cfd74862afec79592186f82934d8d58837e67eea732b20e6e4547f41be6ec2a4

General

Target

cfd74862afec79592186f82934d8d58837e67eea732b20e6e4547f41be6ec2a4.exe
Size

411KB
MD5

43f00ac70907c2ae19ee0cfbc78d9467
SHA1

d6fe65fab71bae498b443d673db1609cc2d20ffe
SHA256

cfd74862afec79592186f82934d8d58837e67eea732b20e6e4547f41be6ec2a4
SHA512

b4f160de78b2091a945a7e0c5c4c602791c5548f01b9d7403fd861f642115892f08ca5fd78b15e54dc6e68764096185545a61de720a1b69c527c21a034ed5414
SSDEEP

12288:Lc//////1TKbAmQFC7Np/psw+w3bP/2YXkkYn2KQo+d0o:Lc//////1TY7Np/D+AbPRYz+dX

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1204	dlaler.exe
1424	dlaler.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1724 set thread context of 936	1724	cfd74862afec79592186f82934d8d58837e67eea732b20e6e4547f41be6ec2a4.exe	28
PID 1204 set thread context of 1424	1204	dlaler.exe	30

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\dlaler.exe	cfd74862afec79592186f82934d8d58837e67eea732b20e6e4547f41be6ec2a4.exe
File opened for modification	C:\Windows\dlaler.exe	cfd74862afec79592186f82934d8d58837e67eea732b20e6e4547f41be6ec2a4.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	936	cfd74862afec79592186f82934d8d58837e67eea732b20e6e4547f41be6ec2a4.exe
Token: SeDebugPrivilege	1424	dlaler.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1424	dlaler.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1424	dlaler.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 936	1724	cfd74862afec79592186f82934d8d58837e67eea732b20e6e4547f41be6ec2a4.exe	28
PID 1724 wrote to memory of 936	1724	cfd74862afec79592186f82934d8d58837e67eea732b20e6e4547f41be6ec2a4.exe	28
PID 1724 wrote to memory of 936	1724	cfd74862afec79592186f82934d8d58837e67eea732b20e6e4547f41be6ec2a4.exe	28
PID 1724 wrote to memory of 936	1724	cfd74862afec79592186f82934d8d58837e67eea732b20e6e4547f41be6ec2a4.exe	28
PID 1724 wrote to memory of 936	1724	cfd74862afec79592186f82934d8d58837e67eea732b20e6e4547f41be6ec2a4.exe	28
PID 1724 wrote to memory of 936	1724	cfd74862afec79592186f82934d8d58837e67eea732b20e6e4547f41be6ec2a4.exe	28
PID 936 wrote to memory of 1204	936	cfd74862afec79592186f82934d8d58837e67eea732b20e6e4547f41be6ec2a4.exe	29
PID 936 wrote to memory of 1204	936	cfd74862afec79592186f82934d8d58837e67eea732b20e6e4547f41be6ec2a4.exe	29
PID 936 wrote to memory of 1204	936	cfd74862afec79592186f82934d8d58837e67eea732b20e6e4547f41be6ec2a4.exe	29
PID 936 wrote to memory of 1204	936	cfd74862afec79592186f82934d8d58837e67eea732b20e6e4547f41be6ec2a4.exe	29
PID 1204 wrote to memory of 1424	1204	dlaler.exe	30
PID 1204 wrote to memory of 1424	1204	dlaler.exe	30
PID 1204 wrote to memory of 1424	1204	dlaler.exe	30
PID 1204 wrote to memory of 1424	1204	dlaler.exe	30
PID 1204 wrote to memory of 1424	1204	dlaler.exe	30
PID 1204 wrote to memory of 1424	1204	dlaler.exe	30

C:\Users\Admin\AppData\Local\Temp\cfd74862afec79592186f82934d8d58837e67eea732b20e6e4547f41be6ec2a4.exe
"C:\Users\Admin\AppData\Local\Temp\cfd74862afec79592186f82934d8d58837e67eea732b20e6e4547f41be6ec2a4.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Users\Admin\AppData\Local\Temp\cfd74862afec79592186f82934d8d58837e67eea732b20e6e4547f41be6ec2a4.exe
  C:\Users\Admin\AppData\Local\Temp\cfd74862afec79592186f82934d8d58837e67eea732b20e6e4547f41be6ec2a4.exe
  2⤵
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:936
- - C:\Windows\dlaler.exe
    C:\Windows\dlaler.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1204
  - - C:\Windows\dlaler.exe
      C:\Windows\dlaler.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:1424

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\dlaler.exe

Filesize
411KB

MD5
43f00ac70907c2ae19ee0cfbc78d9467

SHA1
d6fe65fab71bae498b443d673db1609cc2d20ffe

SHA256
cfd74862afec79592186f82934d8d58837e67eea732b20e6e4547f41be6ec2a4

SHA512
b4f160de78b2091a945a7e0c5c4c602791c5548f01b9d7403fd861f642115892f08ca5fd78b15e54dc6e68764096185545a61de720a1b69c527c21a034ed5414

Download Submit
C:\Windows\dlaler.exe

Filesize
411KB

MD5
43f00ac70907c2ae19ee0cfbc78d9467

SHA1
d6fe65fab71bae498b443d673db1609cc2d20ffe

SHA256
cfd74862afec79592186f82934d8d58837e67eea732b20e6e4547f41be6ec2a4

SHA512
b4f160de78b2091a945a7e0c5c4c602791c5548f01b9d7403fd861f642115892f08ca5fd78b15e54dc6e68764096185545a61de720a1b69c527c21a034ed5414

Download Submit
C:\Windows\dlaler.exe

Filesize
411KB

MD5
43f00ac70907c2ae19ee0cfbc78d9467

SHA1
d6fe65fab71bae498b443d673db1609cc2d20ffe

SHA256
cfd74862afec79592186f82934d8d58837e67eea732b20e6e4547f41be6ec2a4

SHA512
b4f160de78b2091a945a7e0c5c4c602791c5548f01b9d7403fd861f642115892f08ca5fd78b15e54dc6e68764096185545a61de720a1b69c527c21a034ed5414

Download Submit
memory/936-58-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/936-59-0x0000000076411000-0x0000000076413000-memory.dmp

Filesize
8KB

Download
memory/936-60-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/936-54-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/936-56-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/936-70-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1424-72-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1424-73-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1424-74-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download

Analysis

Sharing