Analysis Overview
SHA256
480fef68aac3028269fc720cc506c17db33d95fa79c050fb127bfd777785d05e
Threat Level: Shows suspicious behavior
The file 480fef68aac3028269fc720cc506c17db33d95fa79c050fb127bfd777785d05e.exe was classified as: Shows suspicious behavior.
Malicious Activity Summary
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-12 17:49
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-12 17:49
Reported
2024-06-12 17:52
Platform
win7-20240611-en
Max time kernel
119s
Max time network
123s
Command Line
Signatures
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2072 set thread context of 2488 | N/A | C:\Users\Admin\AppData\Local\Temp\480fef68aac3028269fc720cc506c17db33d95fa79c050fb127bfd777785d05e.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\480fef68aac3028269fc720cc506c17db33d95fa79c050fb127bfd777785d05e.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\480fef68aac3028269fc720cc506c17db33d95fa79c050fb127bfd777785d05e.exe
"C:\Users\Admin\AppData\Local\Temp\480fef68aac3028269fc720cc506c17db33d95fa79c050fb127bfd777785d05e.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| RU | 5.42.65.67:48396 | N/A | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-12 17:49
Reported
2024-06-12 17:52
Platform
win10v2004-20240611-en
Max time kernel
92s
Max time network
95s
Command Line
Signatures
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 596 set thread context of 1032 | N/A | C:\Users\Admin\AppData\Local\Temp\480fef68aac3028269fc720cc506c17db33d95fa79c050fb127bfd777785d05e.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\480fef68aac3028269fc720cc506c17db33d95fa79c050fb127bfd777785d05e.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\480fef68aac3028269fc720cc506c17db33d95fa79c050fb127bfd777785d05e.exe
"C:\Users\Admin\AppData\Local\Temp\480fef68aac3028269fc720cc506c17db33d95fa79c050fb127bfd777785d05e.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.56.20.217.in-addr.arpa | udp |
Files