dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141

General

Target

dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exe
Size

5.8MB
MD5

35ea7f963c3636976c14076c1456f788
SHA1

8ba14d9b6c4913ce5186bdd846845b6e195f4d38
SHA256

dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141
SHA512

59d1e2021a7610796b544641b7e53dcb801c51cb94c5003009f56782771787f1665486fd64f59cb1e84e3442e09ff61641eab19e990774c42d59ab054502a346
SSDEEP

98304:yrzp+tXXmA3sau3zzATVA4DNXINjAK3pSk5HifpZGakD5wpGbY+1Xyxq:wp+tXXBsau3sbNXINJ34k5YZGab+gq

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

explorer.exeiexplore.exeiexplore.exeexplorer.exe

pid process

4388 explorer.exe
4988 iexplore.exe
4856 iexplore.exe
4932 explorer.exe

pid	process
4388	explorer.exe
4988	iexplore.exe
4856	iexplore.exe
4932	explorer.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exeiexplore.exeexplorer.exe

description	pid	process	target process
PID 4512 set thread context of 2148	4512	dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exe	dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exe
PID 4988 set thread context of 4856	4988	iexplore.exe	iexplore.exe
PID 4388 set thread context of 4932	4388	explorer.exe	explorer.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exeiexplore.exeexplorer.exe

pid	process
2148	dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exe
2148	dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exe
2148	dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exe
2148	dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exe
4856	iexplore.exe
4856	iexplore.exe
4856	iexplore.exe
4856	iexplore.exe
4856	iexplore.exe
4856	iexplore.exe
4856	iexplore.exe
4856	iexplore.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exeexplorer.exeiexplore.exe

pid process

4512 dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exe
4388 explorer.exe
4988 iexplore.exe

pid	process
4512	dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exe
4388	explorer.exe
4988	iexplore.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exedc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exeiexplore.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 4512 wrote to memory of 2148	4512	dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exe	dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exe
PID 4512 wrote to memory of 2148	4512	dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exe	dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exe
PID 4512 wrote to memory of 2148	4512	dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exe	dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exe
PID 4512 wrote to memory of 2148	4512	dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exe	dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exe
PID 4512 wrote to memory of 2148	4512	dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exe	dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exe
PID 4512 wrote to memory of 2148	4512	dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exe	dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exe
PID 4512 wrote to memory of 2148	4512	dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exe	dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exe
PID 4512 wrote to memory of 2148	4512	dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exe	dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exe
PID 4512 wrote to memory of 2148	4512	dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exe	dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exe
PID 4512 wrote to memory of 2148	4512	dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exe	dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exe
PID 2148 wrote to memory of 4388	2148	dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exe	explorer.exe
PID 2148 wrote to memory of 4388	2148	dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exe	explorer.exe
PID 2148 wrote to memory of 4388	2148	dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exe	explorer.exe
PID 2148 wrote to memory of 4988	2148	dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exe	iexplore.exe
PID 2148 wrote to memory of 4988	2148	dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exe	iexplore.exe
PID 2148 wrote to memory of 4988	2148	dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exe	iexplore.exe
PID 4988 wrote to memory of 4856	4988	iexplore.exe	iexplore.exe
PID 4988 wrote to memory of 4856	4988	iexplore.exe	iexplore.exe
PID 4988 wrote to memory of 4856	4988	iexplore.exe	iexplore.exe
PID 4988 wrote to memory of 4856	4988	iexplore.exe	iexplore.exe
PID 4988 wrote to memory of 4856	4988	iexplore.exe	iexplore.exe
PID 4988 wrote to memory of 4856	4988	iexplore.exe	iexplore.exe
PID 4988 wrote to memory of 4856	4988	iexplore.exe	iexplore.exe
PID 4988 wrote to memory of 4856	4988	iexplore.exe	iexplore.exe
PID 4988 wrote to memory of 4856	4988	iexplore.exe	iexplore.exe
PID 4988 wrote to memory of 4856	4988	iexplore.exe	iexplore.exe
PID 4388 wrote to memory of 4932	4388	explorer.exe	explorer.exe
PID 4388 wrote to memory of 4932	4388	explorer.exe	explorer.exe
PID 4388 wrote to memory of 4932	4388	explorer.exe	explorer.exe
PID 4388 wrote to memory of 4932	4388	explorer.exe	explorer.exe
PID 4388 wrote to memory of 4932	4388	explorer.exe	explorer.exe
PID 4388 wrote to memory of 4932	4388	explorer.exe	explorer.exe
PID 4388 wrote to memory of 4932	4388	explorer.exe	explorer.exe
PID 4388 wrote to memory of 4932	4388	explorer.exe	explorer.exe
PID 4388 wrote to memory of 4932	4388	explorer.exe	explorer.exe
PID 4388 wrote to memory of 4932	4388	explorer.exe	explorer.exe
PID 4932 wrote to memory of 3436	4932	explorer.exe	cmd.exe
PID 4932 wrote to memory of 3436	4932	explorer.exe	cmd.exe
PID 4932 wrote to memory of 3436	4932	explorer.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exe
"C:\Users\Admin\AppData\Local\Temp\dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4512

C:\Users\Admin\AppData\Local\Temp\dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exe
"C:\Users\Admin\AppData\Local\Temp\dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2148

C:\Users\Admin\AppData\Local\Temp\explorer.exe
"C:\Users\Admin\AppData\Local\Temp\explorer.exe" --mn=0
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4388

C:\Users\Admin\AppData\Local\Temp\explorer.exe
"C:\Users\Admin\AppData\Local\Temp\explorer.exe" --mn=0
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3153.bat"
5⤵
PID:3436

C:\Users\Admin\AppData\Local\Temp\iexplore.exe
"C:\Users\Admin\AppData\Local\Temp\iexplore.exe" --mn=0 --ch=1
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4988

C:\Users\Admin\AppData\Local\Temp\iexplore.exe
"C:\Users\Admin\AppData\Local\Temp\iexplore.exe" --mn=0 --ch=1
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4856

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3153.bat

Filesize
182B

MD5
1b978243a71ac7a0c9eb6077ce5b2079

SHA1
1420e4594ceb3b0d618dc2f77d99387779dcad37

SHA256
7bc26beb70d319d45a63d6d02908a3764517df03835b95d868be3996a872dae0

SHA512
758fe63bcafdd097ba07c3c5d747a6f0113860f4c72bbd760d2c1c4de43b772e835020df54539805739bd6f784c5bb10b32eb74dd958f481518856a12ca98337

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorer.exe

Filesize
5.8MB

MD5
35ea7f963c3636976c14076c1456f788

SHA1
8ba14d9b6c4913ce5186bdd846845b6e195f4d38

SHA256
dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141

SHA512
59d1e2021a7610796b544641b7e53dcb801c51cb94c5003009f56782771787f1665486fd64f59cb1e84e3442e09ff61641eab19e990774c42d59ab054502a346

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorer.exe

Filesize
5.8MB

MD5
35ea7f963c3636976c14076c1456f788

SHA1
8ba14d9b6c4913ce5186bdd846845b6e195f4d38

SHA256
dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141

SHA512
59d1e2021a7610796b544641b7e53dcb801c51cb94c5003009f56782771787f1665486fd64f59cb1e84e3442e09ff61641eab19e990774c42d59ab054502a346

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorer.exe

Filesize
5.8MB

MD5
35ea7f963c3636976c14076c1456f788

SHA1
8ba14d9b6c4913ce5186bdd846845b6e195f4d38

SHA256
dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141

SHA512
59d1e2021a7610796b544641b7e53dcb801c51cb94c5003009f56782771787f1665486fd64f59cb1e84e3442e09ff61641eab19e990774c42d59ab054502a346

Download Submit
C:\Users\Admin\AppData\Local\Temp\iexplore.exe

Filesize
5.8MB

MD5
35ea7f963c3636976c14076c1456f788

SHA1
8ba14d9b6c4913ce5186bdd846845b6e195f4d38

SHA256
dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141

SHA512
59d1e2021a7610796b544641b7e53dcb801c51cb94c5003009f56782771787f1665486fd64f59cb1e84e3442e09ff61641eab19e990774c42d59ab054502a346

Download Submit
C:\Users\Admin\AppData\Local\Temp\iexplore.exe

Filesize
5.8MB

MD5
35ea7f963c3636976c14076c1456f788

SHA1
8ba14d9b6c4913ce5186bdd846845b6e195f4d38

SHA256
dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141

SHA512
59d1e2021a7610796b544641b7e53dcb801c51cb94c5003009f56782771787f1665486fd64f59cb1e84e3442e09ff61641eab19e990774c42d59ab054502a346

Download Submit
C:\Users\Admin\AppData\Local\Temp\iexplore.exe

Filesize
5.8MB

MD5
35ea7f963c3636976c14076c1456f788

SHA1
8ba14d9b6c4913ce5186bdd846845b6e195f4d38

SHA256
dc8ac8bcee6a9343ac7a93fce5ce47ef2252d8b50acbb0bdadfee90483c93141

SHA512
59d1e2021a7610796b544641b7e53dcb801c51cb94c5003009f56782771787f1665486fd64f59cb1e84e3442e09ff61641eab19e990774c42d59ab054502a346

Download Submit
memory/2148-153-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/2148-142-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/2148-133-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/2148-135-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/2148-134-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/2148-132-0x0000000000000000-mapping.dmp

Download
memory/3436-156-0x0000000000000000-mapping.dmp

Download
memory/4388-136-0x0000000000000000-mapping.dmp

Download
memory/4856-143-0x0000000000000000-mapping.dmp

Download
memory/4856-146-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/4856-154-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/4856-151-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/4932-147-0x0000000000000000-mapping.dmp

Download
memory/4932-155-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/4932-152-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/4932-157-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/4932-150-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/4988-139-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads