Analysis

max time kernel: 111s
max time network: 122s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 17-11-2024 13:40

Behavioral task: behavioral1
Sample: 876182fa4f18883d9c5b1643e97804595a268268d110f7f11ed07552e5577c9fN.exe
Resource: win7-20241010-en
General

Target: 876182fa4f18883d9c5b1643e97804595a268268d110f7f11ed07552e5577c9fN.exe
Size: 5.2MB
MD5: 51bef9541eb9ed0ac083cb905f1464b0
SHA1: ce3164abea2aa4bfb4eacea75d7585bc3c15da6a
SHA256: 876182fa4f18883d9c5b1643e97804595a268268d110f7f11ed07552e5577c9f
SHA512: 67bf7a37114e9b628c872ee56c87092b5e4f167cd00214eaa981555557e40ed4d5e52e2f6bf08a27e0b2a999fa95ac309067afcc4b0ec05f30cfdde9afd0be0e
SSDEEP: 49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lX:RWWBibf56utgpPFotBER/mQ32lUr
Malware Config

Extracted
family: cobaltstrike
0
C2:
  http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
  http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
  http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

access_type: 512
beacon_type: 256
create_remote_thread: 768
crypto_scheme: 256
host: ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1: GET
http_method2: POST
maxdns: 255
pipe_name: \\%s\pipe\msagent_%x
polling_time: 5000
port_number: 443
sc_process32: %windir%\syswow64\rundll32.exe
sc_process64: %windir%\sysnative\rundll32.exe
state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1: 4096
unknown2: AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri: /N4215/adj/amzn.us.sr.aps
user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark: 0
Signatures

Cobalt Strike reflective loader, 21 IoCs
Detects the reflective loader used by Cobalt Strike.
resource / yara_rule (cobalt_reflective_dll):
  behavioral1/files/0x000c000000012262-3.dat
  behavioral1/files/0x0009000000016ace-56.dat
  behavioral1/files/0x00050000000194a3-69.dat
  behavioral1/files/0x00050000000194ef-79.dat
  behavioral1/files/0x00050000000195a7-118.dat
  behavioral1/files/0x00050000000195a9-124.dat
  behavioral1/files/0x00050000000195ad-134.dat
  behavioral1/files/0x00050000000195af-138.dat
  behavioral1/files/0x00050000000195ab-128.dat
  behavioral1/files/0x000500000001957c-113.dat
  behavioral1/files/0x0005000000019515-101.dat
  behavioral1/files/0x0005000000019547-105.dat
  behavioral1/files/0x000500000001950f-87.dat
  behavioral1/files/0x00050000000194eb-77.dat
  behavioral1/files/0x000800000001756b-63.dat
  behavioral1/files/0x0008000000016ce9-48.dat
  behavioral1/files/0x0009000000016ce0-40.dat
  behavioral1/files/0x0007000000016ccc-39.dat
  behavioral1/files/0x0007000000016cd8-31.dat
  behavioral1/files/0x0007000000016cab-11.dat
  behavioral1/files/0x0009000000016c23-7.dat
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.

Cobaltstrike family

Xmrig family
XMRig Miner payload, 44 IoCs
resource / yara_rule (xmrig):
  behavioral1/memory/1796-16-0x000000013FB10000-0x000000013FE61000-memory.dmp
  behavioral1/memory/768-15-0x000000013FF40000-0x0000000140291000-memory.dmp
  behavioral1/memory/1832-64-0x000000013FAD0000-0x000000013FE21000-memory.dmp
  behavioral1/memory/2928-98-0x000000013F1C0000-0x000000013F511000-memory.dmp
  behavioral1/memory/2740-141-0x000000013FAD0000-0x000000013FE21000-memory.dmp
  behavioral1/memory/2968-142-0x000000013F3F0000-0x000000013F741000-memory.dmp
  behavioral1/memory/1832-144-0x000000013F2F0000-0x000000013F641000-memory.dmp
  behavioral1/memory/1832-110-0x0000000002310000-0x0000000002661000-memory.dmp
  behavioral1/memory/1804-109-0x000000013F640000-0x000000013F991000-memory.dmp
  behavioral1/memory/1832-100-0x0000000002310000-0x0000000002661000-memory.dmp
  behavioral1/memory/2684-99-0x000000013F380000-0x000000013F6D1000-memory.dmp
  behavioral1/memory/556-159-0x000000013F070000-0x000000013F3C1000-memory.dmp
  behavioral1/memory/2000-165-0x000000013FCE0000-0x0000000140031000-memory.dmp
  behavioral1/memory/1704-164-0x000000013FC50000-0x000000013FFA1000-memory.dmp
  behavioral1/memory/1600-163-0x000000013FF00000-0x0000000140251000-memory.dmp
  behavioral1/memory/1992-162-0x000000013F0B0000-0x000000013F401000-memory.dmp
  behavioral1/memory/2312-161-0x000000013FBB0000-0x000000013FF01000-memory.dmp
  behavioral1/memory/932-160-0x000000013FB30000-0x000000013FE81000-memory.dmp
  behavioral1/memory/2824-82-0x000000013FF10000-0x0000000140261000-memory.dmp
  behavioral1/memory/1832-81-0x000000013FF10000-0x0000000140261000-memory.dmp
  behavioral1/memory/2616-90-0x000000013FEA0000-0x00000001401F1000-memory.dmp
  behavioral1/memory/1832-166-0x000000013F2F0000-0x000000013F641000-memory.dmp
  behavioral1/memory/2812-59-0x000000013F1D0000-0x000000013F521000-memory.dmp
  behavioral1/memory/2440-44-0x000000013F490000-0x000000013F7E1000-memory.dmp
  behavioral1/memory/2028-43-0x000000013FF30000-0x0000000140281000-memory.dmp
  behavioral1/memory/1832-51-0x000000013F2F0000-0x000000013F641000-memory.dmp
  behavioral1/memory/1832-38-0x0000000002310000-0x0000000002661000-memory.dmp
  behavioral1/memory/3060-37-0x000000013FD80000-0x00000001400D1000-memory.dmp
  behavioral1/memory/2836-26-0x000000013F590000-0x000000013F8E1000-memory.dmp
  behavioral1/memory/1832-28-0x000000013FF30000-0x0000000140281000-memory.dmp
  behavioral1/memory/768-219-0x000000013FF40000-0x0000000140291000-memory.dmp
  behavioral1/memory/1796-220-0x000000013FB10000-0x000000013FE61000-memory.dmp
  behavioral1/memory/2836-222-0x000000013F590000-0x000000013F8E1000-memory.dmp
  behavioral1/memory/3060-224-0x000000013FD80000-0x00000001400D1000-memory.dmp
  behavioral1/memory/2028-226-0x000000013FF30000-0x0000000140281000-memory.dmp
  behavioral1/memory/2440-228-0x000000013F490000-0x000000013F7E1000-memory.dmp
  behavioral1/memory/2928-234-0x000000013F1C0000-0x000000013F511000-memory.dmp
  behavioral1/memory/2812-236-0x000000013F1D0000-0x000000013F521000-memory.dmp
  behavioral1/memory/2740-238-0x000000013FAD0000-0x000000013FE21000-memory.dmp
  behavioral1/memory/2968-246-0x000000013F3F0000-0x000000013F741000-memory.dmp
  behavioral1/memory/2824-247-0x000000013FF10000-0x0000000140261000-memory.dmp
  behavioral1/memory/2616-249-0x000000013FEA0000-0x00000001401F1000-memory.dmp
  behavioral1/memory/2684-251-0x000000013F380000-0x000000013F6D1000-memory.dmp
  behavioral1/memory/1804-253-0x000000013F640000-0x000000013F991000-memory.dmp
Executes dropped EXE, 21 IoCs
pid / Process:
  768   CtvHWpW.exe
  1796  nvTxmfn.exe
  2836  KEeuKvA.exe
  3060  nkoNiYx.exe
  2028  GBLhyou.exe
  2440  BdrMiUM.exe
  2928  zzZnAVI.exe
  2812  VnLlkZa.exe
  2740  QyLtHbZ.exe
  2968  fybxQsD.exe
  2824  kOMzxrK.exe
  2616  CUSdMed.exe
  2684  juJYHlC.exe
  1804  idEAYoN.exe
  556   ANAeLpi.exe
  932   XYjGVFY.exe
  2312  YnskFHR.exe
  1992  QyBEHWQ.exe
  1600  JkZQJLz.exe
  1704  LxRpEFt.exe
  2000  cAModsS.exe
Loads dropped DLL, 21 IoCs
pid / Process:
  1832  876182fa4f18883d9c5b1643e97804595a268268d110f7f11ed07552e5577c9fN.exe
  (the same pid/process row is recorded 21 times in the report)
UPX-packed file (yara rule upx), 63 IoCs
resource / yara_rule (upx):
  behavioral1/memory/1832-0-0x000000013F2F0000-0x000000013F641000-memory.dmp
  behavioral1/files/0x000c000000012262-3.dat
  behavioral1/memory/1796-16-0x000000013FB10000-0x000000013FE61000-memory.dmp
  behavioral1/memory/768-15-0x000000013FF40000-0x0000000140291000-memory.dmp
  behavioral1/files/0x0009000000016ace-56.dat
  behavioral1/files/0x00050000000194a3-69.dat
  behavioral1/files/0x00050000000194ef-79.dat
  behavioral1/memory/2928-98-0x000000013F1C0000-0x000000013F511000-memory.dmp
  behavioral1/files/0x00050000000195a7-118.dat
  behavioral1/files/0x00050000000195a9-124.dat
  behavioral1/files/0x00050000000195ad-134.dat
  behavioral1/memory/2740-141-0x000000013FAD0000-0x000000013FE21000-memory.dmp
  behavioral1/files/0x00050000000195af-138.dat
  behavioral1/memory/2968-142-0x000000013F3F0000-0x000000013F741000-memory.dmp
  behavioral1/files/0x00050000000195ab-128.dat
  behavioral1/memory/1832-144-0x000000013F2F0000-0x000000013F641000-memory.dmp
  behavioral1/files/0x000500000001957c-113.dat
  behavioral1/memory/1804-109-0x000000013F640000-0x000000013F991000-memory.dmp
  behavioral1/files/0x0005000000019515-101.dat
  behavioral1/memory/2684-99-0x000000013F380000-0x000000013F6D1000-memory.dmp
  behavioral1/memory/556-159-0x000000013F070000-0x000000013F3C1000-memory.dmp
  behavioral1/memory/2000-165-0x000000013FCE0000-0x0000000140031000-memory.dmp
  behavioral1/memory/1704-164-0x000000013FC50000-0x000000013FFA1000-memory.dmp
  behavioral1/memory/1600-163-0x000000013FF00000-0x0000000140251000-memory.dmp
  behavioral1/memory/1992-162-0x000000013F0B0000-0x000000013F401000-memory.dmp
  behavioral1/memory/2312-161-0x000000013FBB0000-0x000000013FF01000-memory.dmp
  behavioral1/memory/932-160-0x000000013FB30000-0x000000013FE81000-memory.dmp
  behavioral1/files/0x0005000000019547-105.dat
  behavioral1/memory/2824-82-0x000000013FF10000-0x0000000140261000-memory.dmp
  behavioral1/memory/2968-71-0x000000013F3F0000-0x000000013F741000-memory.dmp
  behavioral1/memory/2616-90-0x000000013FEA0000-0x00000001401F1000-memory.dmp
  behavioral1/files/0x000500000001950f-87.dat
  behavioral1/memory/1832-166-0x000000013F2F0000-0x000000013F641000-memory.dmp
  behavioral1/files/0x00050000000194eb-77.dat
  behavioral1/memory/2812-59-0x000000013F1D0000-0x000000013F521000-memory.dmp
  behavioral1/memory/2740-65-0x000000013FAD0000-0x000000013FE21000-memory.dmp
  behavioral1/files/0x000800000001756b-63.dat
  behavioral1/memory/2440-44-0x000000013F490000-0x000000013F7E1000-memory.dmp
  behavioral1/memory/2028-43-0x000000013FF30000-0x0000000140281000-memory.dmp
  behavioral1/memory/1832-51-0x000000013F2F0000-0x000000013F641000-memory.dmp
  behavioral1/memory/2928-50-0x000000013F1C0000-0x000000013F511000-memory.dmp
  behavioral1/files/0x0008000000016ce9-48.dat
  behavioral1/files/0x0009000000016ce0-40.dat
  behavioral1/files/0x0007000000016ccc-39.dat
  behavioral1/memory/3060-37-0x000000013FD80000-0x00000001400D1000-memory.dmp
  behavioral1/memory/2836-26-0x000000013F590000-0x000000013F8E1000-memory.dmp
  behavioral1/files/0x0007000000016cd8-31.dat
  behavioral1/files/0x0007000000016cab-11.dat
  behavioral1/files/0x0009000000016c23-7.dat
  behavioral1/memory/768-219-0x000000013FF40000-0x0000000140291000-memory.dmp
  behavioral1/memory/1796-220-0x000000013FB10000-0x000000013FE61000-memory.dmp
  behavioral1/memory/2836-222-0x000000013F590000-0x000000013F8E1000-memory.dmp
  behavioral1/memory/3060-224-0x000000013FD80000-0x00000001400D1000-memory.dmp
  behavioral1/memory/2028-226-0x000000013FF30000-0x0000000140281000-memory.dmp
  behavioral1/memory/2440-228-0x000000013F490000-0x000000013F7E1000-memory.dmp
  behavioral1/memory/2928-234-0x000000013F1C0000-0x000000013F511000-memory.dmp
  behavioral1/memory/2812-236-0x000000013F1D0000-0x000000013F521000-memory.dmp
  behavioral1/memory/2740-238-0x000000013FAD0000-0x000000013FE21000-memory.dmp
  behavioral1/memory/2968-246-0x000000013F3F0000-0x000000013F741000-memory.dmp
  behavioral1/memory/2824-247-0x000000013FF10000-0x0000000140261000-memory.dmp
  behavioral1/memory/2616-249-0x000000013FEA0000-0x00000001401F1000-memory.dmp
  behavioral1/memory/2684-251-0x000000013F380000-0x000000013F6D1000-memory.dmp
  behavioral1/memory/1804-253-0x000000013F640000-0x000000013F991000-memory.dmp
Drops file in Windows directory, 21 IoCs
description / ioc / Process (every row: "File created", by 876182fa4f18883d9c5b1643e97804595a268268d110f7f11ed07552e5577c9fN.exe):
  C:\Windows\System\BdrMiUM.exe
  C:\Windows\System\kOMzxrK.exe
  C:\Windows\System\KEeuKvA.exe
  C:\Windows\System\zzZnAVI.exe
  C:\Windows\System\QyLtHbZ.exe
  C:\Windows\System\idEAYoN.exe
  C:\Windows\System\LxRpEFt.exe
  C:\Windows\System\nkoNiYx.exe
  C:\Windows\System\VnLlkZa.exe
  C:\Windows\System\fybxQsD.exe
  C:\Windows\System\YnskFHR.exe
  C:\Windows\System\CtvHWpW.exe
  C:\Windows\System\nvTxmfn.exe
  C:\Windows\System\GBLhyou.exe
  C:\Windows\System\juJYHlC.exe
  C:\Windows\System\CUSdMed.exe
  C:\Windows\System\ANAeLpi.exe
  C:\Windows\System\XYjGVFY.exe
  C:\Windows\System\QyBEHWQ.exe
  C:\Windows\System\JkZQJLz.exe
  C:\Windows\System\cAModsS.exe
Suspicious use of AdjustPrivilegeToken, 2 IoCs
description / pid / Process:
  Token: SeLockMemoryPrivilege  1832  876182fa4f18883d9c5b1643e97804595a268268d110f7f11ed07552e5577c9fN.exe
  Token: SeLockMemoryPrivilege  1832  876182fa4f18883d9c5b1643e97804595a268268d110f7f11ed07552e5577c9fN.exe
Suspicious use of WriteProcessMemory, 63 IoCs
description / pid / Process / procid_target (source process is always PID 1832, 876182fa4f18883d9c5b1643e97804595a268268d110f7f11ed07552e5577c9fN.exe; each row below is recorded three times in the report, giving 63 entries):
  PID 1832 wrote to memory of 768   procid_target 31
  PID 1832 wrote to memory of 1796  procid_target 32
  PID 1832 wrote to memory of 2836  procid_target 33
  PID 1832 wrote to memory of 2028  procid_target 34
  PID 1832 wrote to memory of 3060  procid_target 35
  PID 1832 wrote to memory of 2440  procid_target 36
  PID 1832 wrote to memory of 2928  procid_target 37
  PID 1832 wrote to memory of 2812  procid_target 38
  PID 1832 wrote to memory of 2740  procid_target 39
  PID 1832 wrote to memory of 2968  procid_target 40
  PID 1832 wrote to memory of 2824  procid_target 41
  PID 1832 wrote to memory of 2684  procid_target 42
  PID 1832 wrote to memory of 2616  procid_target 43
  PID 1832 wrote to memory of 1804  procid_target 44
  PID 1832 wrote to memory of 556   procid_target 45
  PID 1832 wrote to memory of 932   procid_target 46
  PID 1832 wrote to memory of 2312  procid_target 47
  PID 1832 wrote to memory of 1992  procid_target 48
  PID 1832 wrote to memory of 1600  procid_target 49
  PID 1832 wrote to memory of 1704  procid_target 50
  PID 1832 wrote to memory of 2000  procid_target 51
Processes

C:\Users\Admin\AppData\Local\Temp\876182fa4f18883d9c5b1643e97804595a268268d110f7f11ed07552e5577c9fN.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\876182fa4f18883d9c5b1643e97804595a268268d110f7f11ed07552e5577c9fN.exe"
  PID: 1832
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  child processes (command line identical to the path; each flagged "Executes dropped EXE"):
    C:\Windows\System\CtvHWpW.exe  PID: 768
    C:\Windows\System\nvTxmfn.exe  PID: 1796
    C:\Windows\System\KEeuKvA.exe  PID: 2836
    C:\Windows\System\GBLhyou.exe  PID: 2028
    C:\Windows\System\nkoNiYx.exe  PID: 3060
    C:\Windows\System\BdrMiUM.exe  PID: 2440
    C:\Windows\System\zzZnAVI.exe  PID: 2928
    C:\Windows\System\VnLlkZa.exe  PID: 2812
    C:\Windows\System\QyLtHbZ.exe  PID: 2740
    C:\Windows\System\fybxQsD.exe  PID: 2968
    C:\Windows\System\kOMzxrK.exe  PID: 2824
    C:\Windows\System\juJYHlC.exe  PID: 2684
    C:\Windows\System\CUSdMed.exe  PID: 2616
    C:\Windows\System\idEAYoN.exe  PID: 1804
    C:\Windows\System\ANAeLpi.exe  PID: 556
    C:\Windows\System\XYjGVFY.exe  PID: 932
    C:\Windows\System\YnskFHR.exe  PID: 2312
    C:\Windows\System\QyBEHWQ.exe  PID: 1992
    C:\Windows\System\JkZQJLz.exe  PID: 1600
    C:\Windows\System\LxRpEFt.exe  PID: 1704
    C:\Windows\System\cAModsS.exe  PID: 2000
Downloads

File 1
Filesize: 5.2MB
MD5: f75c9e50e53154f56bba3884c3a093c6
SHA1: a68e821bacdc81c498cc19cc0c349014473b369f
SHA256: 7415b198cd86b1223a7a608055d1d6f67fc36d33ffd2861536ea25429fbf7ea0
SHA512: 1fcfc17213e1132f4a82b5465800b44979ad165e6125a1daa693b4c44462b1f379ee1197db0029fe837fe94b22afd02be0263d7f6c77da40d6e3a1db01746725

File 2
Filesize: 5.2MB
MD5: 6c319b5c6a6b9858153bfce2dd28b90a
SHA1: 0d2f0fac341af3c5f652e234fa3e72a4c39a2438
SHA256: 44ade5e563328a571c775a13a683760458d58038733ebb1c8f3795a0efa11fe3
SHA512: d09be5d2ee17c2e69696b409447806b1c781c0a1953b27178326231cfdf3882e4424450267f3a77e86bce11fa27ed4470149a6e2ce64394e34f32c23dfeb2a5e

File 3
Filesize: 5.2MB
MD5: 4788e506f18e4501388c75b4190e2a7b
SHA1: 2136ccb9ad9fe8b030e408fdb550d10515f9fb88
SHA256: 29eaca277b311a79473e01bc0d4a527e38fd3558f795dfce1d4c7ba17ddd4d72
SHA512: 19649cc5739a8025596365050e71c4fe4988c98f39bb7332bbccba207edc5a5cd17c41495b2367d7c318cb84c1375f5dac8eda48be84c6435df1e28879f51037

File 4
Filesize: 5.2MB
MD5: 48ceaee9b62b13a8247f25619c9eb1be
SHA1: 93ae41d2f51cb819ead5dc2981f62655eebb0904
SHA256: 36f22ebde825d068585403de1689e85fc2ea3e8322e2fdd2267680569ca7dbd3
SHA512: 4103cd620eeeaef24d7d6508ece5ba51cdd890d6fedb34299f86e1f61169e7c53f9ccf4bc988821dc40a3a512e6fbc11346804e9b6c7715bd7e69804ca298ec3

File 5
Filesize: 5.2MB
MD5: 2608489fdbd8edadb0f419068e44ccdf
SHA1: 8d200d8188573743f69320614207cde460ec4935
SHA256: 64283b03113985861c170e42542cc1717294768a739a399db66c0cfcdfc4ac6e
SHA512: 05a4b45c8455d03880a9f7f0c393bd29f3b7ee81470458e8df826b699c30842510864abcc75fb739b1067836363d9f79d4ba36bc0abe1286874a089d1d9bd8d2

File 6
Filesize: 5.2MB
MD5: 27a24abe8460b3426ebecb36b8fe268e
SHA1: 70df01daa8fb5db44540a1b168ed9be369021d6f
SHA256: 333cdaa89b0f3e8e080e196f6d12f879e7c0576356ae205974def713acb6c3ad
SHA512: 2679db8b9db6c8b3e5f0b261b83cead7b0e19a63d5052cf5ddb0b7a9305789d61eddd7456601812676c802a4f443f5994cfe559248c0c657c75a9b1aece631cd

File 7
Filesize: 5.2MB
MD5: eddb129c4b842006c3a8b88e11d642c0
SHA1: 45ff5d3d117dface3e9cba8ae103c449213ca614
SHA256: 9004f1d242a610b8c414a04d3944ec0366a419e92aa02e7e014723cd2bf1b8a3
SHA512: 44eee13fdaea26eaa0bf478ce443df4800bde0333ba9509a25e5ed303b83ac76d002e3d21a299771de229e8d64ee3727d4e2747400aea17d665271d936adfdda

File 8
Filesize: 5.2MB
MD5: 152588cdc7b410d3442ceab6da55d4d2
SHA1: a3c33e9bdacf550a1e90f38cc818100b98bd24d8
SHA256: 9e308d19e3a076599fc31c9777af4d34152288976aa140437252b212341b1dfd
SHA512: 1583699ac0d397df83d4d7808c99837ddd92a0508e0b188163b2f61b3cd32ca8b3e9c1293f4afd991f8808b02e3b2a766f339c2b1f31a57feeb8ed2724ddd7b0

File 9
Filesize: 5.2MB
MD5: b7c225e7ffa238df06976e7b2cbc57fa
SHA1: 8e0a04ee101395d214b75a17039c6d8f02afd946
SHA256: a9eada948e88b64f9f85f15fbc473bcb665bbc974338f52fb43356d76d26a7d2
SHA512: 93ff1a6003e972ff34029b82fef50eb1d333eed70d18320df9e2f3a42866e8d7799e505ab625ad8df227ae000387c1e0733a3c7de98573d48385c2e15031d997

File 10
Filesize: 5.2MB
MD5: 321501bb866e2e3015d425f68b39de76
SHA1: 722364f6ec77c561577e684d2fc98bc19a0095c5
SHA256: b901516b517f73f985816da115ba1222819012f6081bfe49e35e15923486ef18
SHA512: 05568ead2302d363edbce7f713b8061aaab64f0b0da917115bf30c38c7b255705468e5ebf59f56af1511b26f5435604a316fa1af6af1efbbf4a937ceabe738b4

File 11
Filesize: 5.2MB
MD5: 292d60507b52e606338a170c24660e16
SHA1: 105cefc363f7d5f7b88367a6d7bec94e72f5e5ab
SHA256: 89bd02aba99ff6036d98ed1b17113434003ebb68401ce7cb18b0e48d141e9d5e
SHA512: a08beac9379dff1d919232bc1d9552ba5848faabb42a5cc297e1d97b7fdbb8317a370a688b8d80df9d00c85e36056be00c1eb6fd264803f5bc1b1895b45f5a7f

File 12
Filesize: 5.2MB
MD5: 5f45f0635dbd2c8ec8a3ce10df42c041
SHA1: 6e81e603071c85da9bed79737f727c79eaaadbee
SHA256: 0744ab2a61a8aa45f5d6a4410b470f74f506d394778aef5c79ab01cf6e74a7a4
SHA512: 0d5533651898b62dba26b019d36e0c79b311f432ec36f5aea90c4f5e86a89f2eaf9d1d16da3b1aa9f5ea8e3ee5df864e683f2ede9d562d9e0df91996615393c7

File 13
Filesize: 5.2MB
MD5: 539a43a8c1c3e73d0a72bdb72f411a67
SHA1: 65d7a4037df051d6b6472c948a0e3942fee1327d
SHA256: 820e70edf39c6371279d9f7900714741893bc5417b5ef8047c79ec4d552eabe2
SHA512: 2e095c057e7c61dae7d73eac4dcfd37de92bee8e564c50bda729341a4f5eda87e1cbadb9fe5d3429194bfefe9d38ed7fcb028d5a617f81a50c0594faf46929c2

File 14
Filesize: 5.2MB
MD5: 3dd90be279f72ce5e8d10cb80c43d008
SHA1: d427eae5abe2e159c090bb2d9a328ae7728ab3a7
SHA256: cc03a1f3f8b19899805781601c90133eabd99f65b78165702168888509f8b2db
SHA512: 89cdc96661ef8c550cac048851e4b872f0b2fd478b764120a847d15e4882bc70ea2b3671133b889aaf571a79de03254a2716953421604587136b3cc8ebe7b7e4

File 15
Filesize: 5.2MB
MD5: eecb0a3c8dea7b6f2f5213dec172cac8
SHA1: e9e5bc862b3749005e0cded2926d512dbab91bfd
SHA256: 40fe54d5bf5144dfb7df5df4d3b80d520996670cb4c2ac1ee2ef0cc0321597d7
SHA512: 3327dcf3287ec1d5bcacfd73820fbb75b93c0fbea8d4f571201d875431dfc47f4d021655106f06367cbd3eb31dfacec4d2722ab7d83cdd9fcabf6dabcf4db8ae

File 16
Filesize: 5.2MB
MD5: ea5fa20b9bb535b2a1ec28d7462f33ed
SHA1: 8302b9defeb873a6b151641dc05d19a9e96721cb
SHA256: 050d919c678f2cc002b903714fc485e0dbf8f9081c6685bada501cf035cbb806
SHA512: 9af4d81e0e777c2466769adb6325a9ae73dadf458cbfa9699afe5940e020c36227e67f7ace93efe7af4c2c3f4c479421ce02904150547e0614126ce54ee42626

File 17
Filesize: 5.2MB
MD5: 4a484de16645798adfae0d80347dc6fc
SHA1: ad635f89f5b19ab74ac4a0678aac219f4a879b50
SHA256: 2784f28e51f822c7cc5ca786c30a784ffc698cf0c54696c618983242572d692d
SHA512: a9bba846db427328ae002324762118308f19a8170b1863518e1d2e717f07f51065378f8394302b107b99b9f48550b8e5b5f9527a451c7d1f8f755a9912eec311

File 18
Filesize: 5.2MB
MD5: bdfd76764c712e150dac4b83fdeca01a
SHA1: 936ec789dd1b18493b80a4653c644bd83a6d972c
SHA256: 6d867c6e734bc0b02f7777dd4186a96e401c2e33689976badf8d67b2796b7899
SHA512: d220b4c598c8ba0f14a2855f19a48047e3fbf1e68a6c5957378b167758f83c6bafca90afb9af4fd49c49c2d2ad420ad75e8bb538f8e311f76bbcf2f1e8d62a53

File 19
Filesize: 5.2MB
MD5: 76fb4f3196f691016e0d4f6d6135c5d2
SHA1: df75f2495a0f57e89b7ec8bacc8764b44795ae70
SHA256: 2d781ae7ada246848cac1ab6074e538b9e132b5991a16b161c83164864d5adb2
SHA512: e8fe36ab3965e076b9d60e4f452b9b9398031a3eaefed80744bfc150cb88ab1185d8a79ebeba70b21052dfcf06dabaa27b5a1e666aa587c046e3f35d30edd083

File 20
Filesize: 5.2MB
MD5: 396790cf6aae605cccd7388d93f93923
SHA1: b804bdc336f465f89ff775ec9d4699c11b601fac
SHA256: 8a1e0726c37aa94c62aa223e9d5f776655b5c9fb3b1d6774ffd37a23516c26fc
SHA512: 0edcc7285de43eaa224310815cacc4d7b3ce13cc708de1df65047418613ec02f68d6602c0e73ec9f15b6796a0b40e5ebfa6e6a37da72cb2ef81397dda31aa727

File 21
Filesize: 5.2MB
MD5: 4ba68bef6827baf0fbc358c7f2712885
SHA1: 14e53aa8a955f7cbc9a419da300224b0b7ffc04d
SHA256: e412e713d90dbed4211bfeca7f21db898256b7cd66711093554ef60f46e4383a
SHA512: 66f9face5fd016f5f9455cf6e914ea0688e2001a55c39befa58e964ba49e587b1be62a842125135178923797568bc544873851588cb4141e63854c3dcb21ad2f