01a4fb177e04eeee392afbe6a73a681c3f77f095e862bbc03be3c70acab1f5c3 | Triage

Resubmissions

14-02-2020 04:54

200214-arrdppabj2 8

14-02-2020 04:43

200214-3bsz8edw7x 8

Analysis

max time kernel
150s
max time network
150s
platform
windows10_x64
resource
win10v191014
submitted
14-02-2020 04:43

Sharing

General

Target

salesforce_report.exe
Size

726KB
MD5

3e0aff10a361a752ab160228410f2432
SHA1

1a9f9ce853a9b9842baf7125021b5cc2e8be619e
SHA256

01a4fb177e04eeee392afbe6a73a681c3f77f095e862bbc03be3c70acab1f5c3
SHA512

a1c86b8214bd4761cdee8e2de2d08314966931c6dd00692c80ddda1ea3de701b913744b87a9bddd3ebc380b6ba8a7d5b07648b1c12b82223decca00a72ba6ca1

Score

8^/10

Malware Config

Signatures

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

salesforce_report.exe커пе피&هوةпиթեյо;;ուրճг;;зedコーчВыーр咖啡.exe

pid process

5040 salesforce_report.exe
3976 커пе피&هوةпиթեյо;;ուրճг;;зedコーчВыーр咖啡.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

salesforce_report.exe커пе피&هوةпиթեյо;;ուրճг;;зedコーчВыーр咖啡.exe

description	pid	process	target process
PID 5040 wrote to memory of 3976	5040	salesforce_report.exe	커пе피&هوةпиթեյо;;ուրճг;;зedコーчВыーр咖啡.exe
PID 5040 wrote to memory of 3976	5040	salesforce_report.exe	커пе피&هوةпиթեյо;;ուրճг;;зedコーчВыーр咖啡.exe
PID 5040 wrote to memory of 3976	5040	salesforce_report.exe	커пе피&هوةпиթեյо;;ուրճг;;зedコーчВыーр咖啡.exe
PID 3976 wrote to memory of 4988	3976	커пе피&هوةпиթեյо;;ուրճг;;зedコーчВыーр咖啡.exe	svchost.exe
PID 3976 wrote to memory of 4988	3976	커пе피&هوةпиթեյо;;ուրճг;;зedコーчВыーр咖啡.exe	svchost.exe
PID 3976 wrote to memory of 4988	3976	커пе피&هوةпиթեյо;;ուրճг;;зedコーчВыーр咖啡.exe	svchost.exe
PID 3976 wrote to memory of 4988	3976	커пе피&هوةпиթեյо;;ուրճг;;зedコーчВыーр咖啡.exe	svchost.exe

Executes dropped EXE 1 IoCs

Processes:

커пе피&هوةпиթեյо;;ուրճг;;зedコーчВыーр咖啡.exe

pid process

3976 커пе피&هوةпиթեյо;;ուրճг;;зedコーчВыーр咖啡.exe

C:\Users\Admin\AppData\Local\Temp\salesforce_report.exe
"C:\Users\Admin\AppData\Local\Temp\salesforce_report.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5040

C:\ProgramData\커пе피&هوةпиթեյо;;ուրճг;;зedコーчВыーр咖啡.exe
"C:\ProgramData\커пе피&هوةпиթեյо;;ուրճг;;зedコーчВыーр咖啡.exe"
2⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
PID:3976

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:4988

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\커пе피&هوةпиթեյо;;ուրճг;;зedコーчВыーр咖啡.exe

Download Submit
C:\ProgramData\커пе피&هوةпиթեյо;;ուրճг;;зedコーчВыーр咖啡.exe

Download Submit
memory/3976-3-0x00000000007E0000-0x0000000000814000-memory.dmp

Filesize
208KB

Download
memory/3976-4-0x0000000002270000-0x00000000022A1000-memory.dmp

Filesize
196KB

Download
memory/5040-0-0x0000000002410000-0x0000000002444000-memory.dmp

Filesize
208KB

Download