131ef19d24bcc12b9975653565ded54ab7b7afda91ef96c7f1fa9ed472da2073

General

Target

131ef19d24bcc12b9975653565ded54ab7b7afda91ef96c7f1fa9ed472da2073.exe
Size

1019KB
MD5

fcceefd55441c1423777ccb57e95f734
SHA1

f4e93be6ed8995a5cbe3368d95c99acda9e7c74f
SHA256

131ef19d24bcc12b9975653565ded54ab7b7afda91ef96c7f1fa9ed472da2073
SHA512

dff94d27504a172db6395b0e65544a8df273641e3eb6291363f6db4723ce46eb2adc8dd9622feaf676743b35901209724a5e778726f5691f053e97309fb58aa4
SSDEEP

24576:O/MEaKJzFfinTG/H04MkcMBFxKrmiLvxWo5q0a/nuKAX7lsAGtju:QMr2zogMkcHgofKAX7lsHtK

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

Sdmr.exeSdmr.exedmr.exe

pid process

3460 Sdmr.exe
3972 Sdmr.exe
4660 dmr.exe

pid	process
3460	Sdmr.exe
3972	Sdmr.exe
4660	dmr.exe

Drops file in System32 directory 8 IoCs

Processes:

dmr.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\ESE\	dmr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\DU2BEY67	dmr.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\DU2BEY67\403916660299418153[1].htm	dmr.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\DU2BEY67\403916660299418153[1]	dmr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	dmr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	dmr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	dmr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	dmr.exe

Drops file in Windows directory 2 IoCs

Processes:

131ef19d24bcc12b9975653565ded54ab7b7afda91ef96c7f1fa9ed472da2073.exe

description	ioc	process
File created	C:\Windows\dmr.exe	131ef19d24bcc12b9975653565ded54ab7b7afda91ef96c7f1fa9ed472da2073.exe
File created	C:\Windows\Sdmr.exe	131ef19d24bcc12b9975653565ded54ab7b7afda91ef96c7f1fa9ed472da2073.exe

Program crash 11 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4908	3460	WerFault.exe	Sdmr.exe
4620	3972	WerFault.exe	Sdmr.exe
2132	3972	WerFault.exe	Sdmr.exe
2700	3972	WerFault.exe	Sdmr.exe
5084	3972	WerFault.exe	Sdmr.exe
3440	3460	WerFault.exe	Sdmr.exe
388	3460	WerFault.exe	Sdmr.exe
2208	3460	WerFault.exe	Sdmr.exe
2908	3972	WerFault.exe	Sdmr.exe
2804	3972	WerFault.exe	Sdmr.exe
1112	3972	WerFault.exe	Sdmr.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Sdmr.exe

pid process

3972 Sdmr.exe
3972 Sdmr.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

dmr.exe

description pid process

Token: SeDebugPrivilege 4660 dmr.exe
Token: 33 4660 dmr.exe
Token: SeIncBasePriorityPrivilege 4660 dmr.exe

pid	process
3972	Sdmr.exe
3972	Sdmr.exe

description	pid	process
Token: SeDebugPrivilege	4660	dmr.exe
Token: 33	4660	dmr.exe
Token: SeIncBasePriorityPrivilege	4660	dmr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

131ef19d24bcc12b9975653565ded54ab7b7afda91ef96c7f1fa9ed472da2073.exe

pid	process
3364	131ef19d24bcc12b9975653565ded54ab7b7afda91ef96c7f1fa9ed472da2073.exe
3364	131ef19d24bcc12b9975653565ded54ab7b7afda91ef96c7f1fa9ed472da2073.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

131ef19d24bcc12b9975653565ded54ab7b7afda91ef96c7f1fa9ed472da2073.exeSdmr.exe

description	pid	process	target process
PID 3364 wrote to memory of 3460	3364	131ef19d24bcc12b9975653565ded54ab7b7afda91ef96c7f1fa9ed472da2073.exe	Sdmr.exe
PID 3364 wrote to memory of 3460	3364	131ef19d24bcc12b9975653565ded54ab7b7afda91ef96c7f1fa9ed472da2073.exe	Sdmr.exe
PID 3364 wrote to memory of 3460	3364	131ef19d24bcc12b9975653565ded54ab7b7afda91ef96c7f1fa9ed472da2073.exe	Sdmr.exe
PID 3364 wrote to memory of 3444	3364	131ef19d24bcc12b9975653565ded54ab7b7afda91ef96c7f1fa9ed472da2073.exe	cmd.exe
PID 3364 wrote to memory of 3444	3364	131ef19d24bcc12b9975653565ded54ab7b7afda91ef96c7f1fa9ed472da2073.exe	cmd.exe
PID 3364 wrote to memory of 3444	3364	131ef19d24bcc12b9975653565ded54ab7b7afda91ef96c7f1fa9ed472da2073.exe	cmd.exe
PID 3972 wrote to memory of 4660	3972	Sdmr.exe	dmr.exe
PID 3972 wrote to memory of 4660	3972	Sdmr.exe	dmr.exe
PID 3972 wrote to memory of 4660	3972	Sdmr.exe	dmr.exe

C:\Users\Admin\AppData\Local\Temp\131ef19d24bcc12b9975653565ded54ab7b7afda91ef96c7f1fa9ed472da2073.exe
"C:\Users\Admin\AppData\Local\Temp\131ef19d24bcc12b9975653565ded54ab7b7afda91ef96c7f1fa9ed472da2073.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3364

C:\Windows\Sdmr.exe
C:\Windows\Sdmr setup
2⤵
- Executes dropped EXE
PID:3460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3460 -s 384
3⤵
- Program crash
PID:4908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3460 -s 500
3⤵
- Program crash
PID:3440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3460 -s 508
3⤵
- Program crash
PID:388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3460 -s 140
3⤵
- Program crash
PID:2208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\delus.bat
2⤵
PID:3444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3460 -ip 3460
1⤵
PID:4952

C:\Windows\Sdmr.exe
C:\Windows\Sdmr.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 352
2⤵
- Program crash
PID:4620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 384
2⤵
- Program crash
PID:2132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 456
2⤵
- Program crash
PID:2700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 484
2⤵
- Program crash
PID:5084

C:\Windows\dmr.exe
C:\Windows\dmr.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 476
2⤵
- Program crash
PID:2908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 460
2⤵
- Program crash
PID:2804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 140
2⤵
- Program crash
PID:1112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3972 -ip 3972
1⤵
PID:4488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3972 -ip 3972
1⤵
PID:5020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3972 -ip 3972
1⤵
PID:3124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3972 -ip 3972
1⤵
PID:1452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3460 -ip 3460
1⤵
PID:4276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 3460 -ip 3460
1⤵
PID:4320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 3460 -ip 3460
1⤵
PID:1300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 3972 -ip 3972
1⤵
PID:2360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 3972 -ip 3972
1⤵
PID:4268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 3972 -ip 3972
1⤵
PID:3852

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Sdmr.exe

Filesize
432KB

MD5
375d6cf5e98cffd102681b1004b56b22

SHA1
f68406dcac74f064f57131919b664c0795080ae6

SHA256
e3e61ac5ab511d8586b3cfd4c79e86d64ebc02cf93431157348c385ec2f70a32

SHA512
c7f560c7150cb7949be0e42bf89712ec66ef110100c1fd63b765c8476f294f2aa9ab09d898a12d199c6a80fb378092254fbc74fd3180630eaa549fe3e42647c1

Download Submit
C:\Windows\Sdmr.exe

Filesize
432KB

MD5
375d6cf5e98cffd102681b1004b56b22

SHA1
f68406dcac74f064f57131919b664c0795080ae6

SHA256
e3e61ac5ab511d8586b3cfd4c79e86d64ebc02cf93431157348c385ec2f70a32

SHA512
c7f560c7150cb7949be0e42bf89712ec66ef110100c1fd63b765c8476f294f2aa9ab09d898a12d199c6a80fb378092254fbc74fd3180630eaa549fe3e42647c1

Download Submit
C:\Windows\Sdmr.exe

Filesize
432KB

MD5
375d6cf5e98cffd102681b1004b56b22

SHA1
f68406dcac74f064f57131919b664c0795080ae6

SHA256
e3e61ac5ab511d8586b3cfd4c79e86d64ebc02cf93431157348c385ec2f70a32

SHA512
c7f560c7150cb7949be0e42bf89712ec66ef110100c1fd63b765c8476f294f2aa9ab09d898a12d199c6a80fb378092254fbc74fd3180630eaa549fe3e42647c1

Download Submit
C:\Windows\dmr.exe

Filesize
553KB

MD5
46c0f6e723f527c10112087e4d147c68

SHA1
4ea6f86de9e45fb9bc5e5e8f2714be9591eec36f

SHA256
9a122af7bf8b00d72a233ede9d13a22f940a7809bda443bd3ed208e4ff5afec6

SHA512
263255d3c092b3eb789f1a6985bfa4437d20582b4b3d509d1a490da072ce5f24566026b84097b1ba60833f5ae69d132ed3bd8097ca2704061275a883b440149b

Download Submit
C:\Windows\dmr.exe

Filesize
553KB

MD5
46c0f6e723f527c10112087e4d147c68

SHA1
4ea6f86de9e45fb9bc5e5e8f2714be9591eec36f

SHA256
9a122af7bf8b00d72a233ede9d13a22f940a7809bda443bd3ed208e4ff5afec6

SHA512
263255d3c092b3eb789f1a6985bfa4437d20582b4b3d509d1a490da072ce5f24566026b84097b1ba60833f5ae69d132ed3bd8097ca2704061275a883b440149b

Download Submit
C:\delus.bat

Filesize
266B

MD5
206a10214a284c83810938e831603d32

SHA1
85c519c10307f54ae5dd895ab22039668010607d

SHA256
7804a97f633bf2bfd7a7bbd96237edf04d63f89071f936cbe4c1e097a20565ee

SHA512
ca91f0548d2603f2db166efa8503434a3642c896b9b1e25667221392e8b68c69003e57048779fa1244683f7ced7727e5847d6e01d079218532e52d8c049fc4ef

Download Submit
memory/3364-135-0x0000000000400000-0x00000000005A1200-memory.dmp

Filesize
1.6MB

Download
memory/3364-138-0x0000000000400000-0x00000000005A1200-memory.dmp

Filesize
1.6MB

Download
memory/3444-137-0x0000000000000000-mapping.dmp

Download
memory/3460-136-0x0000000000400000-0x00000000004751FF-memory.dmp

Filesize
468KB

Download
memory/3460-142-0x0000000000400000-0x00000000004751FF-memory.dmp

Filesize
468KB

Download
memory/3460-132-0x0000000000000000-mapping.dmp

Download
memory/3972-143-0x0000000000400000-0x00000000004751FF-memory.dmp

Filesize
468KB

Download
memory/3972-141-0x0000000000400000-0x00000000004751FF-memory.dmp

Filesize
468KB

Download
memory/3972-148-0x0000000000400000-0x00000000004751FF-memory.dmp

Filesize
468KB

Download
memory/4660-144-0x0000000000000000-mapping.dmp

Download
memory/4660-147-0x0000000000400000-0x00000000005F8000-memory.dmp

Filesize
2.0MB

Download
memory/4660-149-0x0000000000400000-0x00000000005F8000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads