422fc326d35abe98438c2fd8418d134ddb3fb20bc54c62486f9b963cda3d5010

Analysis

Target

422fc326d35abe98438c2fd8418d134ddb3fb20bc54c62486f9b963cda3d5010_422fc326d35abe98438c2fd8418d134ddb3.exe
Size

2.3MB
MD5

8642406e609c7d9cd085d69862c2d4c3
SHA1

60e7c3172025a993882d6b180d4b74f3287893ef
SHA256

422fc326d35abe98438c2fd8418d134ddb3fb20bc54c62486f9b963cda3d5010
SHA512

c6d357bbb69379990fa31ec8a958ec5a5cb8b0f80870e72fc67e06049975bde3f998fae22e7ae9974cbbf53a56e6129bb8b6e4db5459028e7327ee238e277d82

Score

8^/10

Executes dropped EXE 1 IoCs

pid	Process
2364	422fc326d35abe98438c2fd8418d134ddb3fb20bc54c62486f9b963cda3d5010_422fc326d35abe98438c2fd8418d134ddb3.tmp

Loads dropped DLL 3 IoCs

pid	Process
2364	422fc326d35abe98438c2fd8418d134ddb3fb20bc54c62486f9b963cda3d5010_422fc326d35abe98438c2fd8418d134ddb3.tmp
2364	422fc326d35abe98438c2fd8418d134ddb3fb20bc54c62486f9b963cda3d5010_422fc326d35abe98438c2fd8418d134ddb3.tmp
2364	422fc326d35abe98438c2fd8418d134ddb3fb20bc54c62486f9b963cda3d5010_422fc326d35abe98438c2fd8418d134ddb3.tmp

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	7	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2364	422fc326d35abe98438c2fd8418d134ddb3fb20bc54c62486f9b963cda3d5010_422fc326d35abe98438c2fd8418d134ddb3.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2056 wrote to memory of 2364	2056	422fc326d35abe98438c2fd8418d134ddb3fb20bc54c62486f9b963cda3d5010_422fc326d35abe98438c2fd8418d134ddb3.exe	70
PID 2056 wrote to memory of 2364	2056	422fc326d35abe98438c2fd8418d134ddb3fb20bc54c62486f9b963cda3d5010_422fc326d35abe98438c2fd8418d134ddb3.exe	70
PID 2056 wrote to memory of 2364	2056	422fc326d35abe98438c2fd8418d134ddb3fb20bc54c62486f9b963cda3d5010_422fc326d35abe98438c2fd8418d134ddb3.exe	70

C:\Users\Admin\AppData\Local\Temp\422fc326d35abe98438c2fd8418d134ddb3fb20bc54c62486f9b963cda3d5010_422fc326d35abe98438c2fd8418d134ddb3.exe
"C:\Users\Admin\AppData\Local\Temp\422fc326d35abe98438c2fd8418d134ddb3fb20bc54c62486f9b963cda3d5010_422fc326d35abe98438c2fd8418d134ddb3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Users\Admin\AppData\Local\Temp\is-FVQ86.tmp\422fc326d35abe98438c2fd8418d134ddb3fb20bc54c62486f9b963cda3d5010_422fc326d35abe98438c2fd8418d134ddb3.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-FVQ86.tmp\422fc326d35abe98438c2fd8418d134ddb3fb20bc54c62486f9b963cda3d5010_422fc326d35abe98438c2fd8418d134ddb3.tmp" /SL5="$7007A,1569491,780800,C:\Users\Admin\AppData\Local\Temp\422fc326d35abe98438c2fd8418d134ddb3fb20bc54c62486f9b963cda3d5010_422fc326d35abe98438c2fd8418d134ddb3.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:2364

memory/2056-116-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2364-119-0x0000000000810000-0x0000000000811000-memory.dmp

Filesize
4KB

Download
memory/2364-123-0x0000000004C80000-0x0000000004C8F000-memory.dmp

Filesize
60KB

Download