9bb208992220333abbc1c4e4b9179acbcc6818d7bd07d4852f7e4ead2c0f44f7

General

Target

9bb208992220333abbc1c4e4b9179acbcc6818d7bd07d4852f7e4ead2c0f44f7.exe
Size

782KB
MD5

36cf629e0871a39c86e627ccf39f49a2
SHA1

53c1ba8389358f5dd9da150fd2e7837bfe25a785
SHA256

9bb208992220333abbc1c4e4b9179acbcc6818d7bd07d4852f7e4ead2c0f44f7
SHA512

a2bc48ea2288d1558b55ce3725abdea779db20195e6df97b0a2aa90e1c8d912e74f95f15ef901162ee56d1a46da0abde06c52c7fbca87d6006533a0839383261
SSDEEP

12288:LabQa2gt5k6JGcD1rhB411IteuU7qeKF6YUjAfLWgDVTiTP:Lab3rJGcD1rb41aIqrF6YU6LWgDVTiTP

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

svchost.exe9bb208992220333abbc1c4e4b9179acbcc6818d7bd07d4852f7e4ead2c0f44f7.exesvchost.exe

pid process

1792 svchost.exe
1700 9bb208992220333abbc1c4e4b9179acbcc6818d7bd07d4852f7e4ead2c0f44f7.exe
1180 svchost.exe
Loads dropped DLL 1 IoCs

Processes:

svchost.exe

pid process

1792 svchost.exe
Drops file in Windows directory 1 IoCs

Processes:

9bb208992220333abbc1c4e4b9179acbcc6818d7bd07d4852f7e4ead2c0f44f7.exe

description ioc process

File created C:\Windows\svchost.exe 9bb208992220333abbc1c4e4b9179acbcc6818d7bd07d4852f7e4ead2c0f44f7.exe

pid	process
1792	svchost.exe
1700	9bb208992220333abbc1c4e4b9179acbcc6818d7bd07d4852f7e4ead2c0f44f7.exe
1180	svchost.exe

pid	process
1792	svchost.exe

description	ioc	process
File created	C:\Windows\svchost.exe	9bb208992220333abbc1c4e4b9179acbcc6818d7bd07d4852f7e4ead2c0f44f7.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

9bb208992220333abbc1c4e4b9179acbcc6818d7bd07d4852f7e4ead2c0f44f7.exe

pid	process
1700	9bb208992220333abbc1c4e4b9179acbcc6818d7bd07d4852f7e4ead2c0f44f7.exe
1700	9bb208992220333abbc1c4e4b9179acbcc6818d7bd07d4852f7e4ead2c0f44f7.exe
1700	9bb208992220333abbc1c4e4b9179acbcc6818d7bd07d4852f7e4ead2c0f44f7.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

9bb208992220333abbc1c4e4b9179acbcc6818d7bd07d4852f7e4ead2c0f44f7.exesvchost.exe

description	pid	process	target process
PID 1868 wrote to memory of 1792	1868	9bb208992220333abbc1c4e4b9179acbcc6818d7bd07d4852f7e4ead2c0f44f7.exe	svchost.exe
PID 1868 wrote to memory of 1792	1868	9bb208992220333abbc1c4e4b9179acbcc6818d7bd07d4852f7e4ead2c0f44f7.exe	svchost.exe
PID 1868 wrote to memory of 1792	1868	9bb208992220333abbc1c4e4b9179acbcc6818d7bd07d4852f7e4ead2c0f44f7.exe	svchost.exe
PID 1868 wrote to memory of 1792	1868	9bb208992220333abbc1c4e4b9179acbcc6818d7bd07d4852f7e4ead2c0f44f7.exe	svchost.exe
PID 1792 wrote to memory of 1700	1792	svchost.exe	9bb208992220333abbc1c4e4b9179acbcc6818d7bd07d4852f7e4ead2c0f44f7.exe
PID 1792 wrote to memory of 1700	1792	svchost.exe	9bb208992220333abbc1c4e4b9179acbcc6818d7bd07d4852f7e4ead2c0f44f7.exe
PID 1792 wrote to memory of 1700	1792	svchost.exe	9bb208992220333abbc1c4e4b9179acbcc6818d7bd07d4852f7e4ead2c0f44f7.exe
PID 1792 wrote to memory of 1700	1792	svchost.exe	9bb208992220333abbc1c4e4b9179acbcc6818d7bd07d4852f7e4ead2c0f44f7.exe

C:\Users\Admin\AppData\Local\Temp\9bb208992220333abbc1c4e4b9179acbcc6818d7bd07d4852f7e4ead2c0f44f7.exe
"C:\Users\Admin\AppData\Local\Temp\9bb208992220333abbc1c4e4b9179acbcc6818d7bd07d4852f7e4ead2c0f44f7.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1868
- C:\Windows\svchost.exe
  "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\9bb208992220333abbc1c4e4b9179acbcc6818d7bd07d4852f7e4ead2c0f44f7.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1792
- - C:\Users\Admin\AppData\Local\Temp\9bb208992220333abbc1c4e4b9179acbcc6818d7bd07d4852f7e4ead2c0f44f7.exe
    "C:\Users\Admin\AppData\Local\Temp\9bb208992220333abbc1c4e4b9179acbcc6818d7bd07d4852f7e4ead2c0f44f7.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1700

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
PID:1180

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9bb208992220333abbc1c4e4b9179acbcc6818d7bd07d4852f7e4ead2c0f44f7.exe

Filesize
746KB

MD5
17186248c75e9a8227750726e1dff4fd

SHA1
6f38736094875854bca9e8f44bb4a20152dc5ea4

SHA256
5ba59c80f55b40c7a50a7e09c1001c4bedde4a72800bbab0ab3f4f525c3f0456

SHA512
2d71da7f0612310323ddc5ebf34c87c42ddacdec374b9ba924ab0a630bb50541461fa3f3e94e1f7f596a41b257ad8dcfbae69425bd51152c2cef8c403b8feb07

Download Submit
C:\Users\Admin\AppData\Local\Temp\9bb208992220333abbc1c4e4b9179acbcc6818d7bd07d4852f7e4ead2c0f44f7.exe

Filesize
746KB

MD5
17186248c75e9a8227750726e1dff4fd

SHA1
6f38736094875854bca9e8f44bb4a20152dc5ea4

SHA256
5ba59c80f55b40c7a50a7e09c1001c4bedde4a72800bbab0ab3f4f525c3f0456

SHA512
2d71da7f0612310323ddc5ebf34c87c42ddacdec374b9ba924ab0a630bb50541461fa3f3e94e1f7f596a41b257ad8dcfbae69425bd51152c2cef8c403b8feb07

Download Submit
C:\Windows\svchost.exe

Filesize
35KB

MD5
9e3c13b6556d5636b745d3e466d47467

SHA1
2ac1c19e268c49bc508f83fe3d20f495deb3e538

SHA256
20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

SHA512
5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

Download Submit
C:\Windows\svchost.exe

Filesize
35KB

MD5
9e3c13b6556d5636b745d3e466d47467

SHA1
2ac1c19e268c49bc508f83fe3d20f495deb3e538

SHA256
20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

SHA512
5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

Download Submit
C:\Windows\svchost.exe

Filesize
35KB

MD5
9e3c13b6556d5636b745d3e466d47467

SHA1
2ac1c19e268c49bc508f83fe3d20f495deb3e538

SHA256
20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

SHA512
5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

Download Submit
\Users\Admin\AppData\Local\Temp\9bb208992220333abbc1c4e4b9179acbcc6818d7bd07d4852f7e4ead2c0f44f7.exe

Filesize
746KB

MD5
17186248c75e9a8227750726e1dff4fd

SHA1
6f38736094875854bca9e8f44bb4a20152dc5ea4

SHA256
5ba59c80f55b40c7a50a7e09c1001c4bedde4a72800bbab0ab3f4f525c3f0456

SHA512
2d71da7f0612310323ddc5ebf34c87c42ddacdec374b9ba924ab0a630bb50541461fa3f3e94e1f7f596a41b257ad8dcfbae69425bd51152c2cef8c403b8feb07

Download Submit
memory/1700-58-0x0000000000000000-mapping.dmp

Download
memory/1700-60-0x00000000757E1000-0x00000000757E3000-memory.dmp

Filesize
8KB

Download
memory/1792-54-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing