c567b70a8b939149c46f0dfdbd7979594fa789007045993a6f981c8f07141505

General

Target

index.exe
Size

35.9MB
MD5

29ecf159613dfcac2b9d4addf9437652
SHA1

3d16bd719dab75027f321593293fa69c38c84bd3
SHA256

c567b70a8b939149c46f0dfdbd7979594fa789007045993a6f981c8f07141505
SHA512

3e82a187d57cbe7df8536f4e5302b49e31cd077ccef43af1207395fc9574501793e0dba39c0d7aa074024acdd326559c632b84c28d91a81d68f70d749cf1eebf
SSDEEP

393216:f1Du8BtuBw2FEL3Z3aLUoQvo6LP/SgbSpYvKEh1EdKwlGQKPJuGsiTfREsrgCYfS:fMguj8Q4VfvUqFTrYo

Score

1^/10

Malware Config

Signatures

Delays execution with timeout.exe 1 IoCs

pid	Process
380	timeout.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2544	powershell.exe
2544	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2544	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 4696	2324	index.exe	86
PID 2324 wrote to memory of 4696	2324	index.exe	86
PID 2324 wrote to memory of 1988	2324	index.exe	87
PID 2324 wrote to memory of 1988	2324	index.exe	87
PID 4696 wrote to memory of 2544	4696	cmd.exe	88
PID 4696 wrote to memory of 2544	4696	cmd.exe	88
PID 1988 wrote to memory of 380	1988	cmd.exe	90
PID 1988 wrote to memory of 380	1988	cmd.exe	90
PID 2544 wrote to memory of 2468	2544	powershell.exe	91
PID 2544 wrote to memory of 2468	2544	powershell.exe	91
PID 2468 wrote to memory of 1044	2468	csc.exe	92
PID 2468 wrote to memory of 1044	2468	csc.exe	92

C:\Users\Admin\AppData\Local\Temp\index.exe
"C:\Users\Admin\AppData\Local\Temp\index.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Windows\system32\cmd.exe
  cmd.exe /C call powershell -E QQBkAGQALQBUAHkAcABlACAAQAAiAAoAIAAgACAAIAB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AAoAIAAgACAAIAB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AAoAIAAgACAAIABwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAVQB0AGkAbABzACAAewAKACAAIAAgACAAIAAgACAAIABbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQAKACAAIAAgACAAIAAgACAAIABwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEcAZQB0AEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAKAApADsACgAgACAAIAAgACAAIAAgACAACgAgACAAIAAgACAAIAAgACAAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQAKACAAIAAgACAAIAAgACAAIABwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEcAZQB0AFAAYQByAGUAbgB0ACgASQBuAHQAUAB0AHIAIABoAFcAbgBkACkAOwAKAAoAIAAgACAAIAAgACAAIAAgAFsARABsAGwASQBtAHAAbwByAHQAKAAiAHUAcwBlAHIAMwAyAC4AZABsAGwAIgApAF0ACgAgACAAIAAgACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAYgBvAG8AbAAgAFMAaABvAHcAVwBpAG4AZABvAHcAKABJAG4AdABQAHQAcgAgAGgAVwBuAGQALAAgAGkAbgB0ACAAbgBDAG0AZABTAGgAbwB3ACkAOwAKACAAIAAgACAAIAAgACAAIAAKACAAIAAgACAAIAAgACAAIABwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAASQBuAHQAUAB0AHIAIABHAGUAdABUAGEAcgBnAGUAdABXAGkAbgBkAG8AdwAoACkAIAB7AAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAASQBuAHQAUAB0AHIAIABjAG8AbgBzAG8AbABlAFcAaQBuAGQAbwB3ACAAPQAgAEcAZQB0AEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAKAApADsACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABJAG4AdABQAHQAcgAgAHAAYQByAGUAbgB0AFcAaQBuAGQAbwB3ACAAPQAgAEcAZQB0AFAAYQByAGUAbgB0ACgAYwBvAG4AcwBvAGwAZQBXAGkAbgBkAG8AdwApADsACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAcABhAHIAZQBuAHQAVwBpAG4AZABvAHcAIAA9AD0AIABJAG4AdABQAHQAcgAuAFoAZQByAG8AKQAgAHsACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAAYwBvAG4AcwBvAGwAZQBXAGkAbgBkAG8AdwA7AAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAAcABhAHIAZQBuAHQAVwBpAG4AZABvAHcAOwAKACAAIAAgACAAIAAgACAAIAB9AAoAIAAgACAAIAB9AAoAIgBAAAoACgBbAEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAVQB0AGkAbABzAF0AOgA6AFMAaABvAHcAVwBpAG4AZABvAHcAKABbAEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAVQB0AGkAbABzAF0AOgA6AEcAZQB0AFQAYQByAGcAZQB0AFcAaQBuAGQAbwB3ACgAKQAsACAAMAApACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA=
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4696
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -E QQBkAGQALQBUAHkAcABlACAAQAAiAAoAIAAgACAAIAB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AAoAIAAgACAAIAB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AAoAIAAgACAAIABwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAVQB0AGkAbABzACAAewAKACAAIAAgACAAIAAgACAAIABbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQAKACAAIAAgACAAIAAgACAAIABwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEcAZQB0AEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAKAApADsACgAgACAAIAAgACAAIAAgACAACgAgACAAIAAgACAAIAAgACAAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQAKACAAIAAgACAAIAAgACAAIABwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEcAZQB0AFAAYQByAGUAbgB0ACgASQBuAHQAUAB0AHIAIABoAFcAbgBkACkAOwAKAAoAIAAgACAAIAAgACAAIAAgAFsARABsAGwASQBtAHAAbwByAHQAKAAiAHUAcwBlAHIAMwAyAC4AZABsAGwAIgApAF0ACgAgACAAIAAgACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAYgBvAG8AbAAgAFMAaABvAHcAVwBpAG4AZABvAHcAKABJAG4AdABQAHQAcgAgAGgAVwBuAGQALAAgAGkAbgB0ACAAbgBDAG0AZABTAGgAbwB3ACkAOwAKACAAIAAgACAAIAAgACAAIAAKACAAIAAgACAAIAAgACAAIABwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAASQBuAHQAUAB0AHIAIABHAGUAdABUAGEAcgBnAGUAdABXAGkAbgBkAG8AdwAoACkAIAB7AAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAASQBuAHQAUAB0AHIAIABjAG8AbgBzAG8AbABlAFcAaQBuAGQAbwB3ACAAPQAgAEcAZQB0AEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAKAApADsACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABJAG4AdABQAHQAcgAgAHAAYQByAGUAbgB0AFcAaQBuAGQAbwB3ACAAPQAgAEcAZQB0AFAAYQByAGUAbgB0ACgAYwBvAG4AcwBvAGwAZQBXAGkAbgBkAG8AdwApADsACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAcABhAHIAZQBuAHQAVwBpAG4AZABvAHcAIAA9AD0AIABJAG4AdABQAHQAcgAuAFoAZQByAG8AKQAgAHsACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAAYwBvAG4AcwBvAGwAZQBXAGkAbgBkAG8AdwA7AAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAAcABhAHIAZQBuAHQAVwBpAG4AZABvAHcAOwAKACAAIAAgACAAIAAgACAAIAB9AAoAIAAgACAAIAB9AAoAIgBAAAoACgBbAEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAVQB0AGkAbABzAF0AOgA6AFMAaABvAHcAVwBpAG4AZABvAHcAKABbAEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAVQB0AGkAbABzAF0AOgA6AEcAZQB0AFQAYQByAGcAZQB0AFcAaQBuAGQAbwB3ACgAKQAsACAAMAApACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA=
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2544
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\i2qtn0l5\i2qtn0l5.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2468
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8CA0.tmp" "c:\Users\Admin\AppData\Local\Temp\i2qtn0l5\CSCC4FA9FF025D1450485B1639E1AC7836B.TMP"
        5⤵
        
        PID:1044
- C:\Windows\system32\cmd.exe
  cmd.exe /C call C:\Users\Admin\AppData\Local\Temp\272b366b924ea7ec7a1902f8e5f72a4c.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1988
- - C:\Windows\system32\timeout.exe
    timeout /t 180 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:380

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\272b366b924ea7ec7a1902f8e5f72a4c.bat

Filesize
395B

MD5
fe96e108b84c93809675312c5a14762e

SHA1
3e6a0292a60becc15656e66069da50f119985a06

SHA256
611b943638754ce355ef86685187cf81065cb86f94d58c9a14adc0bc07256317

SHA512
32dc3921c806ec4a459377615d90e693ac292528a0405ee80a7650ebdd2c2277f735b8b174f92e33d38512d795ecff5eac0122f5b33c5a4a264f234e0dbdda5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8CA0.tmp

Filesize
1KB

MD5
234d8ef6b17ef1dc6ba0d78f0e8ea5c3

SHA1
61647fd546b16f27836eef09c2f41acc173de003

SHA256
1a806bbff567423ca3a99e3e766cfe6b490bc9383a381f22016ca31807c6fe0a

SHA512
7f9fc6893cdd759771f8c4492a3d1d89d47f7d8c02d7029d780f57a17526f6b26500b34751bb864ad9d52813df17d938f55db2db9fca27f9e393209b8b8586bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2d0wd53f.nuy.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\i2qtn0l5\i2qtn0l5.dll

Filesize
3KB

MD5
c25509ace415d38f2381ef9ddf2e060b

SHA1
7ae094ea8a62cf590d0a03fad5b592cac9f4036f

SHA256
a658984d12a0f5a955e7948dede4a17933da3b092ca94dd96beb58e1b310cc32

SHA512
28ac495754b896503398f9516a99dd6c8b811b257e7063b462a01633a138805c8c0a1699dfffa106b0aab4b9c89f4d5ea361db62f1066a666844d7011eeef44c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\i2qtn0l5\CSCC4FA9FF025D1450485B1639E1AC7836B.TMP

Filesize
652B

MD5
3394a6dccc21c2e4e9bef12b0cca2601

SHA1
f3381928ac6c29a3edd60af6a78b36a06c022032

SHA256
2a55d698f71e6ff94e02972d6bbedc8a730ccc220365b5df525f077dc3fca450

SHA512
22e79091fa314ea21360a616bfaa6a294806d0eef8dbe14b7c8df759167b6d9d3b1c4bbbffaff4e8101e14beb5eb4d03729d9dbf23707a6c98672e37485dbbaf

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\i2qtn0l5\i2qtn0l5.0.cs

Filesize
737B

MD5
3d57f8f44297464baafa6aeecd3bf4bc

SHA1
f370b4b9f8dba01fbcad979bd663d341f358a509

SHA256
415199eec01052503978381a4f88f4cd970b441fedce519905990ed8b629b0f1

SHA512
4052dd65ca0a505a36c7c344671afcadb8f82cc24b0d1d8362f61565f9d37782e00332908444f6a95286dd1785d074762b27c20be1f361eec67807fad052d798

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\i2qtn0l5\i2qtn0l5.cmdline

Filesize
369B

MD5
ef5147a909a8e97aee48629aff344ace

SHA1
c0956b8a65e156a44981f80e471d2a43ede47091

SHA256
8ddab7b5ec55b17269ff651cac4c019211971def492ec2e8c7c50707004959e7

SHA512
14b40fd23084a48803879da381507933bb7364eb3fee12a16d8a06ae89c8c9dec84e7cb39ef97745b77393927d79fa40c74257b864f0bf0bc7684c619098927d

Download Submit
memory/2544-4-0x0000027F704D0000-0x0000027F704F2000-memory.dmp

Filesize
136KB

Download
memory/2544-14-0x00007FFD198F0000-0x00007FFD1A3B1000-memory.dmp

Filesize
10.8MB

Download
memory/2544-15-0x00007FFD198F0000-0x00007FFD1A3B1000-memory.dmp

Filesize
10.8MB

Download
memory/2544-3-0x00007FFD198F3000-0x00007FFD198F5000-memory.dmp

Filesize
8KB

Download
memory/2544-28-0x0000027F57F60000-0x0000027F57F68000-memory.dmp

Filesize
32KB

Download
memory/2544-32-0x00007FFD198F0000-0x00007FFD1A3B1000-memory.dmp

Filesize
10.8MB

Download

Resubmissions

Analysis

Sharing