613b5396ba3ad400a557af19aa2d763a80f7b53546ae344904b2c9b12f08d730

General

Target

613b5396ba3ad400a557af19aa2d763a80f7b53546ae344904b2c9b12f08d730.exe
Size

398KB
MD5

0b93d99536f34ecc70992c38be7aaef0
SHA1

1c335773eaaefedd00fe78f4cfb734c8cbbfbff9
SHA256

613b5396ba3ad400a557af19aa2d763a80f7b53546ae344904b2c9b12f08d730
SHA512

3fcd9a17710e6d14042b66ca8b0e098fa04c38ec17f231335034e5b4d53849afaad061fe8a802f4aa1888043ec1491f5ef906082be7518f7263f664759755205
SSDEEP

12288:qvqlqSrzEAupLiPuSrN0VMazGjXytzl0RbfpwSD:wsqSroAupL8uSrOVMPyudHD

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
940	mscorsvw.exe
604	mscorsvw.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	613b5396ba3ad400a557af19aa2d763a80f7b53546ae344904b2c9b12f08d730.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	613b5396ba3ad400a557af19aa2d763a80f7b53546ae344904b2c9b12f08d730.exe
File created	\??\c:\windows\SysWOW64\svchost.vir	613b5396ba3ad400a557af19aa2d763a80f7b53546ae344904b2c9b12f08d730.exe
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	613b5396ba3ad400a557af19aa2d763a80f7b53546ae344904b2c9b12f08d730.exe
File created	\??\c:\windows\SysWOW64\dllhost.vir	613b5396ba3ad400a557af19aa2d763a80f7b53546ae344904b2c9b12f08d730.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe	613b5396ba3ad400a557af19aa2d763a80f7b53546ae344904b2c9b12f08d730.exe
File created	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.vir	613b5396ba3ad400a557af19aa2d763a80f7b53546ae344904b2c9b12f08d730.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe	613b5396ba3ad400a557af19aa2d763a80f7b53546ae344904b2c9b12f08d730.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe	613b5396ba3ad400a557af19aa2d763a80f7b53546ae344904b2c9b12f08d730.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe	613b5396ba3ad400a557af19aa2d763a80f7b53546ae344904b2c9b12f08d730.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe	613b5396ba3ad400a557af19aa2d763a80f7b53546ae344904b2c9b12f08d730.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.vir	613b5396ba3ad400a557af19aa2d763a80f7b53546ae344904b2c9b12f08d730.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1392	613b5396ba3ad400a557af19aa2d763a80f7b53546ae344904b2c9b12f08d730.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1392	613b5396ba3ad400a557af19aa2d763a80f7b53546ae344904b2c9b12f08d730.exe
1392	613b5396ba3ad400a557af19aa2d763a80f7b53546ae344904b2c9b12f08d730.exe

C:\Users\Admin\AppData\Local\Temp\613b5396ba3ad400a557af19aa2d763a80f7b53546ae344904b2c9b12f08d730.exe
"C:\Users\Admin\AppData\Local\Temp\613b5396ba3ad400a557af19aa2d763a80f7b53546ae344904b2c9b12f08d730.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1392

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:940

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:604

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
PID:1348

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
28KB

MD5
e23d2cae31795ad4102cafa760f67454

SHA1
e17e792b3ed73c89a09b7618a5c3c70d2dc3f4e1

SHA256
450c0eb2ee4b31dc26352769ba44dc94e518bf092161633aa2c281804ce29672

SHA512
46884bbc6a910886c44a698a2a2d420533d03a3da8fefad156b49478d84dd284042b74ac5766dad523a5ea10a0dc6d2f26ce7aae4be03c5977eb63dacf01f857

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
31KB

MD5
a5a4eb70035299ab8f5c38522d9b1163

SHA1
1daa2d226744ccc783bce6f9cd227f114d719625

SHA256
98c53307b336ce8a4d9f24666ecac4110121dca7d5e18d44e3171c8cfecf1637

SHA512
e332a23f08ca8c15575f2859dee69fad320809adfb78fe132f25d0d33c7f643a42810c81e7735facc39a5210af5da1c20cfb72c978411d15cb0f72456a62132c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
12KB

MD5
7ac45d61650d69c6879fb21271541cf0

SHA1
32544350ab34d49fb2726ff088040d3738b189dd

SHA256
c3719946b1378816f0ec2f38e56a15c4473215d2e829d8710d14208f19ca506c

SHA512
fdab2d9705e45f2e33e18156d4f0e7f81f51598208ff0252875abbf19ae2ea351887a5976d45b12c302fa2c1a379bf3b785656d215069db6e79f2dda3aaf4053

Download Submit
memory/604-61-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/940-59-0x0000000010000000-0x000000001008C000-memory.dmp

Filesize
560KB

Download
memory/1392-54-0x0000000001000000-0x00000000010B1000-memory.dmp

Filesize
708KB

Download
memory/1392-55-0x0000000075521000-0x0000000075523000-memory.dmp

Filesize
8KB

Download
memory/1392-56-0x0000000001000000-0x00000000010B1000-memory.dmp

Filesize
708KB

Download

Analysis

Sharing