c9558ebe6a65b931dca640d9462382be317c21548b855f6433bfa83d080de86a

Analysis

max time kernel
149s
max time network
169s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 11:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c9558ebe6a65b931dca640d9462382be317c21548b855f6433bfa83d080de86a.exe
Size

672KB
MD5

f8004edd28b8cdea5ab3385942348eb3
SHA1

1f577106b9b7867f11456052176ff674e7c5d023
SHA256

c9558ebe6a65b931dca640d9462382be317c21548b855f6433bfa83d080de86a
SHA512

c036f7b8ba7334a38648621f55049bd62a9d4bbce19871586126b735e834ef19baec9458a8b19414a41ae86d568100f2ad60870395132977c991ceec9f08c34a
SSDEEP

12288:5na9ux8YJ5cLPF/dQ0t7dyxnHTk6JgIUwhs/+XioJsgPet7:5naExT5cL9/d1t7KQ6mwhsCtel

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

c9558ebe6a65b931dca640d9462382be317c21548b855f6433bfa83d080de86a.tmpdotnetchk.exe

pid process

380 c9558ebe6a65b931dca640d9462382be317c21548b855f6433bfa83d080de86a.tmp
4448 dotnetchk.exe
Loads dropped DLL 1 IoCs

Processes:

c9558ebe6a65b931dca640d9462382be317c21548b855f6433bfa83d080de86a.tmp

pid process

380 c9558ebe6a65b931dca640d9462382be317c21548b855f6433bfa83d080de86a.tmp

pid	process
380	c9558ebe6a65b931dca640d9462382be317c21548b855f6433bfa83d080de86a.tmp
4448	dotnetchk.exe

pid	process
380	c9558ebe6a65b931dca640d9462382be317c21548b855f6433bfa83d080de86a.tmp

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

c9558ebe6a65b931dca640d9462382be317c21548b855f6433bfa83d080de86a.exec9558ebe6a65b931dca640d9462382be317c21548b855f6433bfa83d080de86a.tmp

description	pid	process	target process
PID 1628 wrote to memory of 380	1628	c9558ebe6a65b931dca640d9462382be317c21548b855f6433bfa83d080de86a.exe	c9558ebe6a65b931dca640d9462382be317c21548b855f6433bfa83d080de86a.tmp
PID 1628 wrote to memory of 380	1628	c9558ebe6a65b931dca640d9462382be317c21548b855f6433bfa83d080de86a.exe	c9558ebe6a65b931dca640d9462382be317c21548b855f6433bfa83d080de86a.tmp
PID 1628 wrote to memory of 380	1628	c9558ebe6a65b931dca640d9462382be317c21548b855f6433bfa83d080de86a.exe	c9558ebe6a65b931dca640d9462382be317c21548b855f6433bfa83d080de86a.tmp
PID 380 wrote to memory of 4448	380	c9558ebe6a65b931dca640d9462382be317c21548b855f6433bfa83d080de86a.tmp	dotnetchk.exe
PID 380 wrote to memory of 4448	380	c9558ebe6a65b931dca640d9462382be317c21548b855f6433bfa83d080de86a.tmp	dotnetchk.exe
PID 380 wrote to memory of 4448	380	c9558ebe6a65b931dca640d9462382be317c21548b855f6433bfa83d080de86a.tmp	dotnetchk.exe

C:\Users\Admin\AppData\Local\Temp\c9558ebe6a65b931dca640d9462382be317c21548b855f6433bfa83d080de86a.exe
"C:\Users\Admin\AppData\Local\Temp\c9558ebe6a65b931dca640d9462382be317c21548b855f6433bfa83d080de86a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1628

C:\Users\Admin\AppData\Local\Temp\is-0ULV0.tmp\c9558ebe6a65b931dca640d9462382be317c21548b855f6433bfa83d080de86a.tmp
"C:\Users\Admin\AppData\Local\Temp\is-0ULV0.tmp\c9558ebe6a65b931dca640d9462382be317c21548b855f6433bfa83d080de86a.tmp" /SL5="$90064,409146,54272,C:\Users\Admin\AppData\Local\Temp\c9558ebe6a65b931dca640d9462382be317c21548b855f6433bfa83d080de86a.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:380

C:\Users\Admin\AppData\Local\Temp\is-424O1.tmp\dotnetchk.exe
"C:\Users\Admin\AppData\Local\Temp\is-424O1.tmp\dotnetchk.exe"
3⤵
- Executes dropped EXE
PID:4448

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-0ULV0.tmp\c9558ebe6a65b931dca640d9462382be317c21548b855f6433bfa83d080de86a.tmp

Filesize
688KB

MD5
cf129065dfbfbb12e3f867192805df43

SHA1
0d3162dddce3b3fe1dbd3d7243478680b33725c3

SHA256
9137901c0071f4d03fad59b655398dbf803c996db11b990c532ac55a27e28526

SHA512
db97e6a54277c82f12205ccc0923284785d2d4d8a83d7733ad4bcdefd1ac77c2544dc467da5ac7b41a984ce512da154368f4badd0d05724e9e82805015d776e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0ULV0.tmp\c9558ebe6a65b931dca640d9462382be317c21548b855f6433bfa83d080de86a.tmp

Filesize
688KB

MD5
cf129065dfbfbb12e3f867192805df43

SHA1
0d3162dddce3b3fe1dbd3d7243478680b33725c3

SHA256
9137901c0071f4d03fad59b655398dbf803c996db11b990c532ac55a27e28526

SHA512
db97e6a54277c82f12205ccc0923284785d2d4d8a83d7733ad4bcdefd1ac77c2544dc467da5ac7b41a984ce512da154368f4badd0d05724e9e82805015d776e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-424O1.tmp\dotnetchk.exe

Filesize
60KB

MD5
26c5023438740dd0d532f33d6407919c

SHA1
2b38c639efa93eeb67fc47826c2be8ed8cef5cbb

SHA256
e6ce9a0143c4c5aff4fab8199471230266b4b6774af2b6634aa511b077c9fcae

SHA512
628f1b5ec369d842684ceab038ffabda33a1a2a457c742dae10e059ef1c74ed3534aa2f4c2ab738a87f337811300b0c9342cc38462c9b9a616e4f07bb2446550

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-424O1.tmp\dotnetchk.exe

Filesize
60KB

MD5
26c5023438740dd0d532f33d6407919c

SHA1
2b38c639efa93eeb67fc47826c2be8ed8cef5cbb

SHA256
e6ce9a0143c4c5aff4fab8199471230266b4b6774af2b6634aa511b077c9fcae

SHA512
628f1b5ec369d842684ceab038ffabda33a1a2a457c742dae10e059ef1c74ed3534aa2f4c2ab738a87f337811300b0c9342cc38462c9b9a616e4f07bb2446550

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-424O1.tmp\isxdl.dll

Filesize
58KB

MD5
792620390aae5305220283f2ce33ca68

SHA1
d9fee4cb3e2fa5e7d88b45662fd58b30aa9979f0

SHA256
21bc620515ebbdeb125d273c2d8db45577d05408ef624464af26afcfecfd201a

SHA512
470914116f40e4f7216c840ccbc706eb7953c10e62195c9b4d15e73f422625096df6c68edb33c25e2eec3305b4a1b159054f812c4a2307aeb3e49d35ae5f575c

Download Submit
memory/380-135-0x0000000000000000-mapping.dmp

Download
memory/1628-132-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1628-134-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1628-142-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4448-139-0x0000000000000000-mapping.dmp

Download