7447b9a1359be0ab6ec6417b4e204baf435da07f12436f72cb4bff47a4ae743d

General

Target

7447b9a1359be0ab6ec6417b4e204baf435da07f12436f72cb4bff47a4ae743d.exe
Size

910KB
MD5

90e425380cdd0184c50f30c9f06af217
SHA1

2e2c7e0c80c7b05262822e1f1362d14c46eb5dc0
SHA256

7447b9a1359be0ab6ec6417b4e204baf435da07f12436f72cb4bff47a4ae743d
SHA512

a1b1c6df4b5cdf7abb4a3fde6cc97a0bbce5cb06331eb02fa78e482181703a7bc3049ac8d520606ffe2aa9e045bb3633215d5f5e8a747fa035e1b4c116676365
SSDEEP

12288:85STYf+qnR7Fkxh7dG1lFlWcYT70pxnnaaoawASIh4BBpGmrZNrI0AilFEvxHvBI:ohg4MROxnFp/iHrZlI0AilFEvxHidj

Score

1^/10

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2172	7447b9a1359be0ab6ec6417b4e204baf435da07f12436f72cb4bff47a4ae743d.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2172	7447b9a1359be0ab6ec6417b4e204baf435da07f12436f72cb4bff47a4ae743d.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2172	7447b9a1359be0ab6ec6417b4e204baf435da07f12436f72cb4bff47a4ae743d.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 2740	2172	7447b9a1359be0ab6ec6417b4e204baf435da07f12436f72cb4bff47a4ae743d.exe	30
PID 2172 wrote to memory of 2740	2172	7447b9a1359be0ab6ec6417b4e204baf435da07f12436f72cb4bff47a4ae743d.exe	30
PID 2172 wrote to memory of 2740	2172	7447b9a1359be0ab6ec6417b4e204baf435da07f12436f72cb4bff47a4ae743d.exe	30
PID 2740 wrote to memory of 2360	2740	csc.exe	32
PID 2740 wrote to memory of 2360	2740	csc.exe	32
PID 2740 wrote to memory of 2360	2740	csc.exe	32

C:\Users\Admin\AppData\Local\Temp\7447b9a1359be0ab6ec6417b4e204baf435da07f12436f72cb4bff47a4ae743d.exe
"C:\Users\Admin\AppData\Local\Temp\7447b9a1359be0ab6ec6417b4e204baf435da07f12436f72cb4bff47a4ae743d.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rz9xebk0.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5C64.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5C63.tmp"
    3⤵
    PID:2360

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES5C64.tmp

Filesize
1KB

MD5
fcd5110d4e40f699f9440f1e987d6f13

SHA1
ae6f81d2639cf8470d31cfe03908eb2128a2de5e

SHA256
3fe2e9be89755fb9083835b8693be639c9d90e0ddb968ad846674da561e0de4b

SHA512
44b907508cc2294f5dd5cbe793781c3e6e5c3a2a6e54e767e1a9065215236b37929aedda7652fd1bb285d56469368e22347461b64780dbdbb67a686b4ba703a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\rz9xebk0.dll

Filesize
76KB

MD5
58725cd9b51849d7e54f43aaeebc1ed6

SHA1
762487d310ef39283f046476fb790a63e3a51fff

SHA256
1879d4323e42af123960a2c8fa54d3413fe9784c663a9e254db97734a0767d47

SHA512
f560686e3019bc81c67970573bf4d75592e258e30cffbd2d2077556eef66fe6d8fe946cb65406665097a6690ec598b59a9fb724a030a889c33b82f89b2cfac6b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC5C63.tmp

Filesize
676B

MD5
c71cd9e1ada3ca668494128cf75b235f

SHA1
858ee8c44104aefa3249084a45ffda8858dc6939

SHA256
97a3d6c6ce376cecd967c03b89efeda0ecfe479429dd6b3ee68b0b692796b0b5

SHA512
31f0fd7d953589255bdd9a131944bd0659f8dcb743648e29a1bb7518e20cac125c5269a5fa57f7b36676fd37afa1887489d34cb098da0d2abc89a604dc2834df

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rz9xebk0.0.cs

Filesize
208KB

MD5
6011503497b1b9250a05debf9690e52c

SHA1
897aea61e9bffc82d7031f1b3da12fb83efc6d82

SHA256
08f42b8d57bb61bc8f9628c8a80953b06ca4149d50108083fca6dc26bdd49434

SHA512
604c33e82e8b5bb5c54389c2899c81e5482a06e69db08268173a5b4574327ee5de656d312011d07e50a2e398a4c9b0cd79029013f76e05e18cf67ce5a916ffd9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rz9xebk0.cmdline

Filesize
349B

MD5
dd9ef1fb0f914a7df41aa21ba43d2818

SHA1
0277d07bb02fd13b4e3d46cd98f02c34baea89dc

SHA256
d167271c8fb1ff361bfc5f0cfb5e4f4ac290c3142eb74c568cdbbb2cee49c6d2

SHA512
b73fd6afcaebd2dcc66f8837eaedb503fbe2eec982aa99beb832391f0f9cd2d78d7e41de5053ecf72d9dae278c2c841156e84773f8b9fe4e89425a915368cb58

Download Submit
memory/2172-23-0x000000001B010000-0x000000001B028000-memory.dmp

Filesize
96KB

Download
memory/2172-2-0x0000000000410000-0x000000000041E000-memory.dmp

Filesize
56KB

Download
memory/2172-27-0x000007FEF653E000-0x000007FEF653F000-memory.dmp

Filesize
4KB

Download
memory/2172-3-0x000007FEF6280000-0x000007FEF6C1D000-memory.dmp

Filesize
9.6MB

Download
memory/2172-1-0x000000001AE70000-0x000000001AECC000-memory.dmp

Filesize
368KB

Download
memory/2172-26-0x000007FEF6280000-0x000007FEF6C1D000-memory.dmp

Filesize
9.6MB

Download
memory/2172-19-0x0000000002270000-0x0000000002286000-memory.dmp

Filesize
88KB

Download
memory/2172-4-0x000007FEF6280000-0x000007FEF6C1D000-memory.dmp

Filesize
9.6MB

Download
memory/2172-21-0x0000000000AD0000-0x0000000000AE2000-memory.dmp

Filesize
72KB

Download
memory/2172-22-0x0000000000AE0000-0x0000000000AE8000-memory.dmp

Filesize
32KB

Download
memory/2172-0-0x000007FEF653E000-0x000007FEF653F000-memory.dmp

Filesize
4KB

Download
memory/2172-24-0x0000000000420000-0x0000000000430000-memory.dmp

Filesize
64KB

Download
memory/2172-25-0x000007FEF6280000-0x000007FEF6C1D000-memory.dmp

Filesize
9.6MB

Download
memory/2740-17-0x000007FEF6280000-0x000007FEF6C1D000-memory.dmp

Filesize
9.6MB

Download
memory/2740-10-0x000007FEF6280000-0x000007FEF6C1D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing