5ede3e36125f4f2f102259e38da313744391750553b2a8d61582130ab01010ef

General

Target

5ede3e36125f4f2f102259e38da313744391750553b2a8d61582130ab01010ef.exe
Size

135KB
MD5

937dd8d36b938807ad63002b81d0ba06
SHA1

c99369bcf91b6f519a2b954fa1d03b2d4e01b073
SHA256

5ede3e36125f4f2f102259e38da313744391750553b2a8d61582130ab01010ef
SHA512

7da0457515e9499bc33834708543c6fda7f94bde1185631516f8d97d9f2762c2d7aa1e103090c8fda8ff008b1306d93a1d748e26d74362bf634a2f75975657ce
SSDEEP

3072:VgXmxHM6IVznr8F0rSJGRK3mfUA/Xw+w1b4lm4neqZfBNn0ZQyQIdout:VgXmdM6Ia0GJGgcvwt1bB8e0fBiZRndZ

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1716	msprxysvc32.exe

Deletes itself 1 IoCs

pid	Process
1716	msprxysvc32.exe

Loads dropped DLL 2 IoCs

pid	Process
688	5ede3e36125f4f2f102259e38da313744391750553b2a8d61582130ab01010ef.exe
688	5ede3e36125f4f2f102259e38da313744391750553b2a8d61582130ab01010ef.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\msprxysvc32.exe	5ede3e36125f4f2f102259e38da313744391750553b2a8d61582130ab01010ef.exe
File opened for modification	C:\Windows\SysWOW64\msprxysvc32.exe	5ede3e36125f4f2f102259e38da313744391750553b2a8d61582130ab01010ef.exe
File opened for modification	C:\Windows\SysWOW64\msprxysvc32.exe	msprxysvc32.exe
File created	C:\Windows\SysWOW64\msprxysvc32.exe	msprxysvc32.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 688 wrote to memory of 1716	688	5ede3e36125f4f2f102259e38da313744391750553b2a8d61582130ab01010ef.exe	28
PID 688 wrote to memory of 1716	688	5ede3e36125f4f2f102259e38da313744391750553b2a8d61582130ab01010ef.exe	28
PID 688 wrote to memory of 1716	688	5ede3e36125f4f2f102259e38da313744391750553b2a8d61582130ab01010ef.exe	28
PID 688 wrote to memory of 1716	688	5ede3e36125f4f2f102259e38da313744391750553b2a8d61582130ab01010ef.exe	28
PID 1716 wrote to memory of 2012	1716	msprxysvc32.exe	29
PID 1716 wrote to memory of 2012	1716	msprxysvc32.exe	29
PID 1716 wrote to memory of 2012	1716	msprxysvc32.exe	29
PID 1716 wrote to memory of 2012	1716	msprxysvc32.exe	29

C:\Users\Admin\AppData\Local\Temp\5ede3e36125f4f2f102259e38da313744391750553b2a8d61582130ab01010ef.exe
"C:\Users\Admin\AppData\Local\Temp\5ede3e36125f4f2f102259e38da313744391750553b2a8d61582130ab01010ef.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:688
- C:\Windows\SysWOW64\msprxysvc32.exe
  C:\Windows\system32\msprxysvc32.exe 556 "C:\Users\Admin\AppData\Local\Temp\5ede3e36125f4f2f102259e38da313744391750553b2a8d61582130ab01010ef.exe"
  2⤵
  - Executes dropped EXE
  - Deletes itself
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1716
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\del.bat C:\Windows\SysWOW64\msprxysvc32.exe
    3⤵
    PID:2012

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\del.bat

Filesize
136B

MD5
bfcf9cc6d1c37953dfa43312e2c36140

SHA1
07a4c0f29b282c34be24c312c4b920e479f4cee0

SHA256
bac7cce52aeba3a2e2ce2bb6aebf50ffa65530d0d51ca49a2abc7f4e43ce3ce5

SHA512
fb661474557e7168d4050607863b57649fa12a26ab9bd06078ae3254d003d76cfed4eac3d0a78a56eaf0ecc5b231d52788b6c8688cb14b0c86a37efe90f5f53a

Download Submit
C:\Windows\SysWOW64\msprxysvc32.exe

Filesize
135KB

MD5
937dd8d36b938807ad63002b81d0ba06

SHA1
c99369bcf91b6f519a2b954fa1d03b2d4e01b073

SHA256
5ede3e36125f4f2f102259e38da313744391750553b2a8d61582130ab01010ef

SHA512
7da0457515e9499bc33834708543c6fda7f94bde1185631516f8d97d9f2762c2d7aa1e103090c8fda8ff008b1306d93a1d748e26d74362bf634a2f75975657ce

Download Submit
C:\Windows\SysWOW64\msprxysvc32.exe

Filesize
135KB

MD5
937dd8d36b938807ad63002b81d0ba06

SHA1
c99369bcf91b6f519a2b954fa1d03b2d4e01b073

SHA256
5ede3e36125f4f2f102259e38da313744391750553b2a8d61582130ab01010ef

SHA512
7da0457515e9499bc33834708543c6fda7f94bde1185631516f8d97d9f2762c2d7aa1e103090c8fda8ff008b1306d93a1d748e26d74362bf634a2f75975657ce

Download Submit
\Windows\SysWOW64\msprxysvc32.exe

Filesize
135KB

MD5
937dd8d36b938807ad63002b81d0ba06

SHA1
c99369bcf91b6f519a2b954fa1d03b2d4e01b073

SHA256
5ede3e36125f4f2f102259e38da313744391750553b2a8d61582130ab01010ef

SHA512
7da0457515e9499bc33834708543c6fda7f94bde1185631516f8d97d9f2762c2d7aa1e103090c8fda8ff008b1306d93a1d748e26d74362bf634a2f75975657ce

Download Submit
\Windows\SysWOW64\msprxysvc32.exe

Filesize
135KB

MD5
937dd8d36b938807ad63002b81d0ba06

SHA1
c99369bcf91b6f519a2b954fa1d03b2d4e01b073

SHA256
5ede3e36125f4f2f102259e38da313744391750553b2a8d61582130ab01010ef

SHA512
7da0457515e9499bc33834708543c6fda7f94bde1185631516f8d97d9f2762c2d7aa1e103090c8fda8ff008b1306d93a1d748e26d74362bf634a2f75975657ce

Download Submit
memory/688-60-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/688-61-0x00000000027B0000-0x000000000284F000-memory.dmp

Filesize
636KB

Download
memory/688-63-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/688-54-0x0000000074D61000-0x0000000074D63000-memory.dmp

Filesize
8KB

Download
memory/1716-62-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1716-66-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads