aa6aaa2be3d8cc64ad42be11e2cd924bddf7bdb46780ec3bc2b8ac2032c3ad89

General

Target

aa6aaa2be3d8cc64ad42be11e2cd924bddf7bdb46780ec3bc2b8ac2032c3ad89.exe
Size

699KB
MD5

7d2dffc850ea555d40c45f09570475c7
SHA1

6cc0693502bc8caefcde997e260b0798b4fbde1e
SHA256

aa6aaa2be3d8cc64ad42be11e2cd924bddf7bdb46780ec3bc2b8ac2032c3ad89
SHA512

1e2036443166fea107ba4aab7ea4a5b991761c00d2b8e55ca17cb44fa06e9fbe09fb2c18979034af20be6f2d15c62880bcfcf8854b746080cc827e89a52ef865
SSDEEP

12288:6e37i8LkpEaIptKciGsJn4k4k0sa+NU89WJGTxUQvPCQv1ZdI7n0xRviwkR:6AOjEzpsrJ4kVh99WkUQvqQNZS0xRA

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 4 IoCs

Processes:

aa6aaa2be3d8cc64ad42be11e2cd924bddf7bdb46780ec3bc2b8ac2032c3ad89.exeRegSvcs.exeiexpress.exe

description	pid	process	target process
PID 1732 set thread context of 2564	1732	aa6aaa2be3d8cc64ad42be11e2cd924bddf7bdb46780ec3bc2b8ac2032c3ad89.exe	RegSvcs.exe
PID 2564 set thread context of 1180	2564	RegSvcs.exe	Explorer.EXE
PID 2564 set thread context of 2472	2564	RegSvcs.exe	iexpress.exe
PID 2472 set thread context of 1180	2472	iexpress.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 33 IoCs

Processes:

aa6aaa2be3d8cc64ad42be11e2cd924bddf7bdb46780ec3bc2b8ac2032c3ad89.exeRegSvcs.exeiexpress.exe

pid	process
1732	aa6aaa2be3d8cc64ad42be11e2cd924bddf7bdb46780ec3bc2b8ac2032c3ad89.exe
1732	aa6aaa2be3d8cc64ad42be11e2cd924bddf7bdb46780ec3bc2b8ac2032c3ad89.exe
1732	aa6aaa2be3d8cc64ad42be11e2cd924bddf7bdb46780ec3bc2b8ac2032c3ad89.exe
2564	RegSvcs.exe
2564	RegSvcs.exe
2564	RegSvcs.exe
2564	RegSvcs.exe
2564	RegSvcs.exe
2564	RegSvcs.exe
2564	RegSvcs.exe
2564	RegSvcs.exe
2472	iexpress.exe
2472	iexpress.exe
2472	iexpress.exe
2472	iexpress.exe
2472	iexpress.exe
2472	iexpress.exe
2472	iexpress.exe
2472	iexpress.exe
2472	iexpress.exe
2472	iexpress.exe
2472	iexpress.exe
2472	iexpress.exe
2472	iexpress.exe
2472	iexpress.exe
2472	iexpress.exe
2472	iexpress.exe
2472	iexpress.exe
2472	iexpress.exe
2472	iexpress.exe
2472	iexpress.exe
2472	iexpress.exe
2472	iexpress.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

RegSvcs.exeExplorer.EXEiexpress.exe

pid process

2564 RegSvcs.exe
1180 Explorer.EXE
1180 Explorer.EXE
2472 iexpress.exe
2472 iexpress.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

aa6aaa2be3d8cc64ad42be11e2cd924bddf7bdb46780ec3bc2b8ac2032c3ad89.exe

description pid process

Token: SeDebugPrivilege 1732 aa6aaa2be3d8cc64ad42be11e2cd924bddf7bdb46780ec3bc2b8ac2032c3ad89.exe

pid	process
2564	RegSvcs.exe
1180	Explorer.EXE
1180	Explorer.EXE
2472	iexpress.exe
2472	iexpress.exe

description	pid	process
Token: SeDebugPrivilege	1732	aa6aaa2be3d8cc64ad42be11e2cd924bddf7bdb46780ec3bc2b8ac2032c3ad89.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

aa6aaa2be3d8cc64ad42be11e2cd924bddf7bdb46780ec3bc2b8ac2032c3ad89.exeExplorer.EXE

description	pid	process	target process
PID 1732 wrote to memory of 2600	1732	aa6aaa2be3d8cc64ad42be11e2cd924bddf7bdb46780ec3bc2b8ac2032c3ad89.exe	RegSvcs.exe
PID 1732 wrote to memory of 2600	1732	aa6aaa2be3d8cc64ad42be11e2cd924bddf7bdb46780ec3bc2b8ac2032c3ad89.exe	RegSvcs.exe
PID 1732 wrote to memory of 2600	1732	aa6aaa2be3d8cc64ad42be11e2cd924bddf7bdb46780ec3bc2b8ac2032c3ad89.exe	RegSvcs.exe
PID 1732 wrote to memory of 2600	1732	aa6aaa2be3d8cc64ad42be11e2cd924bddf7bdb46780ec3bc2b8ac2032c3ad89.exe	RegSvcs.exe
PID 1732 wrote to memory of 2600	1732	aa6aaa2be3d8cc64ad42be11e2cd924bddf7bdb46780ec3bc2b8ac2032c3ad89.exe	RegSvcs.exe
PID 1732 wrote to memory of 2600	1732	aa6aaa2be3d8cc64ad42be11e2cd924bddf7bdb46780ec3bc2b8ac2032c3ad89.exe	RegSvcs.exe
PID 1732 wrote to memory of 2600	1732	aa6aaa2be3d8cc64ad42be11e2cd924bddf7bdb46780ec3bc2b8ac2032c3ad89.exe	RegSvcs.exe
PID 1732 wrote to memory of 2564	1732	aa6aaa2be3d8cc64ad42be11e2cd924bddf7bdb46780ec3bc2b8ac2032c3ad89.exe	RegSvcs.exe
PID 1732 wrote to memory of 2564	1732	aa6aaa2be3d8cc64ad42be11e2cd924bddf7bdb46780ec3bc2b8ac2032c3ad89.exe	RegSvcs.exe
PID 1732 wrote to memory of 2564	1732	aa6aaa2be3d8cc64ad42be11e2cd924bddf7bdb46780ec3bc2b8ac2032c3ad89.exe	RegSvcs.exe
PID 1732 wrote to memory of 2564	1732	aa6aaa2be3d8cc64ad42be11e2cd924bddf7bdb46780ec3bc2b8ac2032c3ad89.exe	RegSvcs.exe
PID 1732 wrote to memory of 2564	1732	aa6aaa2be3d8cc64ad42be11e2cd924bddf7bdb46780ec3bc2b8ac2032c3ad89.exe	RegSvcs.exe
PID 1732 wrote to memory of 2564	1732	aa6aaa2be3d8cc64ad42be11e2cd924bddf7bdb46780ec3bc2b8ac2032c3ad89.exe	RegSvcs.exe
PID 1732 wrote to memory of 2564	1732	aa6aaa2be3d8cc64ad42be11e2cd924bddf7bdb46780ec3bc2b8ac2032c3ad89.exe	RegSvcs.exe
PID 1732 wrote to memory of 2564	1732	aa6aaa2be3d8cc64ad42be11e2cd924bddf7bdb46780ec3bc2b8ac2032c3ad89.exe	RegSvcs.exe
PID 1732 wrote to memory of 2564	1732	aa6aaa2be3d8cc64ad42be11e2cd924bddf7bdb46780ec3bc2b8ac2032c3ad89.exe	RegSvcs.exe
PID 1732 wrote to memory of 2564	1732	aa6aaa2be3d8cc64ad42be11e2cd924bddf7bdb46780ec3bc2b8ac2032c3ad89.exe	RegSvcs.exe
PID 1180 wrote to memory of 2472	1180	Explorer.EXE	iexpress.exe
PID 1180 wrote to memory of 2472	1180	Explorer.EXE	iexpress.exe
PID 1180 wrote to memory of 2472	1180	Explorer.EXE	iexpress.exe
PID 1180 wrote to memory of 2472	1180	Explorer.EXE	iexpress.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1180

C:\Users\Admin\AppData\Local\Temp\aa6aaa2be3d8cc64ad42be11e2cd924bddf7bdb46780ec3bc2b8ac2032c3ad89.exe
"C:\Users\Admin\AppData\Local\Temp\aa6aaa2be3d8cc64ad42be11e2cd924bddf7bdb46780ec3bc2b8ac2032c3ad89.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:2600

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2564

C:\Windows\SysWOW64\iexpress.exe
"C:\Windows\SysWOW64\iexpress.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2472

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1180-18-0x0000000008F80000-0x0000000009F6D000-memory.dmp

Filesize
15.9MB

Download
memory/1180-15-0x0000000003A60000-0x0000000003B60000-memory.dmp

Filesize
1024KB

Download
memory/1180-26-0x0000000008F80000-0x0000000009F6D000-memory.dmp

Filesize
15.9MB

Download
memory/1732-4-0x00000000003B0000-0x00000000003C0000-memory.dmp

Filesize
64KB

Download
memory/1732-3-0x0000000000560000-0x000000000057A000-memory.dmp

Filesize
104KB

Download
memory/1732-5-0x0000000005140000-0x00000000051CA000-memory.dmp

Filesize
552KB

Download
memory/1732-0-0x0000000074B8E000-0x0000000074B8F000-memory.dmp

Filesize
4KB

Download
memory/1732-2-0x0000000074B80000-0x000000007526E000-memory.dmp

Filesize
6.9MB

Download
memory/1732-11-0x0000000074B80000-0x000000007526E000-memory.dmp

Filesize
6.9MB

Download
memory/1732-1-0x00000000012A0000-0x0000000001352000-memory.dmp

Filesize
712KB

Download
memory/2472-27-0x0000000000080000-0x00000000000BF000-memory.dmp

Filesize
252KB

Download
memory/2472-25-0x0000000000CE0000-0x0000000000D7E000-memory.dmp

Filesize
632KB

Download
memory/2472-23-0x0000000000080000-0x00000000000BF000-memory.dmp

Filesize
252KB

Download
memory/2472-22-0x0000000002220000-0x0000000002523000-memory.dmp

Filesize
3.0MB

Download
memory/2472-20-0x0000000000080000-0x00000000000BF000-memory.dmp

Filesize
252KB

Download
memory/2472-19-0x0000000000080000-0x00000000000BF000-memory.dmp

Filesize
252KB

Download
memory/2564-6-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2564-16-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2564-17-0x00000000001A0000-0x00000000001BF000-memory.dmp

Filesize
124KB

Download
memory/2564-14-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2564-21-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2564-13-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2564-12-0x0000000000920000-0x0000000000C23000-memory.dmp

Filesize
3.0MB

Download
memory/2564-7-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2564-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2564-10-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads