b21108773bcfe94baed6d0c71eb19a060977f3b5486f5cc5b8091faa36828a5d

General

Target

b21108773bcfe94baed6d0c71eb19a060977f3b5486f5cc5b8091faa36828a5d.exe
Size

5.0MB
MD5

9a70be83ae4ac6486cc6153e626a6a88
SHA1

c53a284096c93f5c56998c83dfbb57c62518b8b8
SHA256

b21108773bcfe94baed6d0c71eb19a060977f3b5486f5cc5b8091faa36828a5d
SHA512

8d03ac3eb1e09e1ca44cd0edeaa95cfa15528dac9c7416a8285dd8e0c6bc17fffdab2e4671c08647bfe5004fe4f9cb17dc3a6584ed971a19f5931c4ea94ebea4
SSDEEP

98304:vSi99m5Hc2lsmzkl6WYGYstGFsNzjmZ8e7COrJi9MR6XPChNuz8wW:99GHcpAGYs9Nbe7XsX6h4W

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

b21108773bcfe94baed6d0c71eb19a060977f3b5486f5cc5b8091faa36828a5d.tmp

pid process

2524 b21108773bcfe94baed6d0c71eb19a060977f3b5486f5cc5b8091faa36828a5d.tmp
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2304 taskkill.exe
Runs net.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 2304 taskkill.exe

pid	process
2524	b21108773bcfe94baed6d0c71eb19a060977f3b5486f5cc5b8091faa36828a5d.tmp

pid	process
2304	taskkill.exe

description	pid	process
Token: SeDebugPrivilege	2304	taskkill.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

b21108773bcfe94baed6d0c71eb19a060977f3b5486f5cc5b8091faa36828a5d.exeb21108773bcfe94baed6d0c71eb19a060977f3b5486f5cc5b8091faa36828a5d.tmpcmd.exenet.execmd.exenet.execmd.exenet.execmd.exe

description	pid	process	target process
PID 5044 wrote to memory of 2524	5044	b21108773bcfe94baed6d0c71eb19a060977f3b5486f5cc5b8091faa36828a5d.exe	b21108773bcfe94baed6d0c71eb19a060977f3b5486f5cc5b8091faa36828a5d.tmp
PID 5044 wrote to memory of 2524	5044	b21108773bcfe94baed6d0c71eb19a060977f3b5486f5cc5b8091faa36828a5d.exe	b21108773bcfe94baed6d0c71eb19a060977f3b5486f5cc5b8091faa36828a5d.tmp
PID 5044 wrote to memory of 2524	5044	b21108773bcfe94baed6d0c71eb19a060977f3b5486f5cc5b8091faa36828a5d.exe	b21108773bcfe94baed6d0c71eb19a060977f3b5486f5cc5b8091faa36828a5d.tmp
PID 2524 wrote to memory of 3248	2524	b21108773bcfe94baed6d0c71eb19a060977f3b5486f5cc5b8091faa36828a5d.tmp	cmd.exe
PID 2524 wrote to memory of 3248	2524	b21108773bcfe94baed6d0c71eb19a060977f3b5486f5cc5b8091faa36828a5d.tmp	cmd.exe
PID 2524 wrote to memory of 3248	2524	b21108773bcfe94baed6d0c71eb19a060977f3b5486f5cc5b8091faa36828a5d.tmp	cmd.exe
PID 3248 wrote to memory of 856	3248	cmd.exe	net.exe
PID 3248 wrote to memory of 856	3248	cmd.exe	net.exe
PID 3248 wrote to memory of 856	3248	cmd.exe	net.exe
PID 856 wrote to memory of 1600	856	net.exe	net1.exe
PID 856 wrote to memory of 1600	856	net.exe	net1.exe
PID 856 wrote to memory of 1600	856	net.exe	net1.exe
PID 2524 wrote to memory of 4020	2524	b21108773bcfe94baed6d0c71eb19a060977f3b5486f5cc5b8091faa36828a5d.tmp	cmd.exe
PID 2524 wrote to memory of 4020	2524	b21108773bcfe94baed6d0c71eb19a060977f3b5486f5cc5b8091faa36828a5d.tmp	cmd.exe
PID 2524 wrote to memory of 4020	2524	b21108773bcfe94baed6d0c71eb19a060977f3b5486f5cc5b8091faa36828a5d.tmp	cmd.exe
PID 4020 wrote to memory of 2916	4020	cmd.exe	net.exe
PID 4020 wrote to memory of 2916	4020	cmd.exe	net.exe
PID 4020 wrote to memory of 2916	4020	cmd.exe	net.exe
PID 2916 wrote to memory of 3864	2916	net.exe	net1.exe
PID 2916 wrote to memory of 3864	2916	net.exe	net1.exe
PID 2916 wrote to memory of 3864	2916	net.exe	net1.exe
PID 2524 wrote to memory of 5028	2524	b21108773bcfe94baed6d0c71eb19a060977f3b5486f5cc5b8091faa36828a5d.tmp	cmd.exe
PID 2524 wrote to memory of 5028	2524	b21108773bcfe94baed6d0c71eb19a060977f3b5486f5cc5b8091faa36828a5d.tmp	cmd.exe
PID 2524 wrote to memory of 5028	2524	b21108773bcfe94baed6d0c71eb19a060977f3b5486f5cc5b8091faa36828a5d.tmp	cmd.exe
PID 5028 wrote to memory of 1196	5028	cmd.exe	net.exe
PID 5028 wrote to memory of 1196	5028	cmd.exe	net.exe
PID 5028 wrote to memory of 1196	5028	cmd.exe	net.exe
PID 1196 wrote to memory of 1176	1196	net.exe	net1.exe
PID 1196 wrote to memory of 1176	1196	net.exe	net1.exe
PID 1196 wrote to memory of 1176	1196	net.exe	net1.exe
PID 2524 wrote to memory of 3060	2524	b21108773bcfe94baed6d0c71eb19a060977f3b5486f5cc5b8091faa36828a5d.tmp	cmd.exe
PID 2524 wrote to memory of 3060	2524	b21108773bcfe94baed6d0c71eb19a060977f3b5486f5cc5b8091faa36828a5d.tmp	cmd.exe
PID 2524 wrote to memory of 3060	2524	b21108773bcfe94baed6d0c71eb19a060977f3b5486f5cc5b8091faa36828a5d.tmp	cmd.exe
PID 3060 wrote to memory of 2304	3060	cmd.exe	taskkill.exe
PID 3060 wrote to memory of 2304	3060	cmd.exe	taskkill.exe
PID 3060 wrote to memory of 2304	3060	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\b21108773bcfe94baed6d0c71eb19a060977f3b5486f5cc5b8091faa36828a5d.exe
"C:\Users\Admin\AppData\Local\Temp\b21108773bcfe94baed6d0c71eb19a060977f3b5486f5cc5b8091faa36828a5d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5044

C:\Users\Admin\AppData\Local\Temp\is-PO9KO.tmp\b21108773bcfe94baed6d0c71eb19a060977f3b5486f5cc5b8091faa36828a5d.tmp
"C:\Users\Admin\AppData\Local\Temp\is-PO9KO.tmp\b21108773bcfe94baed6d0c71eb19a060977f3b5486f5cc5b8091faa36828a5d.tmp" /SL5="$12006A,4399595,824832,C:\Users\Admin\AppData\Local\Temp\b21108773bcfe94baed6d0c71eb19a060977f3b5486f5cc5b8091faa36828a5d.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2524

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c net stop tacticalagent
3⤵
- Suspicious use of WriteProcessMemory
PID:3248

C:\Windows\SysWOW64\net.exe
net stop tacticalagent
4⤵
- Suspicious use of WriteProcessMemory
PID:856

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop tacticalagent
5⤵
PID:1600

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c net stop checkrunner
3⤵
- Suspicious use of WriteProcessMemory
PID:4020

C:\Windows\SysWOW64\net.exe
net stop checkrunner
4⤵
- Suspicious use of WriteProcessMemory
PID:2916

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop checkrunner
5⤵
PID:3864

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c net stop tacticalrpc
3⤵
- Suspicious use of WriteProcessMemory
PID:5028

C:\Windows\SysWOW64\net.exe
net stop tacticalrpc
4⤵
- Suspicious use of WriteProcessMemory
PID:1196

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop tacticalrpc
5⤵
PID:1176

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c taskkill /F /IM tacticalrmm.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:3060

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM tacticalrmm.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2304

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-PO9KO.tmp\b21108773bcfe94baed6d0c71eb19a060977f3b5486f5cc5b8091faa36828a5d.tmp

Filesize
2.9MB

MD5
e539979bd774004c9b22d69e9f659eb9

SHA1
15b19c5fbfa9d45aff40ee280bab08c18c092992

SHA256
d3e9d55fe3fabf3d4f1edd0911b4f83cba14b390e32098a18a80d11ca0331d72

SHA512
12b70b99a503da2c211eebf83638f638aa1b7f3d0be32ede5914b1005de6e9de8f25011223e9baa01ba593ec4aa725df98845dc80a945f1ec970f79adb580c4a

Download Submit
memory/2524-6-0x0000000000400000-0x00000000006F9000-memory.dmp

Filesize
3.0MB

Download
memory/2524-9-0x0000000000400000-0x00000000006F9000-memory.dmp

Filesize
3.0MB

Download
memory/5044-0-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/5044-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/5044-8-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download

Analysis

Sharing