9f202cf5e15101c5a7e05280ad4dc86092b4036dcbbd8dd144e58c4115638e75

General

Target

9f202cf5e15101c5a7e05280ad4dc86092b4036dcbbd8dd144e58c4115638e75.exe
Size

300KB
MD5

28654dae9f561d825d2c74d8a7af4614
SHA1

168a3b4d725a963ebe6147abfd37fbe9857f0847
SHA256

9f202cf5e15101c5a7e05280ad4dc86092b4036dcbbd8dd144e58c4115638e75
SHA512

16ad3d96af5c89bde4d8d9103334f8bd7ebd3b6b1f571090be42548b989f91d0f51411078193d690abbd68de57d1f3706c30c095d5c8898706fd6ceb6d054728
SSDEEP

6144:/xuq3rsRMNU10sfsaM7+j5kxZKoKlfO2vr:f8snLxZ7Ef

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

niriyr.exeniriyr.exe

pid process

4516 niriyr.exe
3448 niriyr.exe

pid	process
4516	niriyr.exe
3448	niriyr.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

9f202cf5e15101c5a7e05280ad4dc86092b4036dcbbd8dd144e58c4115638e75.exeniriyr.exe

description	pid	process	target process
PID 2692 set thread context of 2100	2692	9f202cf5e15101c5a7e05280ad4dc86092b4036dcbbd8dd144e58c4115638e75.exe	9f202cf5e15101c5a7e05280ad4dc86092b4036dcbbd8dd144e58c4115638e75.exe
PID 4516 set thread context of 3448	4516	niriyr.exe	niriyr.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3496 3448 WerFault.exe niriyr.exe

pid	pid_target	process	target process
3496	3448	WerFault.exe	niriyr.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

9f202cf5e15101c5a7e05280ad4dc86092b4036dcbbd8dd144e58c4115638e75.exe

pid	process
2100	9f202cf5e15101c5a7e05280ad4dc86092b4036dcbbd8dd144e58c4115638e75.exe
2100	9f202cf5e15101c5a7e05280ad4dc86092b4036dcbbd8dd144e58c4115638e75.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

9f202cf5e15101c5a7e05280ad4dc86092b4036dcbbd8dd144e58c4115638e75.exe9f202cf5e15101c5a7e05280ad4dc86092b4036dcbbd8dd144e58c4115638e75.exeniriyr.exe

description	pid	process	target process
PID 2692 wrote to memory of 2100	2692	9f202cf5e15101c5a7e05280ad4dc86092b4036dcbbd8dd144e58c4115638e75.exe	9f202cf5e15101c5a7e05280ad4dc86092b4036dcbbd8dd144e58c4115638e75.exe
PID 2692 wrote to memory of 2100	2692	9f202cf5e15101c5a7e05280ad4dc86092b4036dcbbd8dd144e58c4115638e75.exe	9f202cf5e15101c5a7e05280ad4dc86092b4036dcbbd8dd144e58c4115638e75.exe
PID 2692 wrote to memory of 2100	2692	9f202cf5e15101c5a7e05280ad4dc86092b4036dcbbd8dd144e58c4115638e75.exe	9f202cf5e15101c5a7e05280ad4dc86092b4036dcbbd8dd144e58c4115638e75.exe
PID 2692 wrote to memory of 2100	2692	9f202cf5e15101c5a7e05280ad4dc86092b4036dcbbd8dd144e58c4115638e75.exe	9f202cf5e15101c5a7e05280ad4dc86092b4036dcbbd8dd144e58c4115638e75.exe
PID 2692 wrote to memory of 2100	2692	9f202cf5e15101c5a7e05280ad4dc86092b4036dcbbd8dd144e58c4115638e75.exe	9f202cf5e15101c5a7e05280ad4dc86092b4036dcbbd8dd144e58c4115638e75.exe
PID 2692 wrote to memory of 2100	2692	9f202cf5e15101c5a7e05280ad4dc86092b4036dcbbd8dd144e58c4115638e75.exe	9f202cf5e15101c5a7e05280ad4dc86092b4036dcbbd8dd144e58c4115638e75.exe
PID 2692 wrote to memory of 2100	2692	9f202cf5e15101c5a7e05280ad4dc86092b4036dcbbd8dd144e58c4115638e75.exe	9f202cf5e15101c5a7e05280ad4dc86092b4036dcbbd8dd144e58c4115638e75.exe
PID 2692 wrote to memory of 2100	2692	9f202cf5e15101c5a7e05280ad4dc86092b4036dcbbd8dd144e58c4115638e75.exe	9f202cf5e15101c5a7e05280ad4dc86092b4036dcbbd8dd144e58c4115638e75.exe
PID 2692 wrote to memory of 2100	2692	9f202cf5e15101c5a7e05280ad4dc86092b4036dcbbd8dd144e58c4115638e75.exe	9f202cf5e15101c5a7e05280ad4dc86092b4036dcbbd8dd144e58c4115638e75.exe
PID 2100 wrote to memory of 4516	2100	9f202cf5e15101c5a7e05280ad4dc86092b4036dcbbd8dd144e58c4115638e75.exe	niriyr.exe
PID 2100 wrote to memory of 4516	2100	9f202cf5e15101c5a7e05280ad4dc86092b4036dcbbd8dd144e58c4115638e75.exe	niriyr.exe
PID 2100 wrote to memory of 4516	2100	9f202cf5e15101c5a7e05280ad4dc86092b4036dcbbd8dd144e58c4115638e75.exe	niriyr.exe
PID 4516 wrote to memory of 3448	4516	niriyr.exe	niriyr.exe
PID 4516 wrote to memory of 3448	4516	niriyr.exe	niriyr.exe
PID 4516 wrote to memory of 3448	4516	niriyr.exe	niriyr.exe
PID 4516 wrote to memory of 3448	4516	niriyr.exe	niriyr.exe
PID 4516 wrote to memory of 3448	4516	niriyr.exe	niriyr.exe
PID 4516 wrote to memory of 3448	4516	niriyr.exe	niriyr.exe
PID 2100 wrote to memory of 5092	2100	9f202cf5e15101c5a7e05280ad4dc86092b4036dcbbd8dd144e58c4115638e75.exe	cmd.exe
PID 2100 wrote to memory of 5092	2100	9f202cf5e15101c5a7e05280ad4dc86092b4036dcbbd8dd144e58c4115638e75.exe	cmd.exe
PID 2100 wrote to memory of 5092	2100	9f202cf5e15101c5a7e05280ad4dc86092b4036dcbbd8dd144e58c4115638e75.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\9f202cf5e15101c5a7e05280ad4dc86092b4036dcbbd8dd144e58c4115638e75.exe
"C:\Users\Admin\AppData\Local\Temp\9f202cf5e15101c5a7e05280ad4dc86092b4036dcbbd8dd144e58c4115638e75.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2692

C:\Users\Admin\AppData\Local\Temp\9f202cf5e15101c5a7e05280ad4dc86092b4036dcbbd8dd144e58c4115638e75.exe
"C:\Users\Admin\AppData\Local\Temp\9f202cf5e15101c5a7e05280ad4dc86092b4036dcbbd8dd144e58c4115638e75.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2100

C:\Users\Admin\AppData\Local\Temp\Omes\niriyr.exe
"C:\Users\Admin\AppData\Local\Temp\Omes\niriyr.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4516

C:\Users\Admin\AppData\Local\Temp\Omes\niriyr.exe
"C:\Users\Admin\AppData\Local\Temp\Omes\niriyr.exe"
4⤵
- Executes dropped EXE
PID:3448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3448 -s 80
5⤵
- Program crash
PID:3496

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\USB5F21.bat"
3⤵
PID:5092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3448 -ip 3448
1⤵
PID:5068

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Omes\niriyr.exe
Filesize
300KB

MD5
bbd3665648ad6380920fe74bd553a932

SHA1
a587aa162519a15f47cda2b31359168db3a9486b

SHA256
0a84b116ede8c1a518ae8eb833ac6a1d5d82c6c64d39cd9aeab086752095acb1

SHA512
ad8df6a9cc4ead928a9e63515bd70cc6e1dc253513d0a703fc2c4a974720e6c6691211d0f0cfab447c4accd9848407b803a56b8bb7ed3b670ea423a034fae4e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Omes\niriyr.exe
Filesize
300KB

MD5
bbd3665648ad6380920fe74bd553a932

SHA1
a587aa162519a15f47cda2b31359168db3a9486b

SHA256
0a84b116ede8c1a518ae8eb833ac6a1d5d82c6c64d39cd9aeab086752095acb1

SHA512
ad8df6a9cc4ead928a9e63515bd70cc6e1dc253513d0a703fc2c4a974720e6c6691211d0f0cfab447c4accd9848407b803a56b8bb7ed3b670ea423a034fae4e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Omes\niriyr.exe
Filesize
300KB

MD5
bbd3665648ad6380920fe74bd553a932

SHA1
a587aa162519a15f47cda2b31359168db3a9486b

SHA256
0a84b116ede8c1a518ae8eb833ac6a1d5d82c6c64d39cd9aeab086752095acb1

SHA512
ad8df6a9cc4ead928a9e63515bd70cc6e1dc253513d0a703fc2c4a974720e6c6691211d0f0cfab447c4accd9848407b803a56b8bb7ed3b670ea423a034fae4e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\USB5F21.bat
Filesize
276B

MD5
b8fc8b192144537ed74496c0b647313f

SHA1
e29321b4766c9220be9a338c68e81d452f49abe4

SHA256
72282a5cd5a8f797ff13a5cab8da4547c1193016a1d53c75de90a331f65b4818

SHA512
f7c68ff0d23f6b18bfbfcbc43e9a8cbc2050797ab6581ccfcc822dc652c68436538ebf65536ba188932512f2a207ea8c4cc5983882aed719db9887f5ad38ba88

Download Submit
memory/2100-137-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2100-136-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2100-132-0x0000000000000000-mapping.dmp

Download
memory/2100-134-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2100-145-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2100-133-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2692-135-0x00000000753F0000-0x00000000759A1000-memory.dmp

Filesize
5.7MB

Download
memory/2692-147-0x00000000753F0000-0x00000000759A1000-memory.dmp

Filesize
5.7MB

Download
memory/3448-141-0x0000000000000000-mapping.dmp

Download
memory/4516-138-0x0000000000000000-mapping.dmp

Download
memory/4516-143-0x0000000074CB0000-0x0000000075261000-memory.dmp

Filesize
5.7MB

Download
memory/5092-144-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads