77a7954d869a2b2cad474c03f35e032dcae85ecc2c9c14ae5d9c792cb76bcd1f

General

Target

77a7954d869a2b2cad474c03f35e032dcae85ecc2c9c14ae5d9c792cb76bcd1f.exe
Size

22KB
MD5

5398dec8a7f56e001869dfa3acf64de0
SHA1

434c2834db73043445f6e7df1bbd084ce3bdbbd6
SHA256

77a7954d869a2b2cad474c03f35e032dcae85ecc2c9c14ae5d9c792cb76bcd1f
SHA512

24891dec9ed7c4af6b323125d70d6679d8bcf7b14bc0ce0a864f6317b0998894e951ac07eb5c9af74bc426a0f5e37034c65f8f3962a2afeffa28d7943a2e78ce
SSDEEP

384:PGCSeWyRaH6dJ09myKovqdxIKPNGB8Pi+orNTbt:eycadJnyC4GNGqa+orNTb

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
956	livrew.exe
1604	livrew.exe

Deletes itself 1 IoCs

pid	Process
1604	livrew.exe

Loads dropped DLL 2 IoCs

pid	Process
908	77a7954d869a2b2cad474c03f35e032dcae85ecc2c9c14ae5d9c792cb76bcd1f.exe
956	livrew.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	checkip.dyndns.org

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1832 set thread context of 908	1832	77a7954d869a2b2cad474c03f35e032dcae85ecc2c9c14ae5d9c792cb76bcd1f.exe	28
PID 956 set thread context of 1604	956	livrew.exe	30

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1832 wrote to memory of 908	1832	77a7954d869a2b2cad474c03f35e032dcae85ecc2c9c14ae5d9c792cb76bcd1f.exe	28
PID 1832 wrote to memory of 908	1832	77a7954d869a2b2cad474c03f35e032dcae85ecc2c9c14ae5d9c792cb76bcd1f.exe	28
PID 1832 wrote to memory of 908	1832	77a7954d869a2b2cad474c03f35e032dcae85ecc2c9c14ae5d9c792cb76bcd1f.exe	28
PID 1832 wrote to memory of 908	1832	77a7954d869a2b2cad474c03f35e032dcae85ecc2c9c14ae5d9c792cb76bcd1f.exe	28
PID 1832 wrote to memory of 908	1832	77a7954d869a2b2cad474c03f35e032dcae85ecc2c9c14ae5d9c792cb76bcd1f.exe	28
PID 1832 wrote to memory of 908	1832	77a7954d869a2b2cad474c03f35e032dcae85ecc2c9c14ae5d9c792cb76bcd1f.exe	28
PID 1832 wrote to memory of 908	1832	77a7954d869a2b2cad474c03f35e032dcae85ecc2c9c14ae5d9c792cb76bcd1f.exe	28
PID 1832 wrote to memory of 908	1832	77a7954d869a2b2cad474c03f35e032dcae85ecc2c9c14ae5d9c792cb76bcd1f.exe	28
PID 908 wrote to memory of 956	908	77a7954d869a2b2cad474c03f35e032dcae85ecc2c9c14ae5d9c792cb76bcd1f.exe	29
PID 908 wrote to memory of 956	908	77a7954d869a2b2cad474c03f35e032dcae85ecc2c9c14ae5d9c792cb76bcd1f.exe	29
PID 908 wrote to memory of 956	908	77a7954d869a2b2cad474c03f35e032dcae85ecc2c9c14ae5d9c792cb76bcd1f.exe	29
PID 908 wrote to memory of 956	908	77a7954d869a2b2cad474c03f35e032dcae85ecc2c9c14ae5d9c792cb76bcd1f.exe	29
PID 956 wrote to memory of 1604	956	livrew.exe	30
PID 956 wrote to memory of 1604	956	livrew.exe	30
PID 956 wrote to memory of 1604	956	livrew.exe	30
PID 956 wrote to memory of 1604	956	livrew.exe	30
PID 956 wrote to memory of 1604	956	livrew.exe	30
PID 956 wrote to memory of 1604	956	livrew.exe	30
PID 956 wrote to memory of 1604	956	livrew.exe	30
PID 956 wrote to memory of 1604	956	livrew.exe	30

