5d90d58a2bcafed9f24d6af70b74f55dc08db3d6efac0a002c05038b19d52f4d

General

Target

5d90d58a2bcafed9f24d6af70b74f55dc08db3d6efac0a002c05038b19d52f4d.exe
Size

135KB
MD5

44cbc1ed36cb339c49d4131375e74060
SHA1

995760e4b37878dbe496219a48b1f1e073468159
SHA256

5d90d58a2bcafed9f24d6af70b74f55dc08db3d6efac0a002c05038b19d52f4d
SHA512

a8d82c8abfec9cc5a19196f0af1da94e6399d3e53882ef1f8b6ca0d9e9af721e4f32da99b9b335073088423d2f06f3dffc628dc9c5ca7b88c53d6709ae999b33
SSDEEP

3072:XY8VKtX8vUYyKGpPLi66H50nmNJQIaK8juK2cma/rM1aout:XhSyxuzi66HOeJZatjuZcmapoS

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

msprxysvc32.exe

pid process

1992 msprxysvc32.exe
Deletes itself 1 IoCs

Processes:

msprxysvc32.exe

pid process

1992 msprxysvc32.exe

pid	process
1992	msprxysvc32.exe

pid	process
1992	msprxysvc32.exe

Loads dropped DLL 2 IoCs

Processes:

5d90d58a2bcafed9f24d6af70b74f55dc08db3d6efac0a002c05038b19d52f4d.exe

pid	process
2004	5d90d58a2bcafed9f24d6af70b74f55dc08db3d6efac0a002c05038b19d52f4d.exe
2004	5d90d58a2bcafed9f24d6af70b74f55dc08db3d6efac0a002c05038b19d52f4d.exe

Drops file in System32 directory 4 IoCs

Processes:

msprxysvc32.exe5d90d58a2bcafed9f24d6af70b74f55dc08db3d6efac0a002c05038b19d52f4d.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\msprxysvc32.exe	msprxysvc32.exe
File created	C:\Windows\SysWOW64\msprxysvc32.exe	msprxysvc32.exe
File created	C:\Windows\SysWOW64\msprxysvc32.exe	5d90d58a2bcafed9f24d6af70b74f55dc08db3d6efac0a002c05038b19d52f4d.exe
File opened for modification	C:\Windows\SysWOW64\msprxysvc32.exe	5d90d58a2bcafed9f24d6af70b74f55dc08db3d6efac0a002c05038b19d52f4d.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

5d90d58a2bcafed9f24d6af70b74f55dc08db3d6efac0a002c05038b19d52f4d.exemsprxysvc32.exe

description	pid	process	target process
PID 2004 wrote to memory of 1992	2004	5d90d58a2bcafed9f24d6af70b74f55dc08db3d6efac0a002c05038b19d52f4d.exe	msprxysvc32.exe
PID 2004 wrote to memory of 1992	2004	5d90d58a2bcafed9f24d6af70b74f55dc08db3d6efac0a002c05038b19d52f4d.exe	msprxysvc32.exe
PID 2004 wrote to memory of 1992	2004	5d90d58a2bcafed9f24d6af70b74f55dc08db3d6efac0a002c05038b19d52f4d.exe	msprxysvc32.exe
PID 2004 wrote to memory of 1992	2004	5d90d58a2bcafed9f24d6af70b74f55dc08db3d6efac0a002c05038b19d52f4d.exe	msprxysvc32.exe
PID 1992 wrote to memory of 1492	1992	msprxysvc32.exe	cmd.exe
PID 1992 wrote to memory of 1492	1992	msprxysvc32.exe	cmd.exe
PID 1992 wrote to memory of 1492	1992	msprxysvc32.exe	cmd.exe
PID 1992 wrote to memory of 1492	1992	msprxysvc32.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\5d90d58a2bcafed9f24d6af70b74f55dc08db3d6efac0a002c05038b19d52f4d.exe
"C:\Users\Admin\AppData\Local\Temp\5d90d58a2bcafed9f24d6af70b74f55dc08db3d6efac0a002c05038b19d52f4d.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\SysWOW64\msprxysvc32.exe
C:\Windows\system32\msprxysvc32.exe 468 "C:\Users\Admin\AppData\Local\Temp\5d90d58a2bcafed9f24d6af70b74f55dc08db3d6efac0a002c05038b19d52f4d.exe"
2⤵
- Executes dropped EXE
- Deletes itself
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\del.bat C:\Windows\SysWOW64\msprxysvc32.exe
3⤵
PID:1492

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\del.bat

Filesize
136B

MD5
bfcf9cc6d1c37953dfa43312e2c36140

SHA1
07a4c0f29b282c34be24c312c4b920e479f4cee0

SHA256
bac7cce52aeba3a2e2ce2bb6aebf50ffa65530d0d51ca49a2abc7f4e43ce3ce5

SHA512
fb661474557e7168d4050607863b57649fa12a26ab9bd06078ae3254d003d76cfed4eac3d0a78a56eaf0ecc5b231d52788b6c8688cb14b0c86a37efe90f5f53a

Download Submit
C:\Windows\SysWOW64\msprxysvc32.exe

Filesize
135KB

MD5
44cbc1ed36cb339c49d4131375e74060

SHA1
995760e4b37878dbe496219a48b1f1e073468159

SHA256
5d90d58a2bcafed9f24d6af70b74f55dc08db3d6efac0a002c05038b19d52f4d

SHA512
a8d82c8abfec9cc5a19196f0af1da94e6399d3e53882ef1f8b6ca0d9e9af721e4f32da99b9b335073088423d2f06f3dffc628dc9c5ca7b88c53d6709ae999b33

Download Submit
C:\Windows\SysWOW64\msprxysvc32.exe

Filesize
135KB

MD5
44cbc1ed36cb339c49d4131375e74060

SHA1
995760e4b37878dbe496219a48b1f1e073468159

SHA256
5d90d58a2bcafed9f24d6af70b74f55dc08db3d6efac0a002c05038b19d52f4d

SHA512
a8d82c8abfec9cc5a19196f0af1da94e6399d3e53882ef1f8b6ca0d9e9af721e4f32da99b9b335073088423d2f06f3dffc628dc9c5ca7b88c53d6709ae999b33

Download Submit
\Windows\SysWOW64\msprxysvc32.exe

Filesize
135KB

MD5
44cbc1ed36cb339c49d4131375e74060

SHA1
995760e4b37878dbe496219a48b1f1e073468159

SHA256
5d90d58a2bcafed9f24d6af70b74f55dc08db3d6efac0a002c05038b19d52f4d

SHA512
a8d82c8abfec9cc5a19196f0af1da94e6399d3e53882ef1f8b6ca0d9e9af721e4f32da99b9b335073088423d2f06f3dffc628dc9c5ca7b88c53d6709ae999b33

Download Submit
\Windows\SysWOW64\msprxysvc32.exe

Filesize
135KB

MD5
44cbc1ed36cb339c49d4131375e74060

SHA1
995760e4b37878dbe496219a48b1f1e073468159

SHA256
5d90d58a2bcafed9f24d6af70b74f55dc08db3d6efac0a002c05038b19d52f4d

SHA512
a8d82c8abfec9cc5a19196f0af1da94e6399d3e53882ef1f8b6ca0d9e9af721e4f32da99b9b335073088423d2f06f3dffc628dc9c5ca7b88c53d6709ae999b33

Download Submit
memory/1492-65-0x0000000000000000-mapping.dmp

Download
memory/1992-57-0x0000000000000000-mapping.dmp

Download
memory/1992-62-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1992-66-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2004-63-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2004-61-0x0000000002470000-0x000000000250F000-memory.dmp

Filesize
636KB

Download
memory/2004-60-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2004-54-0x00000000764D1000-0x00000000764D3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads