59bc3a189e0d6f90d2932ead11a57d8fde994df95c6d02d24b513295ce86f401

General

Target

59bc3a189e0d6f90d2932ead11a57d8fde994df95c6d02d24b513295ce86f401.exe
Size

440KB
MD5

b974a3e84e7f1c206afe18433533e6b6
SHA1

a7195b3f724ad8d2fdc5e7eb2c55bed57c42b8b0
SHA256

59bc3a189e0d6f90d2932ead11a57d8fde994df95c6d02d24b513295ce86f401
SHA512

11b9d491460120df77a512de85d5cb475ce307b48613ec30ee12133041b1a10a4be249a58428058f3f2f3bce39274270a5800503b4e242fff6ae5516162217d0
SSDEEP

6144:+876q/2f9h5R6kUf8UYDlEHph29O/uRINK2UckLjAV+5alk9v:+8r2HfUf81DmJYO/koMAYa

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

fFgOsYRGoelkhKm.exe

pid process

3896 fFgOsYRGoelkhKm.exe

pid	process
3896	fFgOsYRGoelkhKm.exe

Drops file in System32 directory 2 IoCs

Processes:

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\2ete64.vas
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\2ete64.vas

Drops file in Windows directory 3 IoCs

Processes:

59bc3a189e0d6f90d2932ead11a57d8fde994df95c6d02d24b513295ce86f401.exefFgOsYRGoelkhKm.exe

description	ioc	process
File opened for modification	C:\Windows\59bc3a189e0d6f90d2932ead11a57d8fde994df95c6d02d24b513295ce86f401.INI	59bc3a189e0d6f90d2932ead11a57d8fde994df95c6d02d24b513295ce86f401.exe
File created	C:\Windows\fFgOsYRGoelkhKm.exe	59bc3a189e0d6f90d2932ead11a57d8fde994df95c6d02d24b513295ce86f401.exe
File opened for modification	C:\Windows\fFgOsYRGoelkhKm.INI	fFgOsYRGoelkhKm.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	process	target process
4276	2536	WerFault.exe	59bc3a189e0d6f90d2932ead11a57d8fde994df95c6d02d24b513295ce86f401.exe
4628	3896	WerFault.exe	fFgOsYRGoelkhKm.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

59bc3a189e0d6f90d2932ead11a57d8fde994df95c6d02d24b513295ce86f401.exefFgOsYRGoelkhKm.exe

pid	process
2536	59bc3a189e0d6f90d2932ead11a57d8fde994df95c6d02d24b513295ce86f401.exe
2536	59bc3a189e0d6f90d2932ead11a57d8fde994df95c6d02d24b513295ce86f401.exe
3896	fFgOsYRGoelkhKm.exe
3896	fFgOsYRGoelkhKm.exe
3896	fFgOsYRGoelkhKm.exe
3896	fFgOsYRGoelkhKm.exe
3896	fFgOsYRGoelkhKm.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

fFgOsYRGoelkhKm.exe

pid process

3896 fFgOsYRGoelkhKm.exe

pid	process
3896	fFgOsYRGoelkhKm.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

59bc3a189e0d6f90d2932ead11a57d8fde994df95c6d02d24b513295ce86f401.exefFgOsYRGoelkhKm.exe

description	pid	process
Token: SeDebugPrivilege	2536	59bc3a189e0d6f90d2932ead11a57d8fde994df95c6d02d24b513295ce86f401.exe
Token: SeDebugPrivilege	3896	fFgOsYRGoelkhKm.exe
Token: SeDebugPrivilege	776

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

59bc3a189e0d6f90d2932ead11a57d8fde994df95c6d02d24b513295ce86f401.exefFgOsYRGoelkhKm.exe

pid	process
2536	59bc3a189e0d6f90d2932ead11a57d8fde994df95c6d02d24b513295ce86f401.exe
2536	59bc3a189e0d6f90d2932ead11a57d8fde994df95c6d02d24b513295ce86f401.exe
3896	fFgOsYRGoelkhKm.exe
3896	fFgOsYRGoelkhKm.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

59bc3a189e0d6f90d2932ead11a57d8fde994df95c6d02d24b513295ce86f401.exe

description	pid	process	target process
PID 2536 wrote to memory of 3896	2536	59bc3a189e0d6f90d2932ead11a57d8fde994df95c6d02d24b513295ce86f401.exe	fFgOsYRGoelkhKm.exe
PID 2536 wrote to memory of 3896	2536	59bc3a189e0d6f90d2932ead11a57d8fde994df95c6d02d24b513295ce86f401.exe	fFgOsYRGoelkhKm.exe
PID 2536 wrote to memory of 3896	2536	59bc3a189e0d6f90d2932ead11a57d8fde994df95c6d02d24b513295ce86f401.exe	fFgOsYRGoelkhKm.exe
PID 776 wrote to memory of 448	776		wmiprvse.exe
PID 776 wrote to memory of 448	776		wmiprvse.exe

C:\Users\Admin\AppData\Local\Temp\59bc3a189e0d6f90d2932ead11a57d8fde994df95c6d02d24b513295ce86f401.exe
"C:\Users\Admin\AppData\Local\Temp\59bc3a189e0d6f90d2932ead11a57d8fde994df95c6d02d24b513295ce86f401.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 584
2⤵
- Program crash
PID:4276

C:\Windows\fFgOsYRGoelkhKm.exe
C:\Users\Admin\AppData\Local\Temp\59bc3a189e0d6f90d2932ead11a57d8fde994df95c6d02d24b513295ce86f401.exe
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 584
3⤵
- Program crash
PID:4628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2536 -ip 2536
1⤵
PID:4372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3896 -ip 3896
1⤵
PID:4324

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:448

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\fFgOsYRGoelkhKm.exe

Filesize
440KB

MD5
b974a3e84e7f1c206afe18433533e6b6

SHA1
a7195b3f724ad8d2fdc5e7eb2c55bed57c42b8b0

SHA256
59bc3a189e0d6f90d2932ead11a57d8fde994df95c6d02d24b513295ce86f401

SHA512
11b9d491460120df77a512de85d5cb475ce307b48613ec30ee12133041b1a10a4be249a58428058f3f2f3bce39274270a5800503b4e242fff6ae5516162217d0

Download Submit
C:\Windows\fFgOsYRGoelkhKm.exe

Filesize
440KB

MD5
b974a3e84e7f1c206afe18433533e6b6

SHA1
a7195b3f724ad8d2fdc5e7eb2c55bed57c42b8b0

SHA256
59bc3a189e0d6f90d2932ead11a57d8fde994df95c6d02d24b513295ce86f401

SHA512
11b9d491460120df77a512de85d5cb475ce307b48613ec30ee12133041b1a10a4be249a58428058f3f2f3bce39274270a5800503b4e242fff6ae5516162217d0

Download Submit
memory/448-147-0x0000000000000000-mapping.dmp

Download
memory/776-144-0x00000130435C0000-0x00000130435F6000-memory.dmp

Filesize
216KB

Download
memory/776-143-0x0000013043580000-0x00000130435B2000-memory.dmp

Filesize
200KB

Download
memory/2536-139-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2536-135-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2536-132-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2536-134-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3896-136-0x0000000000000000-mapping.dmp

Download
memory/3896-142-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3896-145-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3896-146-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads