7654394bbdcc63d7ce5b825a87370e66d098e195af7b40abab5188744f94ac6e

General

Target

versioncheck.exe
Size

1.3MB
MD5

c21e7fe8f255944c34ff7833a6c9b223
SHA1

3c56fde8d279e0c545cd940c57700372ceeb1828
SHA256

7654394bbdcc63d7ce5b825a87370e66d098e195af7b40abab5188744f94ac6e
SHA512

28fde4d35f96e9475e09ba883d1bcfb6fa18a59b9b8f213c8866a73d997b6a0fe2d5b57bacf1da6d715238f8949d97209f07d584464125c753b1efa614454002

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 39 IoCs

Processes:

versioncheck.exenotepad.exe

pid	process
1944	versioncheck.exe
836	notepad.exe
836	notepad.exe
836	notepad.exe
836	notepad.exe
836	notepad.exe
836	notepad.exe
836	notepad.exe
836	notepad.exe
836	notepad.exe
836	notepad.exe
836	notepad.exe
836	notepad.exe
836	notepad.exe
836	notepad.exe
836	notepad.exe
836	notepad.exe
836	notepad.exe
836	notepad.exe
836	notepad.exe
836	notepad.exe
836	notepad.exe
836	notepad.exe
836	notepad.exe
836	notepad.exe
836	notepad.exe
836	notepad.exe
836	notepad.exe
836	notepad.exe
836	notepad.exe
836	notepad.exe
836	notepad.exe
836	notepad.exe
836	notepad.exe
836	notepad.exe
836	notepad.exe
836	notepad.exe
836	notepad.exe
836	notepad.exe

Suspicious behavior: MapViewOfSection 38 IoCs

Processes:

notepad.exe

pid	process
836	notepad.exe
836	notepad.exe
836	notepad.exe
836	notepad.exe
836	notepad.exe
836	notepad.exe
836	notepad.exe
836	notepad.exe
836	notepad.exe
836	notepad.exe
836	notepad.exe
836	notepad.exe
836	notepad.exe
836	notepad.exe
836	notepad.exe
836	notepad.exe
836	notepad.exe
836	notepad.exe
836	notepad.exe
836	notepad.exe
836	notepad.exe
836	notepad.exe
836	notepad.exe
836	notepad.exe
836	notepad.exe
836	notepad.exe
836	notepad.exe
836	notepad.exe
836	notepad.exe
836	notepad.exe
836	notepad.exe
836	notepad.exe
836	notepad.exe
836	notepad.exe
836	notepad.exe
836	notepad.exe
836	notepad.exe
836	notepad.exe

Suspicious use of WriteProcessMemory 453 IoCs

Processes:

versioncheck.exenotepad.exe

description	pid	process	target process
PID 1944 wrote to memory of 836	1944	versioncheck.exe	notepad.exe
PID 1944 wrote to memory of 836	1944	versioncheck.exe	notepad.exe
PID 1944 wrote to memory of 836	1944	versioncheck.exe	notepad.exe
PID 1944 wrote to memory of 836	1944	versioncheck.exe	notepad.exe
PID 1944 wrote to memory of 836	1944	versioncheck.exe	notepad.exe
PID 1944 wrote to memory of 836	1944	versioncheck.exe	notepad.exe
PID 1944 wrote to memory of 836	1944	versioncheck.exe	notepad.exe
PID 1944 wrote to memory of 836	1944	versioncheck.exe	notepad.exe
PID 1944 wrote to memory of 836	1944	versioncheck.exe	notepad.exe
PID 1944 wrote to memory of 836	1944	versioncheck.exe	notepad.exe
PID 1944 wrote to memory of 836	1944	versioncheck.exe	notepad.exe
PID 1944 wrote to memory of 836	1944	versioncheck.exe	notepad.exe
PID 1944 wrote to memory of 836	1944	versioncheck.exe	notepad.exe
PID 1944 wrote to memory of 836	1944	versioncheck.exe	notepad.exe
PID 1944 wrote to memory of 836	1944	versioncheck.exe	notepad.exe
PID 1944 wrote to memory of 836	1944	versioncheck.exe	notepad.exe
PID 1944 wrote to memory of 836	1944	versioncheck.exe	notepad.exe
PID 1944 wrote to memory of 836	1944	versioncheck.exe	notepad.exe
PID 1944 wrote to memory of 836	1944	versioncheck.exe	notepad.exe
PID 1944 wrote to memory of 836	1944	versioncheck.exe	notepad.exe
PID 1944 wrote to memory of 836	1944	versioncheck.exe	notepad.exe
PID 1944 wrote to memory of 836	1944	versioncheck.exe	notepad.exe
PID 1944 wrote to memory of 836	1944	versioncheck.exe	notepad.exe
PID 1944 wrote to memory of 836	1944	versioncheck.exe	notepad.exe
PID 1944 wrote to memory of 836	1944	versioncheck.exe	notepad.exe
PID 1944 wrote to memory of 836	1944	versioncheck.exe	notepad.exe
PID 1944 wrote to memory of 836	1944	versioncheck.exe	notepad.exe
PID 1944 wrote to memory of 836	1944	versioncheck.exe	notepad.exe
PID 1944 wrote to memory of 836	1944	versioncheck.exe	notepad.exe
PID 1944 wrote to memory of 836	1944	versioncheck.exe	notepad.exe
PID 1944 wrote to memory of 836	1944	versioncheck.exe	notepad.exe
PID 1944 wrote to memory of 836	1944	versioncheck.exe	notepad.exe
PID 1944 wrote to memory of 836	1944	versioncheck.exe	notepad.exe
PID 1944 wrote to memory of 836	1944	versioncheck.exe	notepad.exe
PID 1944 wrote to memory of 836	1944	versioncheck.exe	notepad.exe
PID 836 wrote to memory of 888	836	notepad.exe	cmd.exe
PID 836 wrote to memory of 888	836	notepad.exe	cmd.exe
PID 836 wrote to memory of 888	836	notepad.exe	cmd.exe
PID 836 wrote to memory of 888	836	notepad.exe	cmd.exe
PID 836 wrote to memory of 888	836	notepad.exe	cmd.exe
PID 836 wrote to memory of 888	836	notepad.exe	cmd.exe
PID 836 wrote to memory of 888	836	notepad.exe	cmd.exe
PID 836 wrote to memory of 888	836	notepad.exe	cmd.exe
PID 836 wrote to memory of 888	836	notepad.exe	cmd.exe
PID 836 wrote to memory of 888	836	notepad.exe	cmd.exe
PID 836 wrote to memory of 888	836	notepad.exe	cmd.exe
PID 836 wrote to memory of 1924	836	notepad.exe	cmd.exe
PID 836 wrote to memory of 1924	836	notepad.exe	cmd.exe
PID 836 wrote to memory of 1924	836	notepad.exe	cmd.exe
PID 836 wrote to memory of 1924	836	notepad.exe	cmd.exe
PID 836 wrote to memory of 1924	836	notepad.exe	cmd.exe
PID 836 wrote to memory of 1924	836	notepad.exe	cmd.exe
PID 836 wrote to memory of 1924	836	notepad.exe	cmd.exe
PID 836 wrote to memory of 1924	836	notepad.exe	cmd.exe
PID 836 wrote to memory of 1924	836	notepad.exe	cmd.exe
PID 836 wrote to memory of 1924	836	notepad.exe	cmd.exe
PID 836 wrote to memory of 1924	836	notepad.exe	cmd.exe
PID 836 wrote to memory of 808	836	notepad.exe	cmd.exe
PID 836 wrote to memory of 808	836	notepad.exe	cmd.exe
PID 836 wrote to memory of 808	836	notepad.exe	cmd.exe
PID 836 wrote to memory of 808	836	notepad.exe	cmd.exe
PID 836 wrote to memory of 808	836	notepad.exe	cmd.exe
PID 836 wrote to memory of 808	836	notepad.exe	cmd.exe
PID 836 wrote to memory of 808	836	notepad.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\versioncheck.exe
"C:\Users\Admin\AppData\Local\Temp\versioncheck.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1944

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:836

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
PID:888

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
PID:1924

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
PID:808

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
PID:1088

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
PID:1396

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
3⤵
PID:1900

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
3⤵
PID:648

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
3⤵
PID:1908

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
3⤵
PID:1620

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
3⤵
PID:1920

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
3⤵
PID:1628

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
3⤵
PID:1576

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
3⤵
PID:1580

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
3⤵
PID:1096

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
3⤵
PID:1556

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
3⤵
PID:564

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
3⤵
PID:1648

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
3⤵
PID:1992

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
3⤵
PID:1300

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
3⤵
PID:536

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
3⤵
PID:1128

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
3⤵
PID:1092

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
3⤵
PID:528

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
3⤵
PID:744

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
3⤵
PID:1552

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
3⤵
PID:1724

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
3⤵
PID:1720

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
3⤵
PID:1080

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
3⤵
PID:1820

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
3⤵
PID:1892

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
3⤵
PID:1612

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
3⤵
PID:1804

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
3⤵
PID:756

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
3⤵
PID:1000

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
3⤵
PID:568

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
3⤵
PID:764

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
3⤵
PID:324

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
3⤵
PID:856

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/836-2-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads