dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141

Analysis

max time kernel
166s
max time network
181s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 11:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exe
Size

5.8MB
MD5

35ea7f963c3636976c14076c1456f788
SHA1

8ba14d9b6c4913ce5186bdd846845b6e195f4d38
SHA256

dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141
SHA512

59d1e2021a7610796b544641b7e53dcb801c51cb94c5003009f56782771787f1665486fd64f59cb1e84e3442e09ff61641eab19e990774c42d59ab054502a346
SSDEEP

98304:yrzp+tXXmA3sau3zzATVA4DNXINjAK3pSk5HifpZGakD5wpGbY+1Xyxq:wp+tXXBsau3sbNXINJ34k5YZGab+gq

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

explorer.exeiexplore.exeexplorer.exeiexplore.exe

pid process

1100 explorer.exe
996 iexplore.exe
328 explorer.exe
1048 iexplore.exe

pid	process
1100	explorer.exe
996	iexplore.exe
328	explorer.exe
1048	iexplore.exe

Loads dropped DLL 4 IoCs

Processes:

dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exeexplorer.exeiexplore.exe

pid	process
624	dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exe
624	dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exe
1100	explorer.exe
996	iexplore.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exeexplorer.exeiexplore.exe

description	pid	process	target process
PID 1064 set thread context of 624	1064	dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exe	dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exe
PID 1100 set thread context of 328	1100	explorer.exe	explorer.exe
PID 996 set thread context of 1048	996	iexplore.exe	iexplore.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exeexplorer.exeiexplore.exe

pid	process
624	dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exe
624	dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exe
328	explorer.exe
328	explorer.exe
328	explorer.exe
328	explorer.exe
1048	iexplore.exe
1048	iexplore.exe
1048	iexplore.exe
1048	iexplore.exe
328	explorer.exe
328	explorer.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exeexplorer.exeiexplore.exe

pid process

1064 dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exe
1100 explorer.exe
996 iexplore.exe

pid	process
1064	dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exe
1100	explorer.exe
996	iexplore.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exedc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exeexplorer.exeiexplore.exeexplorer.exe

description	pid	process	target process
PID 1064 wrote to memory of 624	1064	dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exe	dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exe
PID 1064 wrote to memory of 624	1064	dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exe	dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exe
PID 1064 wrote to memory of 624	1064	dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exe	dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exe
PID 1064 wrote to memory of 624	1064	dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exe	dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exe
PID 1064 wrote to memory of 624	1064	dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exe	dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exe
PID 1064 wrote to memory of 624	1064	dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exe	dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exe
PID 1064 wrote to memory of 624	1064	dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exe	dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exe
PID 1064 wrote to memory of 624	1064	dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exe	dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exe
PID 1064 wrote to memory of 624	1064	dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exe	dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exe
PID 1064 wrote to memory of 624	1064	dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exe	dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exe
PID 1064 wrote to memory of 624	1064	dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exe	dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exe
PID 624 wrote to memory of 1100	624	dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exe	explorer.exe
PID 624 wrote to memory of 1100	624	dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exe	explorer.exe
PID 624 wrote to memory of 1100	624	dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exe	explorer.exe
PID 624 wrote to memory of 1100	624	dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exe	explorer.exe
PID 624 wrote to memory of 996	624	dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exe	iexplore.exe
PID 624 wrote to memory of 996	624	dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exe	iexplore.exe
PID 624 wrote to memory of 996	624	dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exe	iexplore.exe
PID 624 wrote to memory of 996	624	dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exe	iexplore.exe
PID 1100 wrote to memory of 328	1100	explorer.exe	explorer.exe
PID 1100 wrote to memory of 328	1100	explorer.exe	explorer.exe
PID 1100 wrote to memory of 328	1100	explorer.exe	explorer.exe
PID 1100 wrote to memory of 328	1100	explorer.exe	explorer.exe
PID 1100 wrote to memory of 328	1100	explorer.exe	explorer.exe
PID 1100 wrote to memory of 328	1100	explorer.exe	explorer.exe
PID 1100 wrote to memory of 328	1100	explorer.exe	explorer.exe
PID 1100 wrote to memory of 328	1100	explorer.exe	explorer.exe
PID 1100 wrote to memory of 328	1100	explorer.exe	explorer.exe
PID 1100 wrote to memory of 328	1100	explorer.exe	explorer.exe
PID 1100 wrote to memory of 328	1100	explorer.exe	explorer.exe
PID 996 wrote to memory of 1048	996	iexplore.exe	iexplore.exe
PID 996 wrote to memory of 1048	996	iexplore.exe	iexplore.exe
PID 996 wrote to memory of 1048	996	iexplore.exe	iexplore.exe
PID 996 wrote to memory of 1048	996	iexplore.exe	iexplore.exe
PID 996 wrote to memory of 1048	996	iexplore.exe	iexplore.exe
PID 996 wrote to memory of 1048	996	iexplore.exe	iexplore.exe
PID 996 wrote to memory of 1048	996	iexplore.exe	iexplore.exe
PID 996 wrote to memory of 1048	996	iexplore.exe	iexplore.exe
PID 996 wrote to memory of 1048	996	iexplore.exe	iexplore.exe
PID 996 wrote to memory of 1048	996	iexplore.exe	iexplore.exe
PID 996 wrote to memory of 1048	996	iexplore.exe	iexplore.exe
PID 328 wrote to memory of 1304	328	explorer.exe	cmd.exe
PID 328 wrote to memory of 1304	328	explorer.exe	cmd.exe
PID 328 wrote to memory of 1304	328	explorer.exe	cmd.exe
PID 328 wrote to memory of 1304	328	explorer.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exe
"C:\Users\Admin\AppData\Local\Temp\dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1064

C:\Users\Admin\AppData\Local\Temp\dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exe
"C:\Users\Admin\AppData\Local\Temp\dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exe"
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:624

C:\Users\Admin\AppData\Local\Temp\explorer.exe
"C:\Users\Admin\AppData\Local\Temp\explorer.exe" --mn=0
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1100

C:\Users\Admin\AppData\Local\Temp\explorer.exe
"C:\Users\Admin\AppData\Local\Temp\explorer.exe" --mn=0
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:328

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\3206.bat"
5⤵
PID:1304

C:\Users\Admin\AppData\Local\Temp\iexplore.exe
"C:\Users\Admin\AppData\Local\Temp\iexplore.exe" --mn=0 --ch=1
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:996

C:\Users\Admin\AppData\Local\Temp\iexplore.exe
"C:\Users\Admin\AppData\Local\Temp\iexplore.exe" --mn=0 --ch=1
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1048

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3206.bat

Filesize
182B

MD5
c2f856102252c1e1ea996a9b0897f258

SHA1
f47019e219f14d17c9b754360478880836cf2198

SHA256
73023cfa2e3769be5b50b5537905dd0a4e5391c3c71feedf2d58686a0b316ef1

SHA512
fb4af50c29f2da4960cde88a66613cabd3f6a6b00cad2e78a0e49d27b7ab6508a55f1889808efa5e81539bb90d401c9e7b34cbecf5fde518bd7b58a11a8d9701

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorer.exe

Filesize
5.8MB

MD5
35ea7f963c3636976c14076c1456f788

SHA1
8ba14d9b6c4913ce5186bdd846845b6e195f4d38

SHA256
dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141

SHA512
59d1e2021a7610796b544641b7e53dcb801c51cb94c5003009f56782771787f1665486fd64f59cb1e84e3442e09ff61641eab19e990774c42d59ab054502a346

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorer.exe

Filesize
5.8MB

MD5
35ea7f963c3636976c14076c1456f788

SHA1
8ba14d9b6c4913ce5186bdd846845b6e195f4d38

SHA256
dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141

SHA512
59d1e2021a7610796b544641b7e53dcb801c51cb94c5003009f56782771787f1665486fd64f59cb1e84e3442e09ff61641eab19e990774c42d59ab054502a346

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorer.exe

Filesize
5.8MB

MD5
35ea7f963c3636976c14076c1456f788

SHA1
8ba14d9b6c4913ce5186bdd846845b6e195f4d38

SHA256
dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141

SHA512
59d1e2021a7610796b544641b7e53dcb801c51cb94c5003009f56782771787f1665486fd64f59cb1e84e3442e09ff61641eab19e990774c42d59ab054502a346

Download Submit
C:\Users\Admin\AppData\Local\Temp\iexplore.exe

Filesize
5.8MB

MD5
35ea7f963c3636976c14076c1456f788

SHA1
8ba14d9b6c4913ce5186bdd846845b6e195f4d38

SHA256
dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141

SHA512
59d1e2021a7610796b544641b7e53dcb801c51cb94c5003009f56782771787f1665486fd64f59cb1e84e3442e09ff61641eab19e990774c42d59ab054502a346

Download Submit
C:\Users\Admin\AppData\Local\Temp\iexplore.exe

Filesize
5.8MB

MD5
35ea7f963c3636976c14076c1456f788

SHA1
8ba14d9b6c4913ce5186bdd846845b6e195f4d38

SHA256
dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141

SHA512
59d1e2021a7610796b544641b7e53dcb801c51cb94c5003009f56782771787f1665486fd64f59cb1e84e3442e09ff61641eab19e990774c42d59ab054502a346

Download Submit
C:\Users\Admin\AppData\Local\Temp\iexplore.exe

Filesize
5.8MB

MD5
35ea7f963c3636976c14076c1456f788

SHA1
8ba14d9b6c4913ce5186bdd846845b6e195f4d38

SHA256
dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141

SHA512
59d1e2021a7610796b544641b7e53dcb801c51cb94c5003009f56782771787f1665486fd64f59cb1e84e3442e09ff61641eab19e990774c42d59ab054502a346

Download Submit
\Users\Admin\AppData\Local\Temp\explorer.exe

Filesize
5.8MB

MD5
35ea7f963c3636976c14076c1456f788

SHA1
8ba14d9b6c4913ce5186bdd846845b6e195f4d38

SHA256
dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141

SHA512
59d1e2021a7610796b544641b7e53dcb801c51cb94c5003009f56782771787f1665486fd64f59cb1e84e3442e09ff61641eab19e990774c42d59ab054502a346

Download Submit
\Users\Admin\AppData\Local\Temp\explorer.exe

Filesize
5.8MB

MD5
35ea7f963c3636976c14076c1456f788

SHA1
8ba14d9b6c4913ce5186bdd846845b6e195f4d38

SHA256
dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141

SHA512
59d1e2021a7610796b544641b7e53dcb801c51cb94c5003009f56782771787f1665486fd64f59cb1e84e3442e09ff61641eab19e990774c42d59ab054502a346

Download Submit
\Users\Admin\AppData\Local\Temp\iexplore.exe

Filesize
5.8MB

MD5
35ea7f963c3636976c14076c1456f788

SHA1
8ba14d9b6c4913ce5186bdd846845b6e195f4d38

SHA256
dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141

SHA512
59d1e2021a7610796b544641b7e53dcb801c51cb94c5003009f56782771787f1665486fd64f59cb1e84e3442e09ff61641eab19e990774c42d59ab054502a346

Download Submit
\Users\Admin\AppData\Local\Temp\iexplore.exe

Filesize
5.8MB

MD5
35ea7f963c3636976c14076c1456f788

SHA1
8ba14d9b6c4913ce5186bdd846845b6e195f4d38

SHA256
dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141

SHA512
59d1e2021a7610796b544641b7e53dcb801c51cb94c5003009f56782771787f1665486fd64f59cb1e84e3442e09ff61641eab19e990774c42d59ab054502a346

Download Submit
memory/328-93-0x000000000046D7C4-mapping.dmp

Download
memory/328-103-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/328-122-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/624-67-0x000000000046D7C4-mapping.dmp

Download
memory/624-62-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/624-55-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/624-57-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/624-70-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/624-69-0x0000000076161000-0x0000000076163000-memory.dmp

Filesize
8KB

Download
memory/624-54-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/624-66-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/624-64-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/624-74-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/624-61-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/624-59-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/624-117-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/996-76-0x0000000000000000-mapping.dmp

Download
memory/1048-114-0x000000000046D7C4-mapping.dmp

Download
memory/1048-120-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/1100-72-0x0000000000000000-mapping.dmp

Download
memory/1304-121-0x0000000000000000-mapping.dmp

Download