C:\Users\Admin\AppData\Local\Temp\77a7954d869a2b2cad474c03f35e032dcae85ecc2c9c14ae5d9c792cb76bcd1f.exe
"C:\Users\Admin\AppData\Local\Temp\77a7954d869a2b2cad474c03f35e032dcae85ecc2c9c14ae5d9c792cb76bcd1f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1832
- C:\Users\Admin\AppData\Local\Temp\77a7954d869a2b2cad474c03f35e032dcae85ecc2c9c14ae5d9c792cb76bcd1f.exe
  "C:\Users\Admin\AppData\Local\Temp\77a7954d869a2b2cad474c03f35e032dcae85ecc2c9c14ae5d9c792cb76bcd1f.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:908
- - C:\Users\Admin\AppData\Local\Temp\livrew.exe
    C:\Users\Admin\AppData\Local\Temp\livrew.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:956
  - - C:\Users\Admin\AppData\Local\Temp\livrew.exe
      C:\Users\Admin\AppData\Local\Temp\livrew.exe
      4⤵
      Executes dropped EXE
      Deletes itself
      PID:1604

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\liva8BA5.log

Filesize
206B

MD5
2a59c56692c87ed0a4215073ab689ac3

SHA1
f3571ec85c5c842eb2bd44d09d3a075918f53273

SHA256
f8341709b7bad1afb44c2160eda6a751cd3953cd9131f92993e3be6a0463c67d

SHA512
cde71da9d17fd3f8fbe90b8e731e5461d4837f18c7eb095d70060cb0ab3922daad4ec268e69e72d2e5f33c4cdcbc4a9d945d4e418150d69ab8bcdf61d253f03b

Download Submit
C:\Users\Admin\AppData\Local\Temp\livrew.exe

Filesize
22KB

MD5
5398dec8a7f56e001869dfa3acf64de0

SHA1
434c2834db73043445f6e7df1bbd084ce3bdbbd6

SHA256
77a7954d869a2b2cad474c03f35e032dcae85ecc2c9c14ae5d9c792cb76bcd1f

SHA512
24891dec9ed7c4af6b323125d70d6679d8bcf7b14bc0ce0a864f6317b0998894e951ac07eb5c9af74bc426a0f5e37034c65f8f3962a2afeffa28d7943a2e78ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\livrew.exe

Filesize
22KB

MD5
5398dec8a7f56e001869dfa3acf64de0

SHA1
434c2834db73043445f6e7df1bbd084ce3bdbbd6

SHA256
77a7954d869a2b2cad474c03f35e032dcae85ecc2c9c14ae5d9c792cb76bcd1f

SHA512
24891dec9ed7c4af6b323125d70d6679d8bcf7b14bc0ce0a864f6317b0998894e951ac07eb5c9af74bc426a0f5e37034c65f8f3962a2afeffa28d7943a2e78ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\livrew.exe

Filesize
22KB

MD5
5398dec8a7f56e001869dfa3acf64de0

SHA1
434c2834db73043445f6e7df1bbd084ce3bdbbd6

SHA256
77a7954d869a2b2cad474c03f35e032dcae85ecc2c9c14ae5d9c792cb76bcd1f

SHA512
24891dec9ed7c4af6b323125d70d6679d8bcf7b14bc0ce0a864f6317b0998894e951ac07eb5c9af74bc426a0f5e37034c65f8f3962a2afeffa28d7943a2e78ce

Download Submit
\Users\Admin\AppData\Local\Temp\livrew.exe

Filesize
22KB

MD5
5398dec8a7f56e001869dfa3acf64de0

SHA1
434c2834db73043445f6e7df1bbd084ce3bdbbd6

SHA256
77a7954d869a2b2cad474c03f35e032dcae85ecc2c9c14ae5d9c792cb76bcd1f

SHA512
24891dec9ed7c4af6b323125d70d6679d8bcf7b14bc0ce0a864f6317b0998894e951ac07eb5c9af74bc426a0f5e37034c65f8f3962a2afeffa28d7943a2e78ce

Download Submit
\Users\Admin\AppData\Local\Temp\livrew.exe

Filesize
22KB

MD5
5398dec8a7f56e001869dfa3acf64de0

SHA1
434c2834db73043445f6e7df1bbd084ce3bdbbd6

SHA256
77a7954d869a2b2cad474c03f35e032dcae85ecc2c9c14ae5d9c792cb76bcd1f

SHA512
24891dec9ed7c4af6b323125d70d6679d8bcf7b14bc0ce0a864f6317b0998894e951ac07eb5c9af74bc426a0f5e37034c65f8f3962a2afeffa28d7943a2e78ce

Download Submit
memory/908-54-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/908-57-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/908-56-0x00000000751A1000-0x00000000751A3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing