8bd0c2de7af721194571df16912e01228e4e1d2a2f26470d7947f231c05b4269

Resubmissions

02-11-2020 09:24

201102-7dbe5bltjn 10

02-11-2020 08:10

201102-3my475sppj 8

Analysis

max time kernel
134s
max time network
113s
platform
windows10_x64
resource
win10v20201028
submitted
02-11-2020 08:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec3da4ac9ec917e66ab943ab149119807922f64f2e4960ebadc36fe7520b300f.exe
Size

134KB
MD5

0a0b0ac20e9fe72753e74def1e37724f
SHA1

fd683b33ee10ba92e485f76fbad9b48a2e697358
SHA256

ec3da4ac9ec917e66ab943ab149119807922f64f2e4960ebadc36fe7520b300f
SHA512

3f5d8b747955fc5926767c04be7c7d414205d01e8a2e586d3e94f2a4da756b56b15a795ec5847894b21b39fba7d595d18898df60375c126998e6b638cf78a759

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

VNrzmQbEnlan.exepAFPXkPEllan.exefiIzDXAhilan.exe

pid process

2296 VNrzmQbEnlan.exe
564 pAFPXkPEllan.exe
2060 fiIzDXAhilan.exe

pid	process
2296	VNrzmQbEnlan.exe
564	pAFPXkPEllan.exe
2060	fiIzDXAhilan.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

ec3da4ac9ec917e66ab943ab149119807922f64f2e4960ebadc36fe7520b300f.exe

description	pid	process	target process
PID 4076 wrote to memory of 2296	4076	ec3da4ac9ec917e66ab943ab149119807922f64f2e4960ebadc36fe7520b300f.exe	VNrzmQbEnlan.exe
PID 4076 wrote to memory of 2296	4076	ec3da4ac9ec917e66ab943ab149119807922f64f2e4960ebadc36fe7520b300f.exe	VNrzmQbEnlan.exe
PID 4076 wrote to memory of 2296	4076	ec3da4ac9ec917e66ab943ab149119807922f64f2e4960ebadc36fe7520b300f.exe	VNrzmQbEnlan.exe
PID 4076 wrote to memory of 564	4076	ec3da4ac9ec917e66ab943ab149119807922f64f2e4960ebadc36fe7520b300f.exe	pAFPXkPEllan.exe
PID 4076 wrote to memory of 564	4076	ec3da4ac9ec917e66ab943ab149119807922f64f2e4960ebadc36fe7520b300f.exe	pAFPXkPEllan.exe
PID 4076 wrote to memory of 564	4076	ec3da4ac9ec917e66ab943ab149119807922f64f2e4960ebadc36fe7520b300f.exe	pAFPXkPEllan.exe
PID 4076 wrote to memory of 2060	4076	ec3da4ac9ec917e66ab943ab149119807922f64f2e4960ebadc36fe7520b300f.exe	fiIzDXAhilan.exe
PID 4076 wrote to memory of 2060	4076	ec3da4ac9ec917e66ab943ab149119807922f64f2e4960ebadc36fe7520b300f.exe	fiIzDXAhilan.exe
PID 4076 wrote to memory of 2060	4076	ec3da4ac9ec917e66ab943ab149119807922f64f2e4960ebadc36fe7520b300f.exe	fiIzDXAhilan.exe

C:\Users\Admin\AppData\Local\Temp\ec3da4ac9ec917e66ab943ab149119807922f64f2e4960ebadc36fe7520b300f.exe
"C:\Users\Admin\AppData\Local\Temp\ec3da4ac9ec917e66ab943ab149119807922f64f2e4960ebadc36fe7520b300f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4076

C:\Users\Admin\AppData\Local\Temp\VNrzmQbEnlan.exe
"C:\Users\Admin\AppData\Local\Temp\VNrzmQbEnlan.exe" 8 LAN
2⤵
- Executes dropped EXE
PID:2296

C:\Users\Admin\AppData\Local\Temp\pAFPXkPEllan.exe
"C:\Users\Admin\AppData\Local\Temp\pAFPXkPEllan.exe" 8 LAN
2⤵
- Executes dropped EXE
PID:564

C:\Users\Admin\AppData\Local\Temp\fiIzDXAhilan.exe
"C:\Users\Admin\AppData\Local\Temp\fiIzDXAhilan.exe" 8 LAN
2⤵
- Executes dropped EXE
PID:2060

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\VNrzmQbEnlan.exe

MD5
0a0b0ac20e9fe72753e74def1e37724f

SHA1
fd683b33ee10ba92e485f76fbad9b48a2e697358

SHA256
ec3da4ac9ec917e66ab943ab149119807922f64f2e4960ebadc36fe7520b300f

SHA512
3f5d8b747955fc5926767c04be7c7d414205d01e8a2e586d3e94f2a4da756b56b15a795ec5847894b21b39fba7d595d18898df60375c126998e6b638cf78a759

Download Submit
C:\Users\Admin\AppData\Local\Temp\VNrzmQbEnlan.exe

MD5
0a0b0ac20e9fe72753e74def1e37724f

SHA1
fd683b33ee10ba92e485f76fbad9b48a2e697358

SHA256
ec3da4ac9ec917e66ab943ab149119807922f64f2e4960ebadc36fe7520b300f

SHA512
3f5d8b747955fc5926767c04be7c7d414205d01e8a2e586d3e94f2a4da756b56b15a795ec5847894b21b39fba7d595d18898df60375c126998e6b638cf78a759

Download Submit
C:\Users\Admin\AppData\Local\Temp\fiIzDXAhilan.exe

MD5
0a0b0ac20e9fe72753e74def1e37724f

SHA1
fd683b33ee10ba92e485f76fbad9b48a2e697358

SHA256
ec3da4ac9ec917e66ab943ab149119807922f64f2e4960ebadc36fe7520b300f

SHA512
3f5d8b747955fc5926767c04be7c7d414205d01e8a2e586d3e94f2a4da756b56b15a795ec5847894b21b39fba7d595d18898df60375c126998e6b638cf78a759

Download Submit
C:\Users\Admin\AppData\Local\Temp\fiIzDXAhilan.exe

MD5
0a0b0ac20e9fe72753e74def1e37724f

SHA1
fd683b33ee10ba92e485f76fbad9b48a2e697358

SHA256
ec3da4ac9ec917e66ab943ab149119807922f64f2e4960ebadc36fe7520b300f

SHA512
3f5d8b747955fc5926767c04be7c7d414205d01e8a2e586d3e94f2a4da756b56b15a795ec5847894b21b39fba7d595d18898df60375c126998e6b638cf78a759

Download Submit
C:\Users\Admin\AppData\Local\Temp\pAFPXkPEllan.exe

MD5
0a0b0ac20e9fe72753e74def1e37724f

SHA1
fd683b33ee10ba92e485f76fbad9b48a2e697358

SHA256
ec3da4ac9ec917e66ab943ab149119807922f64f2e4960ebadc36fe7520b300f

SHA512
3f5d8b747955fc5926767c04be7c7d414205d01e8a2e586d3e94f2a4da756b56b15a795ec5847894b21b39fba7d595d18898df60375c126998e6b638cf78a759

Download Submit
C:\Users\Admin\AppData\Local\Temp\pAFPXkPEllan.exe

MD5
0a0b0ac20e9fe72753e74def1e37724f

SHA1
fd683b33ee10ba92e485f76fbad9b48a2e697358

SHA256
ec3da4ac9ec917e66ab943ab149119807922f64f2e4960ebadc36fe7520b300f

SHA512
3f5d8b747955fc5926767c04be7c7d414205d01e8a2e586d3e94f2a4da756b56b15a795ec5847894b21b39fba7d595d18898df60375c126998e6b638cf78a759

Download Submit
memory/564-3-0x0000000000000000-mapping.dmp

Download
memory/2060-6-0x0000000000000000-mapping.dmp

Download
memory/2296-0-0x0000000000000000-mapping.dmp

Download