed6d0c71eb19a060977f3b5486f5cc5b8091faa36828a5d.exe	b21108773bcfe94baed6d0c71eb19a060977f3b5486f5cc5b8091faa36828a5d.tmp
PID 856 wrote to memory of 1676	856	b21108773bcfe94baed6d0c71eb19a060977f3b5486f5cc5b8091faa36828a5d.exe	b21108773bcfe94baed6d0c71eb19a060977f3b5486f5cc5b8091faa36828a5d.tmp
PID 1676 wrote to memory of 2612	1676	b21108773bcfe94baed6d0c71eb19a060977f3b5486f5cc5b8091faa36828a5d.tmp	cmd.exe
PID 1676 wrote to memory of 2612	1676	b21108773bcfe94baed6d0c71eb19a060977f3b5486f5cc5b8091faa36828a5d.tmp	cmd.exe
PID 1676 wrote to memory of 2612	1676	b21108773bcfe94baed6d0c71eb19a060977f3b5486f5cc5b8091faa36828a5d.tmp	cmd.exe
PID 1676 wrote to memory of 2612	1676	b21108773bcfe94baed6d0c71eb19a060977f3b5486f5cc5b8091faa36828a5d.tmp	cmd.exe
PID 2612 wrote to memory of 2984	2612	cmd.exe	net.exe
PID 2612 wrote to memory of 2984	2612	cmd.exe	net.exe
PID 2612 wrote to memory of 2984	2612	cmd.exe	net.exe
PID 2612 wrote to memory of 2984	2612	cmd.exe	net.exe
PID 2984 wrote to memory of 2532	2984	net.exe	net1.exe
PID 2984 wrote to memory of 2532	2984	net.exe	net1.exe
PID 2984 wrote to memory of 2532	2984	net.exe	net1.exe
PID 2984 wrote to memory of 2532	2984	net.exe	net1.exe
PID 1676 wrote to memory of 2084	1676	b21108773bcfe94baed6d0c71eb19a060977f3b5486f5cc5b8091faa36828a5d.tmp	cmd.exe
PID 1676 wrote to memory of 2084	1676	b21108773bcfe94baed6d0c71eb19a060977f3b5486f5cc5b8091faa36828a5d.tmp	cmd.exe
PID 1676 wrote to memory of 2084	1676	b21108773bcfe94baed6d0c71eb19a060977f3b5486f5cc5b8091faa36828a5d.tmp	cmd.exe
PID 1676 wrote to memory of 2084	1676	b21108773bcfe94baed6d0c71eb19a060977f3b5486f5cc5b8091faa36828a5d.tmp	cmd.exe
PID 2084 wrote to memory of 2628	2084	cmd.exe	net.exe
PID 2084 wrote to memory of 2628	2084	cmd.exe	net.exe
PID 2084 wrote to memory of 2628	2084	cmd.exe	net.exe
PID 2084 wrote to memory of 2628	2084	cmd.exe	net.exe
PID 2628 wrote to memory of 2632	2628	net.exe	net1.exe
PID 2628 wrote to memory of 2632	2628	net.exe	net1.exe
PID 2628 wrote to memory of 2632	2628	net.exe	net1.exe
PID 2628 wrote to memory of 2632	2628	net.exe	net1.exe
PID 1676 wrote to memory of 2648	1676	b21108773bcfe94baed6d0c71eb19a060977f3b5486f5cc5b8091faa36828a5d.tmp	cmd.exe
PID 1676 wrote to memory of 2648	1676	b21108773bcfe94baed6d0c71eb19a060977f3b5486f5cc5b8091faa36828a5d.tmp	cmd.exe
PID 1676 wrote to memory of 2648	1676	b21108773bcfe94baed6d0c71eb19a060977f3b5486f5cc5b8091faa36828a5d.tmp	cmd.exe
PID 1676 wrote to memory of 2648	1676	b21108773bcfe94baed6d0c71eb19a060977f3b5486f5cc5b8091faa36828a5d.tmp	cmd.exe
PID 2648 wrote to memory of 2576	2648	cmd.exe	net.exe
PID 2648 wrote to memory of 2576	2648	cmd.exe	net.exe
PID 2648 wrote to memory of 2576	2648	cmd.exe	net.exe
PID 2648 wrote to memory of 2576	2648	cmd.exe	net.exe
PID 2576 wrote to memory of 3044	2576	net.exe	net1.exe
PID 2576 wrote to memory of 3044	2576	net.exe	net1.exe
PID 2576 wrote to memory of 3044	2576	net.exe	net1.exe
PID 2576 wrote to memory of 3044	2576	net.exe	net1.exe
PID 1676 wrote to memory of 2548	1676	b21108773bcfe94baed6d0c71eb19a060977f3b5486f5cc5b8091faa36828a5d.tmp	cmd.exe
PID 1676 wrote to memory of 2548	1676	b21108773bcfe94baed6d0c71eb19a060977f3b5486f5cc5b8091faa36828a5d.tmp	cmd.exe
PID 1676 wrote to memory of 2548	1676	b21108773bcfe94baed6d0c71eb19a060977f3b5486f5cc5b8091faa36828a5d.tmp	cmd.exe
PID 1676 wrote to memory of 2548	1676	b21108773bcfe94baed6d0c71eb19a060977f3b5486f5cc5b8091faa36828a5d.tmp	cmd.exe
PID 2548 wrote to memory of 2556	2548	cmd.exe	taskkill.exe
PID 2548 wrote to memory of 2556	2548	cmd.exe	taskkill.exe
PID 2548 wrote to memory of 2556	2548	cmd.exe	taskkill.exe
PID 2548 wrote to memory of 2556	2548	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\b21108773bcfe94baed6d0c71eb19a060977f3b5486f5cc5b8091faa36828a5d.exe
"C:\Users\Admin\AppData\Local\Temp\b21108773bcfe94baed6d0c71eb19a060977f3b5486f5cc5b8091faa36828a5d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:856

C:\Users\Admin\AppData\Local\Temp\is-8AB5L.tmp\b21108773bcfe94baed6d0c71eb19a060977f3b5486f5cc5b8091faa36828a5d.tmp
"C:\Users\Admin\AppData\Local\Temp\is-8AB5L.tmp\b21108773bcfe94baed6d0c71eb19a060977f3b5486f5cc5b8091faa36828a5d.tmp" /SL5="$70120,4399595,824832,C:\Users\Admin\AppData\Local\Temp\b21108773bcfe94baed6d0c71eb19a060977f3b5486f5cc5b8091faa36828a5d.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1676

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c net stop tacticalagent
3⤵
- Suspicious use of WriteProcessMemory
PID:2612

C:\Windows\SysWOW64\net.exe
net stop tacticalagent
4⤵
- Suspicious use of WriteProcessMemory
PID:2984

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop tacticalagent
5⤵
PID:2532

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c net stop checkrunner
3⤵
- Suspicious use of WriteProcessMemory
PID:2084

C:\Windows\SysWOW64\net.exe
net stop checkrunner
4⤵
- Suspicious use of WriteProcessMemory
PID:2628

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop checkrunner
5⤵
PID:2632

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c net stop tacticalrpc
3⤵
- Suspicious use of WriteProcessMemory
PID:2648

C:\Windows\SysWOW64\net.exe
net stop tacticalrpc
4⤵
- Suspicious use of WriteProcessMemory
PID:2576

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop tacticalrpc
5⤵
PID:3044

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c taskkill /F /IM tacticalrmm.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:2548

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM tacticalrmm.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2556

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\is-8AB5L.tmp\b21108773bcfe94baed6d0c71eb19a060977f3b5486f5cc5b8091faa36828a5d.tmp

Filesize
2.9MB

MD5
e539979bd774004c9b22d69e9f659eb9

SHA1
15b19c5fbfa9d45aff40ee280bab08c18c092992

SHA256
d3e9d55fe3fabf3d4f1edd0911b4f83cba14b390e32098a18a80d11ca0331d72

SHA512
12b70b99a503da2c211eebf83638f638aa1b7f3d0be32ede5914b1005de6e9de8f25011223e9baa01ba593ec4aa725df98845dc80a945f1ec970f79adb580c4a

Download Submit
memory/856-0-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/856-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/856-10-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/1676-8-0x0000000000400000-0x00000000006F9000-memory.dmp

Filesize
3.0MB

Download
memory/1676-11-0x0000000000400000-0x00000000006F9000-memory.dmp

Filesize
3.0MB

Download

Analysis

Sharing