a01afce4ed3d8b49fac10a287c01762ae6921e89cb862477a169e6de1dca7af9

Analysis

max time kernel
46s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
27/10/2022, 20:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a01afce4ed3d8b49fac10a287c01762ae6921e89cb862477a169e6de1dca7af9.exe
Size

10.5MB
MD5

4baa5959bd8953c018156b49d8e2d805
SHA1

4011d3dc2a9c85619f3eac8a93cbcd7d9d3a1b26
SHA256

a01afce4ed3d8b49fac10a287c01762ae6921e89cb862477a169e6de1dca7af9
SHA512

6a8e0cebc0c35ed05ef5dc9e7b8ea44136e718b8c6bbf0ff7763be29fb411cf3af569b5eb3a02ab54c55ccbb0fb0d2695360bfc7cae3618b996cb4e6227c889d
SSDEEP

196608:8qPnDq/Qil0TrtYZi7HlhCHjDpAJi7mHqlh+W3G6F3TqTeUiNxqK3sddXli:FLq476i2HjDpOi7GqlPZ3TqTgzXcPli

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1928	a01afce4ed3d8b49fac10a287c01762ae6921e89cb862477a169e6de1dca7af9.tmp

Loads dropped DLL 4 IoCs

pid	Process
1444	a01afce4ed3d8b49fac10a287c01762ae6921e89cb862477a169e6de1dca7af9.exe
1928	a01afce4ed3d8b49fac10a287c01762ae6921e89cb862477a169e6de1dca7af9.tmp
1928	a01afce4ed3d8b49fac10a287c01762ae6921e89cb862477a169e6de1dca7af9.tmp
1928	a01afce4ed3d8b49fac10a287c01762ae6921e89cb862477a169e6de1dca7af9.tmp

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1928	a01afce4ed3d8b49fac10a287c01762ae6921e89cb862477a169e6de1dca7af9.tmp
1928	a01afce4ed3d8b49fac10a287c01762ae6921e89cb862477a169e6de1dca7af9.tmp
1928	a01afce4ed3d8b49fac10a287c01762ae6921e89cb862477a169e6de1dca7af9.tmp

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1444 wrote to memory of 1928	1444	a01afce4ed3d8b49fac10a287c01762ae6921e89cb862477a169e6de1dca7af9.exe	27
PID 1444 wrote to memory of 1928	1444	a01afce4ed3d8b49fac10a287c01762ae6921e89cb862477a169e6de1dca7af9.exe	27
PID 1444 wrote to memory of 1928	1444	a01afce4ed3d8b49fac10a287c01762ae6921e89cb862477a169e6de1dca7af9.exe	27
PID 1444 wrote to memory of 1928	1444	a01afce4ed3d8b49fac10a287c01762ae6921e89cb862477a169e6de1dca7af9.exe	27

C:\Users\Admin\AppData\Local\Temp\a01afce4ed3d8b49fac10a287c01762ae6921e89cb862477a169e6de1dca7af9.exe
"C:\Users\Admin\AppData\Local\Temp\a01afce4ed3d8b49fac10a287c01762ae6921e89cb862477a169e6de1dca7af9.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1444
- C:\Users\Admin\AppData\Local\Temp\is-AF46H.tmp\a01afce4ed3d8b49fac10a287c01762ae6921e89cb862477a169e6de1dca7af9.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-AF46H.tmp\a01afce4ed3d8b49fac10a287c01762ae6921e89cb862477a169e6de1dca7af9.tmp" /SL5="$A0124,10706901,51712,C:\Users\Admin\AppData\Local\Temp\a01afce4ed3d8b49fac10a287c01762ae6921e89cb862477a169e6de1dca7af9.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:1928

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-AF46H.tmp\a01afce4ed3d8b49fac10a287c01762ae6921e89cb862477a169e6de1dca7af9.tmp

Filesize
706KB

MD5
5d5ca7210bd22349185fd145d5991bbd

SHA1
d1780e68be3b4b5692589452e0a784e800432be4

SHA256
adecc4c37dafc8ec496aa1f1731feef62fae797aea8bb5e05d26c92ffc2c5d40

SHA512
caddc566ed30e8ee856cca4dd4df876c9bb81c57f128b02a90f96fbe37c747d62e0c0a92d94d7dd43ea80643658d8cb787c9e20df989cb4c2a731948d050101c

Download Submit
\Users\Admin\AppData\Local\Temp\is-AF46H.tmp\a01afce4ed3d8b49fac10a287c01762ae6921e89cb862477a169e6de1dca7af9.tmp

Filesize
706KB

MD5
5d5ca7210bd22349185fd145d5991bbd

SHA1
d1780e68be3b4b5692589452e0a784e800432be4

SHA256
adecc4c37dafc8ec496aa1f1731feef62fae797aea8bb5e05d26c92ffc2c5d40

SHA512
caddc566ed30e8ee856cca4dd4df876c9bb81c57f128b02a90f96fbe37c747d62e0c0a92d94d7dd43ea80643658d8cb787c9e20df989cb4c2a731948d050101c

Download Submit
\Users\Admin\AppData\Local\Temp\is-JI88R.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-JI88R.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-JI88R.tmp\psvince.dll

Filesize
36KB

MD5
a4e5c512b047a6d9dc38549161cac4de

SHA1
49d3e74f9604a6c61cda04ccc6d3cda87e280dfb

SHA256
c7f1e7e866834d9024f97c2b145c09d106e447e8abd65a10a1732116d178e44e

SHA512
2edb8a492b8369d56dda735a652c9e08539a5c4709a794efaff91adcae192a636d0545725af16cf8c31b275b34c2f19e4b019b57fb9050b99de65a4c08e3eee1

Download Submit
memory/1444-54-0x0000000075D71000-0x0000000075D73000-memory.dmp

Filesize
8KB

Download
memory/1444-55-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1444-61-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download