c567b70a8b939149c46f0dfdbd7979594fa789007045993a6f981c8f07141505

General

Target

index.exe
Size

35.9MB
MD5

29ecf159613dfcac2b9d4addf9437652
SHA1

3d16bd719dab75027f321593293fa69c38c84bd3
SHA256

c567b70a8b939149c46f0dfdbd7979594fa789007045993a6f981c8f07141505
SHA512

3e82a187d57cbe7df8536f4e5302b49e31cd077ccef43af1207395fc9574501793e0dba39c0d7aa074024acdd326559c632b84c28d91a81d68f70d749cf1eebf
SSDEEP

393216:f1Du8BtuBw2FEL3Z3aLUoQvo6LP/SgbSpYvKEh1EdKwlGQKPJuGsiTfREsrgCYfS:fMguj8Q4VfvUqFTrYo

Score

1^/10

Malware Config

Signatures

Delays execution with timeout.exe 1 IoCs

pid	Process
740	timeout.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1004	powershell.exe
1004	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1004	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4784 wrote to memory of 1816	4784	index.exe	87
PID 4784 wrote to memory of 1816	4784	index.exe	87
PID 4784 wrote to memory of 2436	4784	index.exe	88
PID 4784 wrote to memory of 2436	4784	index.exe	88
PID 1816 wrote to memory of 1004	1816	cmd.exe	89
PID 1816 wrote to memory of 1004	1816	cmd.exe	89
PID 2436 wrote to memory of 740	2436	cmd.exe	90
PID 2436 wrote to memory of 740	2436	cmd.exe	90
PID 1004 wrote to memory of 1892	1004	powershell.exe	91
PID 1004 wrote to memory of 1892	1004	powershell.exe	91
PID 1892 wrote to memory of 3272	1892	csc.exe	92
PID 1892 wrote to memory of 3272	1892	csc.exe	92

C:\Users\Admin\AppData\Local\Temp\index.exe
"C:\Users\Admin\AppData\Local\Temp\index.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4784
- C:\Windows\system32\cmd.exe
  cmd.exe /C call powershell -E QQBkAGQALQBUAHkAcABlACAAQAAiAAoAIAAgACAAIAB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AAoAIAAgACAAIAB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AAoAIAAgACAAIABwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAVQB0AGkAbABzACAAewAKACAAIAAgACAAIAAgACAAIABbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQAKACAAIAAgACAAIAAgACAAIABwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEcAZQB0AEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAKAApADsACgAgACAAIAAgACAAIAAgACAACgAgACAAIAAgACAAIAAgACAAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQAKACAAIAAgACAAIAAgACAAIABwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEcAZQB0AFAAYQByAGUAbgB0ACgASQBuAHQAUAB0AHIAIABoAFcAbgBkACkAOwAKAAoAIAAgACAAIAAgACAAIAAgAFsARABsAGwASQBtAHAAbwByAHQAKAAiAHUAcwBlAHIAMwAyAC4AZABsAGwAIgApAF0ACgAgACAAIAAgACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAYgBvAG8AbAAgAFMAaABvAHcAVwBpAG4AZABvAHcAKABJAG4AdABQAHQAcgAgAGgAVwBuAGQALAAgAGkAbgB0ACAAbgBDAG0AZABTAGgAbwB3ACkAOwAKACAAIAAgACAAIAAgACAAIAAKACAAIAAgACAAIAAgACAAIABwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAASQBuAHQAUAB0AHIAIABHAGUAdABUAGEAcgBnAGUAdABXAGkAbgBkAG8AdwAoACkAIAB7AAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAASQBuAHQAUAB0AHIAIABjAG8AbgBzAG8AbABlAFcAaQBuAGQAbwB3ACAAPQAgAEcAZQB0AEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAKAApADsACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABJAG4AdABQAHQAcgAgAHAAYQByAGUAbgB0AFcAaQBuAGQAbwB3ACAAPQAgAEcAZQB0AFAAYQByAGUAbgB0ACgAYwBvAG4AcwBvAGwAZQBXAGkAbgBkAG8AdwApADsACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAcABhAHIAZQBuAHQAVwBpAG4AZABvAHcAIAA9AD0AIABJAG4AdABQAHQAcgAuAFoAZQByAG8AKQAgAHsACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAAYwBvAG4AcwBvAGwAZQBXAGkAbgBkAG8AdwA7AAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAAcABhAHIAZQBuAHQAVwBpAG4AZABvAHcAOwAKACAAIAAgACAAIAAgACAAIAB9AAoAIAAgACAAIAB9AAoAIgBAAAoACgBbAEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAVQB0AGkAbABzAF0AOgA6AFMAaABvAHcAVwBpAG4AZABvAHcAKABbAEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAVQB0AGkAbABzAF0AOgA6AEcAZQB0AFQAYQByAGcAZQB0AFcAaQBuAGQAbwB3ACgAKQAsACAAMAApACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA=
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1816
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -E QQBkAGQALQBUAHkAcABlACAAQAAiAAoAIAAgACAAIAB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AAoAIAAgACAAIAB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AAoAIAAgACAAIABwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAVQB0AGkAbABzACAAewAKACAAIAAgACAAIAAgACAAIABbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQAKACAAIAAgACAAIAAgACAAIABwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEcAZQB0AEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAKAApADsACgAgACAAIAAgACAAIAAgACAACgAgACAAIAAgACAAIAAgACAAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQAKACAAIAAgACAAIAAgACAAIABwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEcAZQB0AFAAYQByAGUAbgB0ACgASQBuAHQAUAB0AHIAIABoAFcAbgBkACkAOwAKAAoAIAAgACAAIAAgACAAIAAgAFsARABsAGwASQBtAHAAbwByAHQAKAAiAHUAcwBlAHIAMwAyAC4AZABsAGwAIgApAF0ACgAgACAAIAAgACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAYgBvAG8AbAAgAFMAaABvAHcAVwBpAG4AZABvAHcAKABJAG4AdABQAHQAcgAgAGgAVwBuAGQALAAgAGkAbgB0ACAAbgBDAG0AZABTAGgAbwB3ACkAOwAKACAAIAAgACAAIAAgACAAIAAKACAAIAAgACAAIAAgACAAIABwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAASQBuAHQAUAB0AHIAIABHAGUAdABUAGEAcgBnAGUAdABXAGkAbgBkAG8AdwAoACkAIAB7AAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAASQBuAHQAUAB0AHIAIABjAG8AbgBzAG8AbABlAFcAaQBuAGQAbwB3ACAAPQAgAEcAZQB0AEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAKAApADsACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABJAG4AdABQAHQAcgAgAHAAYQByAGUAbgB0AFcAaQBuAGQAbwB3ACAAPQAgAEcAZQB0AFAAYQByAGUAbgB0ACgAYwBvAG4AcwBvAGwAZQBXAGkAbgBkAG8AdwApADsACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAcABhAHIAZQBuAHQAVwBpAG4AZABvAHcAIAA9AD0AIABJAG4AdABQAHQAcgAuAFoAZQByAG8AKQAgAHsACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAAYwBvAG4AcwBvAGwAZQBXAGkAbgBkAG8AdwA7AAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAAcABhAHIAZQBuAHQAVwBpAG4AZABvAHcAOwAKACAAIAAgACAAIAAgACAAIAB9AAoAIAAgACAAIAB9AAoAIgBAAAoACgBbAEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAVQB0AGkAbABzAF0AOgA6AFMAaABvAHcAVwBpAG4AZABvAHcAKABbAEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAVQB0AGkAbABzAF0AOgA6AEcAZQB0AFQAYQByAGcAZQB0AFcAaQBuAGQAbwB3ACgAKQAsACAAMAApACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA=
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1004
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sj1okaex\sj1okaex.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1892
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB125.tmp" "c:\Users\Admin\AppData\Local\Temp\sj1okaex\CSC71215380453842DE9EC66798FB9F5A8.TMP"
        5⤵
        
        PID:3272
- C:\Windows\system32\cmd.exe
  cmd.exe /C call C:\Users\Admin\AppData\Local\Temp\272b366b924ea7ec7a1902f8e5f72a4c.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Windows\system32\timeout.exe
    timeout /t 180 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:740

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\272b366b924ea7ec7a1902f8e5f72a4c.bat

Filesize
395B

MD5
fe96e108b84c93809675312c5a14762e

SHA1
3e6a0292a60becc15656e66069da50f119985a06

SHA256
611b943638754ce355ef86685187cf81065cb86f94d58c9a14adc0bc07256317

SHA512
32dc3921c806ec4a459377615d90e693ac292528a0405ee80a7650ebdd2c2277f735b8b174f92e33d38512d795ecff5eac0122f5b33c5a4a264f234e0dbdda5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB125.tmp

Filesize
1KB

MD5
6364fb0961b49b55c00e218aaf4fff13

SHA1
bcab0b15c857a3612213c33dc848afc1d467254c

SHA256
528e5f4345e1b0e65c4511c8acfdebf668636be59bd6ac5d5aab5718edf5b7e1

SHA512
61b1dffa00127168ca8be2258f97146a8ca2a00b5d77edb4300b85d57abd14ed57824219e61f21a5c629b94f042adaffc9d88a98d184adae1a74c1f5571590b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_c0zq4e1e.fql.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\sj1okaex\sj1okaex.dll

Filesize
3KB

MD5
1a8c8afe8a0ab7b1fc16fb95085979c2

SHA1
06581903abe5d812f17e8447364b72041327726c

SHA256
e96b51ec07dc63e5510fb316f1b6ec6444d45d78a5bb56a068e39f578b688f28

SHA512
e483d10367317209a38c60f9fce0ea6a195f3fdb7a4309d453bdb8479377643745b712e60617f5a5454cb83e9b865a6a2e2655490e2c4d0b3ca3025579515170

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\sj1okaex\CSC71215380453842DE9EC66798FB9F5A8.TMP

Filesize
652B

MD5
e58a5cb25946e8ac4a1cb711dd6f9290

SHA1
aa3c647ec20230b8226ae37646ac323a9e74ae44

SHA256
a46abe51d780cab33e9f3986a8a48c2e51a88825e4b66510686d24715db803d9

SHA512
e5c035623c888be962b7013a20968c021e1864d31ac4d4636b0f20ee41cfed1d6ecfda8b4660350faa4fe55cae57aae07b4fe80761981a51fb7a964985f4890c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\sj1okaex\sj1okaex.0.cs

Filesize
737B

MD5
3d57f8f44297464baafa6aeecd3bf4bc

SHA1
f370b4b9f8dba01fbcad979bd663d341f358a509

SHA256
415199eec01052503978381a4f88f4cd970b441fedce519905990ed8b629b0f1

SHA512
4052dd65ca0a505a36c7c344671afcadb8f82cc24b0d1d8362f61565f9d37782e00332908444f6a95286dd1785d074762b27c20be1f361eec67807fad052d798

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\sj1okaex\sj1okaex.cmdline

Filesize
369B

MD5
8d2889f0e5293ddd38c33c188eb5acc0

SHA1
b32c3c440e88dd8c0abd154574ef75826e6d016a

SHA256
c0340125233c9530ef62fa49b53085dc06bb0ed47a5f21605494c45dee6dcdf3

SHA512
01444dee2109fb43dcfdbf7dc938aba951bb67cdeca48c41930bb0228e198580d343eb642be53a19c75b6efed5cc0e0aceb1144f980e48ee8f24f3573fcb5205

Download Submit
memory/1004-4-0x00000203FD530000-0x00000203FD552000-memory.dmp

Filesize
136KB

Download
memory/1004-14-0x00007FF8CEC50000-0x00007FF8CF711000-memory.dmp

Filesize
10.8MB

Download
memory/1004-15-0x00007FF8CEC50000-0x00007FF8CF711000-memory.dmp

Filesize
10.8MB

Download
memory/1004-3-0x00007FF8CEC53000-0x00007FF8CEC55000-memory.dmp

Filesize
8KB

Download
memory/1004-28-0x00000203FD500000-0x00000203FD508000-memory.dmp

Filesize
32KB

Download
memory/1004-32-0x00007FF8CEC50000-0x00007FF8CF711000-memory.dmp

Filesize
10.8MB

Download

Resubmissions

Analysis

Sharing