879353cf97b065067ca2a580ec846c70a54e613acffbd500a2df9fa55e7be42a

General

Target

879353cf97b065067ca2a580ec846c70a54e613acffbd500a2df9fa55e7be42a.exe
Size

1.8MB
MD5

5ba0e5344b203b7f9ac4e9bf0bbe060c
SHA1

d551975424fe578ff59a0e6e7da5495aed6982a7
SHA256

879353cf97b065067ca2a580ec846c70a54e613acffbd500a2df9fa55e7be42a
SHA512

a11043d878407404d20f13c087a9253a50097446c94c4e687d836f3688243bef57abf565601c0f360f9d394500486c6662038914fcccb50e6b484d225b103cef

Score

7^/10

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

879353cf97b065067ca2a580ec846c70a54e613acffbd500a2df9fa55e7be42a.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oKeuReKAhG.url	879353cf97b065067ca2a580ec846c70a54e613acffbd500a2df9fa55e7be42a.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

879353cf97b065067ca2a580ec846c70a54e613acffbd500a2df9fa55e7be42a.exe

description	pid	process	target process
PID 1268 set thread context of 768	1268	879353cf97b065067ca2a580ec846c70a54e613acffbd500a2df9fa55e7be42a.exe	RegSvcs.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

879353cf97b065067ca2a580ec846c70a54e613acffbd500a2df9fa55e7be42a.exe

pid	process
1268	879353cf97b065067ca2a580ec846c70a54e613acffbd500a2df9fa55e7be42a.exe
1268	879353cf97b065067ca2a580ec846c70a54e613acffbd500a2df9fa55e7be42a.exe
1268	879353cf97b065067ca2a580ec846c70a54e613acffbd500a2df9fa55e7be42a.exe
1268	879353cf97b065067ca2a580ec846c70a54e613acffbd500a2df9fa55e7be42a.exe
1268	879353cf97b065067ca2a580ec846c70a54e613acffbd500a2df9fa55e7be42a.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

879353cf97b065067ca2a580ec846c70a54e613acffbd500a2df9fa55e7be42a.exe

pid process

1268 879353cf97b065067ca2a580ec846c70a54e613acffbd500a2df9fa55e7be42a.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

879353cf97b065067ca2a580ec846c70a54e613acffbd500a2df9fa55e7be42a.exe

pid	process
1268	879353cf97b065067ca2a580ec846c70a54e613acffbd500a2df9fa55e7be42a.exe
1268	879353cf97b065067ca2a580ec846c70a54e613acffbd500a2df9fa55e7be42a.exe
1268	879353cf97b065067ca2a580ec846c70a54e613acffbd500a2df9fa55e7be42a.exe
1268	879353cf97b065067ca2a580ec846c70a54e613acffbd500a2df9fa55e7be42a.exe

Suspicious use of SendNotifyMessage 4 IoCs

Processes:

879353cf97b065067ca2a580ec846c70a54e613acffbd500a2df9fa55e7be42a.exe

pid	process
1268	879353cf97b065067ca2a580ec846c70a54e613acffbd500a2df9fa55e7be42a.exe
1268	879353cf97b065067ca2a580ec846c70a54e613acffbd500a2df9fa55e7be42a.exe
1268	879353cf97b065067ca2a580ec846c70a54e613acffbd500a2df9fa55e7be42a.exe
1268	879353cf97b065067ca2a580ec846c70a54e613acffbd500a2df9fa55e7be42a.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

879353cf97b065067ca2a580ec846c70a54e613acffbd500a2df9fa55e7be42a.exeRegSvcs.exe

description	pid	process	target process
PID 1268 wrote to memory of 768	1268	879353cf97b065067ca2a580ec846c70a54e613acffbd500a2df9fa55e7be42a.exe	RegSvcs.exe
PID 1268 wrote to memory of 768	1268	879353cf97b065067ca2a580ec846c70a54e613acffbd500a2df9fa55e7be42a.exe	RegSvcs.exe
PID 1268 wrote to memory of 768	1268	879353cf97b065067ca2a580ec846c70a54e613acffbd500a2df9fa55e7be42a.exe	RegSvcs.exe
PID 1268 wrote to memory of 768	1268	879353cf97b065067ca2a580ec846c70a54e613acffbd500a2df9fa55e7be42a.exe	RegSvcs.exe
PID 1268 wrote to memory of 768	1268	879353cf97b065067ca2a580ec846c70a54e613acffbd500a2df9fa55e7be42a.exe	RegSvcs.exe
PID 1268 wrote to memory of 768	1268	879353cf97b065067ca2a580ec846c70a54e613acffbd500a2df9fa55e7be42a.exe	RegSvcs.exe
PID 1268 wrote to memory of 768	1268	879353cf97b065067ca2a580ec846c70a54e613acffbd500a2df9fa55e7be42a.exe	RegSvcs.exe
PID 1268 wrote to memory of 768	1268	879353cf97b065067ca2a580ec846c70a54e613acffbd500a2df9fa55e7be42a.exe	RegSvcs.exe
PID 768 wrote to memory of 1460	768	RegSvcs.exe	dw20.exe
PID 768 wrote to memory of 1460	768	RegSvcs.exe	dw20.exe
PID 768 wrote to memory of 1460	768	RegSvcs.exe	dw20.exe
PID 768 wrote to memory of 1460	768	RegSvcs.exe	dw20.exe

C:\Users\Admin\AppData\Local\Temp\879353cf97b065067ca2a580ec846c70a54e613acffbd500a2df9fa55e7be42a.exe
"C:\Users\Admin\AppData\Local\Temp\879353cf97b065067ca2a580ec846c70a54e613acffbd500a2df9fa55e7be42a.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1268

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:768

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 412
3⤵
PID:1460

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/768-59-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/768-58-0x0000000074410000-0x00000000749BB000-memory.dmp

Filesize
5.7MB

Download
memory/768-60-0x0000000074410000-0x00000000749BB000-memory.dmp

Filesize
5.7MB

Download
memory/1268-55-0x0000000075F81000-0x0000000075F83000-memory.dmp

Filesize
8KB

Download
memory/1268-56-0x0000000000120000-0x0000000000123000-memory.dmp

Filesize
12KB

Download
memory/1460-62-0x00000000023E0000-0x00000000023E1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads