e154f78539b295e3755ce2a8aaeb11018e35c6471c4584da66260f0365afcd9e

General

Target

e154f78539b295e3755ce2a8aaeb11018e35c6471c4584da66260f0365afcd9e.exe
Size

729KB
MD5

1355c2a235dbf459158c644d577eafd7
SHA1

2d695f6971c38b94c922066b56b3c2f604e0f74f
SHA256

e154f78539b295e3755ce2a8aaeb11018e35c6471c4584da66260f0365afcd9e
SHA512

f83a84bceb5c86cba810a06765d406cd6c926cc858c94fb285e175a278748ec226ff34d417e5c2c96f57cbf476df5d8575d0772517568749788847fef9466ac1
SSDEEP

12288:a8Bx504bFIqAXOSot1na6F7pkDG+hA1QcnoZE5iU6BfLPpz6SPkR:9Bw4bAeSI7pk7A1AZEwLFLPpz6H

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 4 IoCs

Processes:

e154f78539b295e3755ce2a8aaeb11018e35c6471c4584da66260f0365afcd9e.exeRegSvcs.exeiexpress.exe

description	pid	process	target process
PID 1028 set thread context of 2648	1028	e154f78539b295e3755ce2a8aaeb11018e35c6471c4584da66260f0365afcd9e.exe	RegSvcs.exe
PID 2648 set thread context of 1152	2648	RegSvcs.exe	Explorer.EXE
PID 2648 set thread context of 2416	2648	RegSvcs.exe	iexpress.exe
PID 2416 set thread context of 1152	2416	iexpress.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 34 IoCs

Processes:

e154f78539b295e3755ce2a8aaeb11018e35c6471c4584da66260f0365afcd9e.exeRegSvcs.exeiexpress.exe

pid	process
1028	e154f78539b295e3755ce2a8aaeb11018e35c6471c4584da66260f0365afcd9e.exe
1028	e154f78539b295e3755ce2a8aaeb11018e35c6471c4584da66260f0365afcd9e.exe
1028	e154f78539b295e3755ce2a8aaeb11018e35c6471c4584da66260f0365afcd9e.exe
1028	e154f78539b295e3755ce2a8aaeb11018e35c6471c4584da66260f0365afcd9e.exe
2648	RegSvcs.exe
2648	RegSvcs.exe
2648	RegSvcs.exe
2648	RegSvcs.exe
2648	RegSvcs.exe
2648	RegSvcs.exe
2648	RegSvcs.exe
2648	RegSvcs.exe
2416	iexpress.exe
2416	iexpress.exe
2416	iexpress.exe
2416	iexpress.exe
2416	iexpress.exe
2416	iexpress.exe
2416	iexpress.exe
2416	iexpress.exe
2416	iexpress.exe
2416	iexpress.exe
2416	iexpress.exe
2416	iexpress.exe
2416	iexpress.exe
2416	iexpress.exe
2416	iexpress.exe
2416	iexpress.exe
2416	iexpress.exe
2416	iexpress.exe
2416	iexpress.exe
2416	iexpress.exe
2416	iexpress.exe
2416	iexpress.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

RegSvcs.exeExplorer.EXEiexpress.exe

pid process

2648 RegSvcs.exe
1152 Explorer.EXE
1152 Explorer.EXE
2416 iexpress.exe
2416 iexpress.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

e154f78539b295e3755ce2a8aaeb11018e35c6471c4584da66260f0365afcd9e.exe

description pid process

Token: SeDebugPrivilege 1028 e154f78539b295e3755ce2a8aaeb11018e35c6471c4584da66260f0365afcd9e.exe

pid	process
2648	RegSvcs.exe
1152	Explorer.EXE
1152	Explorer.EXE
2416	iexpress.exe
2416	iexpress.exe

description	pid	process
Token: SeDebugPrivilege	1028	e154f78539b295e3755ce2a8aaeb11018e35c6471c4584da66260f0365afcd9e.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

e154f78539b295e3755ce2a8aaeb11018e35c6471c4584da66260f0365afcd9e.exeExplorer.EXE

description	pid	process	target process
PID 1028 wrote to memory of 2576	1028	e154f78539b295e3755ce2a8aaeb11018e35c6471c4584da66260f0365afcd9e.exe	RegSvcs.exe
PID 1028 wrote to memory of 2576	1028	e154f78539b295e3755ce2a8aaeb11018e35c6471c4584da66260f0365afcd9e.exe	RegSvcs.exe
PID 1028 wrote to memory of 2576	1028	e154f78539b295e3755ce2a8aaeb11018e35c6471c4584da66260f0365afcd9e.exe	RegSvcs.exe
PID 1028 wrote to memory of 2576	1028	e154f78539b295e3755ce2a8aaeb11018e35c6471c4584da66260f0365afcd9e.exe	RegSvcs.exe
PID 1028 wrote to memory of 2576	1028	e154f78539b295e3755ce2a8aaeb11018e35c6471c4584da66260f0365afcd9e.exe	RegSvcs.exe
PID 1028 wrote to memory of 2576	1028	e154f78539b295e3755ce2a8aaeb11018e35c6471c4584da66260f0365afcd9e.exe	RegSvcs.exe
PID 1028 wrote to memory of 2576	1028	e154f78539b295e3755ce2a8aaeb11018e35c6471c4584da66260f0365afcd9e.exe	RegSvcs.exe
PID 1028 wrote to memory of 2580	1028	e154f78539b295e3755ce2a8aaeb11018e35c6471c4584da66260f0365afcd9e.exe	RegSvcs.exe
PID 1028 wrote to memory of 2580	1028	e154f78539b295e3755ce2a8aaeb11018e35c6471c4584da66260f0365afcd9e.exe	RegSvcs.exe
PID 1028 wrote to memory of 2580	1028	e154f78539b295e3755ce2a8aaeb11018e35c6471c4584da66260f0365afcd9e.exe	RegSvcs.exe
PID 1028 wrote to memory of 2580	1028	e154f78539b295e3755ce2a8aaeb11018e35c6471c4584da66260f0365afcd9e.exe	RegSvcs.exe
PID 1028 wrote to memory of 2580	1028	e154f78539b295e3755ce2a8aaeb11018e35c6471c4584da66260f0365afcd9e.exe	RegSvcs.exe
PID 1028 wrote to memory of 2580	1028	e154f78539b295e3755ce2a8aaeb11018e35c6471c4584da66260f0365afcd9e.exe	RegSvcs.exe
PID 1028 wrote to memory of 2580	1028	e154f78539b295e3755ce2a8aaeb11018e35c6471c4584da66260f0365afcd9e.exe	RegSvcs.exe
PID 1028 wrote to memory of 2648	1028	e154f78539b295e3755ce2a8aaeb11018e35c6471c4584da66260f0365afcd9e.exe	RegSvcs.exe
PID 1028 wrote to memory of 2648	1028	e154f78539b295e3755ce2a8aaeb11018e35c6471c4584da66260f0365afcd9e.exe	RegSvcs.exe
PID 1028 wrote to memory of 2648	1028	e154f78539b295e3755ce2a8aaeb11018e35c6471c4584da66260f0365afcd9e.exe	RegSvcs.exe
PID 1028 wrote to memory of 2648	1028	e154f78539b295e3755ce2a8aaeb11018e35c6471c4584da66260f0365afcd9e.exe	RegSvcs.exe
PID 1028 wrote to memory of 2648	1028	e154f78539b295e3755ce2a8aaeb11018e35c6471c4584da66260f0365afcd9e.exe	RegSvcs.exe
PID 1028 wrote to memory of 2648	1028	e154f78539b295e3755ce2a8aaeb11018e35c6471c4584da66260f0365afcd9e.exe	RegSvcs.exe
PID 1028 wrote to memory of 2648	1028	e154f78539b295e3755ce2a8aaeb11018e35c6471c4584da66260f0365afcd9e.exe	RegSvcs.exe
PID 1028 wrote to memory of 2648	1028	e154f78539b295e3755ce2a8aaeb11018e35c6471c4584da66260f0365afcd9e.exe	RegSvcs.exe
PID 1028 wrote to memory of 2648	1028	e154f78539b295e3755ce2a8aaeb11018e35c6471c4584da66260f0365afcd9e.exe	RegSvcs.exe
PID 1028 wrote to memory of 2648	1028	e154f78539b295e3755ce2a8aaeb11018e35c6471c4584da66260f0365afcd9e.exe	RegSvcs.exe
PID 1152 wrote to memory of 2416	1152	Explorer.EXE	iexpress.exe
PID 1152 wrote to memory of 2416	1152	Explorer.EXE	iexpress.exe
PID 1152 wrote to memory of 2416	1152	Explorer.EXE	iexpress.exe
PID 1152 wrote to memory of 2416	1152	Explorer.EXE	iexpress.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1152

C:\Users\Admin\AppData\Local\Temp\e154f78539b295e3755ce2a8aaeb11018e35c6471c4584da66260f0365afcd9e.exe
"C:\Users\Admin\AppData\Local\Temp\e154f78539b295e3755ce2a8aaeb11018e35c6471c4584da66260f0365afcd9e.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:2576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:2580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2648

C:\Windows\SysWOW64\iexpress.exe
"C:\Windows\SysWOW64\iexpress.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2416

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1028-0-0x000000007492E000-0x000000007492F000-memory.dmp

Filesize
4KB

Download
memory/1028-11-0x0000000074920000-0x000000007500E000-memory.dmp

Filesize
6.9MB

Download
memory/1028-2-0x0000000074920000-0x000000007500E000-memory.dmp

Filesize
6.9MB

Download
memory/1028-3-0x0000000000320000-0x000000000033A000-memory.dmp

Filesize
104KB

Download
memory/1028-4-0x0000000000280000-0x0000000000290000-memory.dmp

Filesize
64KB

Download
memory/1028-5-0x0000000005DD0000-0x0000000005E5A000-memory.dmp

Filesize
552KB

Download
memory/1028-1-0x00000000011F0000-0x00000000012AA000-memory.dmp

Filesize
744KB

Download
memory/1152-15-0x0000000003BD0000-0x0000000003CD0000-memory.dmp

Filesize
1024KB

Download
memory/2416-24-0x0000000000080000-0x00000000000BF000-memory.dmp

Filesize
252KB

Download
memory/2416-18-0x0000000000080000-0x00000000000BF000-memory.dmp

Filesize
252KB

Download
memory/2416-23-0x0000000000980000-0x0000000000A1E000-memory.dmp

Filesize
632KB

Download
memory/2416-25-0x0000000000980000-0x0000000000A1E000-memory.dmp

Filesize
632KB

Download
memory/2416-22-0x0000000000080000-0x00000000000BF000-memory.dmp

Filesize
252KB

Download
memory/2416-21-0x0000000002140000-0x0000000002443000-memory.dmp

Filesize
3.0MB

Download
memory/2416-19-0x0000000000080000-0x00000000000BF000-memory.dmp

Filesize
252KB

Download
memory/2648-10-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2648-16-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2648-17-0x00000000002C0000-0x00000000002DF000-memory.dmp

Filesize
124KB

Download
memory/2648-14-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2648-20-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2648-13-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2648-12-0x0000000000970000-0x0000000000C73000-memory.dmp

Filesize
3.0MB

Download
memory/2648-6-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2648-7-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2648-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads