Vr.rar

General
Target

0x000100000001ab9c-70.exe

Filesize

977KB

Completed

25-11-2020 10:47

Score
8 /10
MD5

5c6684e8c2b678de9e2776c6b50ddd72

SHA1

7d255100d811de745e6ee908d1e0f8ba4ff21add

SHA256

bb5d2c07ce902c78227325bf5f336c04335874445fc0635a6b67ae5ba9d2fefc

Malware Config
Signatures 4

Filter: none

  • Executes dropped EXE
    0x000100000001ab9c-70.tmp

    Reported IOCs

    pidprocess
    19120x000100000001ab9c-70.tmp
  • Loads dropped DLL
    0x000100000001ab9c-70.exe

    Reported IOCs

    pidprocess
    17320x000100000001ab9c-70.exe
  • Suspicious behavior: GetForegroundWindowSpam
    0x000100000001ab9c-70.tmp

    Reported IOCs

    pidprocess
    19120x000100000001ab9c-70.tmp
  • Suspicious use of WriteProcessMemory
    0x000100000001ab9c-70.exe

    Reported IOCs

    descriptionpidprocesstarget process
    PID 1732 wrote to memory of 191217320x000100000001ab9c-70.exe0x000100000001ab9c-70.tmp
    PID 1732 wrote to memory of 191217320x000100000001ab9c-70.exe0x000100000001ab9c-70.tmp
    PID 1732 wrote to memory of 191217320x000100000001ab9c-70.exe0x000100000001ab9c-70.tmp
    PID 1732 wrote to memory of 191217320x000100000001ab9c-70.exe0x000100000001ab9c-70.tmp
    PID 1732 wrote to memory of 191217320x000100000001ab9c-70.exe0x000100000001ab9c-70.tmp
    PID 1732 wrote to memory of 191217320x000100000001ab9c-70.exe0x000100000001ab9c-70.tmp
    PID 1732 wrote to memory of 191217320x000100000001ab9c-70.exe0x000100000001ab9c-70.tmp
Processes 2
  • C:\Users\Admin\AppData\Local\Temp\0x000100000001ab9c-70.exe
    "C:\Users\Admin\AppData\Local\Temp\0x000100000001ab9c-70.exe"
    Loads dropped DLL
    Suspicious use of WriteProcessMemory
    PID:1732
    • C:\Users\Admin\AppData\Local\Temp\is-NP8CK.tmp\0x000100000001ab9c-70.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-NP8CK.tmp\0x000100000001ab9c-70.tmp" /SL5="$50152,748569,121344,C:\Users\Admin\AppData\Local\Temp\0x000100000001ab9c-70.exe"
      Executes dropped EXE
      Suspicious behavior: GetForegroundWindowSpam
      PID:1912
Network
MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Defense Evasion
          Discovery
            Execution
              Exfiltration
                Impact
                  Initial Access
                    Lateral Movement
                      Persistence
                        Privilege Escalation
                          Replay Monitor
                          00:00 00:00
                          Downloads
                          • C:\Users\Admin\AppData\Local\Temp\is-NP8CK.tmp\0x000100000001ab9c-70.tmp

                            MD5

                            1a8ac942e4c2302d349caaed9943360d

                            SHA1

                            a08ce743c3d90a2b713db3e58e747e7a00a32590

                            SHA256

                            db8341fc8e86f7b80fbe144aa9ceea3e3369b64dcd5998c5a7f186c304cfeb96

                            SHA512

                            d65e4f9846bb6fba5a8b4f9409b2576af041dfa9b453800c298ec810bd27cfcf28d1933bc79893aa79323654ab4b85e321b03eaf17d67f0e19c79749751e4aab

                          • \Users\Admin\AppData\Local\Temp\is-NP8CK.tmp\0x000100000001ab9c-70.tmp

                            MD5

                            1a8ac942e4c2302d349caaed9943360d

                            SHA1

                            a08ce743c3d90a2b713db3e58e747e7a00a32590

                            SHA256

                            db8341fc8e86f7b80fbe144aa9ceea3e3369b64dcd5998c5a7f186c304cfeb96

                            SHA512

                            d65e4f9846bb6fba5a8b4f9409b2576af041dfa9b453800c298ec810bd27cfcf28d1933bc79893aa79323654ab4b85e321b03eaf17d67f0e19c79749751e4aab

                          • memory/1912-1-0x0000000000000000-mapping.dmp