decb178714d9ed8662733f21374af19d03cd6881350b9e53cb5d5ed9228329cf

General

Target

decb178714d9ed8662733f21374af19d03cd6881350b9e53cb5d5ed9228329cf.exe
Size

135KB
MD5

806df14479c3194d5ae468314d1339c3
SHA1

0e1d9e991eef38e09f9ff33f81cc0652023e6658
SHA256

decb178714d9ed8662733f21374af19d03cd6881350b9e53cb5d5ed9228329cf
SHA512

bac8c37094133e38b72f7c74ffbe074e4d1c9e3ae17dfefb7dd715416466994fa9499df4d1f3f1ff4a2cc808daf8eb9f83963a3bfd211b152e66a0dd85c5a92e
SSDEEP

3072:WvVsfbzqhQeQ+j7Gq/te/QWymCw7ZzS4SzVxFKYg+YGfout:W9oP1eFj7o1ZWTzVxY+xoS

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1344	msprxysvc32.exe

Deletes itself 1 IoCs

pid	Process
1344	msprxysvc32.exe

Loads dropped DLL 2 IoCs

pid	Process
1424	decb178714d9ed8662733f21374af19d03cd6881350b9e53cb5d5ed9228329cf.exe
1424	decb178714d9ed8662733f21374af19d03cd6881350b9e53cb5d5ed9228329cf.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\msprxysvc32.exe	decb178714d9ed8662733f21374af19d03cd6881350b9e53cb5d5ed9228329cf.exe
File opened for modification	C:\Windows\SysWOW64\msprxysvc32.exe	decb178714d9ed8662733f21374af19d03cd6881350b9e53cb5d5ed9228329cf.exe
File opened for modification	C:\Windows\SysWOW64\msprxysvc32.exe	msprxysvc32.exe
File created	C:\Windows\SysWOW64\msprxysvc32.exe	msprxysvc32.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1424 wrote to memory of 1344	1424	decb178714d9ed8662733f21374af19d03cd6881350b9e53cb5d5ed9228329cf.exe	26
PID 1424 wrote to memory of 1344	1424	decb178714d9ed8662733f21374af19d03cd6881350b9e53cb5d5ed9228329cf.exe	26
PID 1424 wrote to memory of 1344	1424	decb178714d9ed8662733f21374af19d03cd6881350b9e53cb5d5ed9228329cf.exe	26
PID 1424 wrote to memory of 1344	1424	decb178714d9ed8662733f21374af19d03cd6881350b9e53cb5d5ed9228329cf.exe	26
PID 1344 wrote to memory of 956	1344	msprxysvc32.exe	27
PID 1344 wrote to memory of 956	1344	msprxysvc32.exe	27
PID 1344 wrote to memory of 956	1344	msprxysvc32.exe	27
PID 1344 wrote to memory of 956	1344	msprxysvc32.exe	27

C:\Users\Admin\AppData\Local\Temp\decb178714d9ed8662733f21374af19d03cd6881350b9e53cb5d5ed9228329cf.exe
"C:\Users\Admin\AppData\Local\Temp\decb178714d9ed8662733f21374af19d03cd6881350b9e53cb5d5ed9228329cf.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1424
- C:\Windows\SysWOW64\msprxysvc32.exe
  C:\Windows\system32\msprxysvc32.exe 472 "C:\Users\Admin\AppData\Local\Temp\decb178714d9ed8662733f21374af19d03cd6881350b9e53cb5d5ed9228329cf.exe"
  2⤵
  - Executes dropped EXE
  - Deletes itself
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1344
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\del.bat C:\Windows\SysWOW64\msprxysvc32.exe
    3⤵
    PID:956

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\del.bat

Filesize
136B

MD5
bfcf9cc6d1c37953dfa43312e2c36140

SHA1
07a4c0f29b282c34be24c312c4b920e479f4cee0

SHA256
bac7cce52aeba3a2e2ce2bb6aebf50ffa65530d0d51ca49a2abc7f4e43ce3ce5

SHA512
fb661474557e7168d4050607863b57649fa12a26ab9bd06078ae3254d003d76cfed4eac3d0a78a56eaf0ecc5b231d52788b6c8688cb14b0c86a37efe90f5f53a

Download Submit
C:\Windows\SysWOW64\msprxysvc32.exe

Filesize
135KB

MD5
806df14479c3194d5ae468314d1339c3

SHA1
0e1d9e991eef38e09f9ff33f81cc0652023e6658

SHA256
decb178714d9ed8662733f21374af19d03cd6881350b9e53cb5d5ed9228329cf

SHA512
bac8c37094133e38b72f7c74ffbe074e4d1c9e3ae17dfefb7dd715416466994fa9499df4d1f3f1ff4a2cc808daf8eb9f83963a3bfd211b152e66a0dd85c5a92e

Download Submit
C:\Windows\SysWOW64\msprxysvc32.exe

Filesize
135KB

MD5
806df14479c3194d5ae468314d1339c3

SHA1
0e1d9e991eef38e09f9ff33f81cc0652023e6658

SHA256
decb178714d9ed8662733f21374af19d03cd6881350b9e53cb5d5ed9228329cf

SHA512
bac8c37094133e38b72f7c74ffbe074e4d1c9e3ae17dfefb7dd715416466994fa9499df4d1f3f1ff4a2cc808daf8eb9f83963a3bfd211b152e66a0dd85c5a92e

Download Submit
\Windows\SysWOW64\msprxysvc32.exe

Filesize
135KB

MD5
806df14479c3194d5ae468314d1339c3

SHA1
0e1d9e991eef38e09f9ff33f81cc0652023e6658

SHA256
decb178714d9ed8662733f21374af19d03cd6881350b9e53cb5d5ed9228329cf

SHA512
bac8c37094133e38b72f7c74ffbe074e4d1c9e3ae17dfefb7dd715416466994fa9499df4d1f3f1ff4a2cc808daf8eb9f83963a3bfd211b152e66a0dd85c5a92e

Download Submit
\Windows\SysWOW64\msprxysvc32.exe

Filesize
135KB

MD5
806df14479c3194d5ae468314d1339c3

SHA1
0e1d9e991eef38e09f9ff33f81cc0652023e6658

SHA256
decb178714d9ed8662733f21374af19d03cd6881350b9e53cb5d5ed9228329cf

SHA512
bac8c37094133e38b72f7c74ffbe074e4d1c9e3ae17dfefb7dd715416466994fa9499df4d1f3f1ff4a2cc808daf8eb9f83963a3bfd211b152e66a0dd85c5a92e

Download Submit
memory/1344-62-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1344-66-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1424-61-0x0000000001ED0000-0x0000000001F6F000-memory.dmp

Filesize
636KB

Download
memory/1424-63-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1424-54-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1424-55-0x0000000076151000-0x0000000076153000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads