d3dd4c40090512b53e3437344e51e72ee6005dcd49421cc6b558ec0498fd506d

General

Target

d3dd4c40090512b53e3437344e51e72ee6005dcd49421cc6b558ec0498fd506d.exe
Size

232KB
MD5

b299427e070244f5b942c77864787874
SHA1

501736c765ab24ccde5e09d3b49af7f06d42690d
SHA256

d3dd4c40090512b53e3437344e51e72ee6005dcd49421cc6b558ec0498fd506d
SHA512

d5b871757f53b8257f83f3ee653f4512569ac89d95b7a28dcccdb1f1bd1fdf940d9b59ef6870fc0676649b9504d9fbccf1e6e9073d281b980e4148a75c94ff50
SSDEEP

6144:8X5UGgQDJhKx0umIb+KZG5C5breXGTYSufA09GSGhh3pe3oZ:8CGyxnmIb+POWVo08N5e3o

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
772	tasklist32.exe
1176	tasklist32.exe

Loads dropped DLL 4 IoCs

pid	Process
1576	d3dd4c40090512b53e3437344e51e72ee6005dcd49421cc6b558ec0498fd506d.exe
1576	d3dd4c40090512b53e3437344e51e72ee6005dcd49421cc6b558ec0498fd506d.exe
772	tasklist32.exe
772	tasklist32.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\windows\SysWOW64\tasklist32.exe	d3dd4c40090512b53e3437344e51e72ee6005dcd49421cc6b558ec0498fd506d.exe
File opened for modification	\??\c:\windows\SysWOW64\tasklist32.exe	d3dd4c40090512b53e3437344e51e72ee6005dcd49421cc6b558ec0498fd506d.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1576	d3dd4c40090512b53e3437344e51e72ee6005dcd49421cc6b558ec0498fd506d.exe
772	tasklist32.exe
1176	tasklist32.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1576 wrote to memory of 772	1576	d3dd4c40090512b53e3437344e51e72ee6005dcd49421cc6b558ec0498fd506d.exe	28
PID 1576 wrote to memory of 772	1576	d3dd4c40090512b53e3437344e51e72ee6005dcd49421cc6b558ec0498fd506d.exe	28
PID 1576 wrote to memory of 772	1576	d3dd4c40090512b53e3437344e51e72ee6005dcd49421cc6b558ec0498fd506d.exe	28
PID 1576 wrote to memory of 772	1576	d3dd4c40090512b53e3437344e51e72ee6005dcd49421cc6b558ec0498fd506d.exe	28
PID 772 wrote to memory of 1176	772	tasklist32.exe	29
PID 772 wrote to memory of 1176	772	tasklist32.exe	29
PID 772 wrote to memory of 1176	772	tasklist32.exe	29
PID 772 wrote to memory of 1176	772	tasklist32.exe	29

C:\Users\Admin\AppData\Local\Temp\d3dd4c40090512b53e3437344e51e72ee6005dcd49421cc6b558ec0498fd506d.exe
"C:\Users\Admin\AppData\Local\Temp\d3dd4c40090512b53e3437344e51e72ee6005dcd49421cc6b558ec0498fd506d.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1576
- \??\c:\windows\SysWOW64\tasklist32.exe
  c:\windows\system32\tasklist32.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:772
- - \??\c:\windows\SysWOW64\tasklist32.exe
    c:\windows\system32\tasklist32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1176

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\tasklist32.exe

Filesize
232KB

MD5
b299427e070244f5b942c77864787874

SHA1
501736c765ab24ccde5e09d3b49af7f06d42690d

SHA256
d3dd4c40090512b53e3437344e51e72ee6005dcd49421cc6b558ec0498fd506d

SHA512
d5b871757f53b8257f83f3ee653f4512569ac89d95b7a28dcccdb1f1bd1fdf940d9b59ef6870fc0676649b9504d9fbccf1e6e9073d281b980e4148a75c94ff50

Download Submit
C:\Windows\SysWOW64\tasklist32.exe

Filesize
232KB

MD5
b299427e070244f5b942c77864787874

SHA1
501736c765ab24ccde5e09d3b49af7f06d42690d

SHA256
d3dd4c40090512b53e3437344e51e72ee6005dcd49421cc6b558ec0498fd506d

SHA512
d5b871757f53b8257f83f3ee653f4512569ac89d95b7a28dcccdb1f1bd1fdf940d9b59ef6870fc0676649b9504d9fbccf1e6e9073d281b980e4148a75c94ff50

Download Submit
\??\c:\windows\SysWOW64\tasklist32.exe

Filesize
232KB

MD5
b299427e070244f5b942c77864787874

SHA1
501736c765ab24ccde5e09d3b49af7f06d42690d

SHA256
d3dd4c40090512b53e3437344e51e72ee6005dcd49421cc6b558ec0498fd506d

SHA512
d5b871757f53b8257f83f3ee653f4512569ac89d95b7a28dcccdb1f1bd1fdf940d9b59ef6870fc0676649b9504d9fbccf1e6e9073d281b980e4148a75c94ff50

Download Submit
\Windows\SysWOW64\tasklist32.exe

Filesize
232KB

MD5
b299427e070244f5b942c77864787874

SHA1
501736c765ab24ccde5e09d3b49af7f06d42690d

SHA256
d3dd4c40090512b53e3437344e51e72ee6005dcd49421cc6b558ec0498fd506d

SHA512
d5b871757f53b8257f83f3ee653f4512569ac89d95b7a28dcccdb1f1bd1fdf940d9b59ef6870fc0676649b9504d9fbccf1e6e9073d281b980e4148a75c94ff50

Download Submit
\Windows\SysWOW64\tasklist32.exe

Filesize
232KB

MD5
b299427e070244f5b942c77864787874

SHA1
501736c765ab24ccde5e09d3b49af7f06d42690d

SHA256
d3dd4c40090512b53e3437344e51e72ee6005dcd49421cc6b558ec0498fd506d

SHA512
d5b871757f53b8257f83f3ee653f4512569ac89d95b7a28dcccdb1f1bd1fdf940d9b59ef6870fc0676649b9504d9fbccf1e6e9073d281b980e4148a75c94ff50

Download Submit
\Windows\SysWOW64\tasklist32.exe

Filesize
232KB

MD5
b299427e070244f5b942c77864787874

SHA1
501736c765ab24ccde5e09d3b49af7f06d42690d

SHA256
d3dd4c40090512b53e3437344e51e72ee6005dcd49421cc6b558ec0498fd506d

SHA512
d5b871757f53b8257f83f3ee653f4512569ac89d95b7a28dcccdb1f1bd1fdf940d9b59ef6870fc0676649b9504d9fbccf1e6e9073d281b980e4148a75c94ff50

Download Submit
\Windows\SysWOW64\tasklist32.exe

Filesize
232KB

MD5
b299427e070244f5b942c77864787874

SHA1
501736c765ab24ccde5e09d3b49af7f06d42690d

SHA256
d3dd4c40090512b53e3437344e51e72ee6005dcd49421cc6b558ec0498fd506d

SHA512
d5b871757f53b8257f83f3ee653f4512569ac89d95b7a28dcccdb1f1bd1fdf940d9b59ef6870fc0676649b9504d9fbccf1e6e9073d281b980e4148a75c94ff50

Download Submit
memory/772-72-0x0000000002D30000-0x0000000003144000-memory.dmp

Filesize
4.1MB

Download
memory/772-71-0x0000000000400000-0x0000000000814000-memory.dmp

Filesize
4.1MB

Download
memory/772-73-0x0000000002D30000-0x0000000003144000-memory.dmp

Filesize
4.1MB

Download
memory/772-78-0x0000000000400000-0x0000000000814000-memory.dmp

Filesize
4.1MB

Download
memory/1176-74-0x0000000000400000-0x0000000000814000-memory.dmp

Filesize
4.1MB

Download
memory/1176-75-0x0000000000400000-0x0000000000814000-memory.dmp

Filesize
4.1MB

Download
memory/1576-70-0x0000000002D80000-0x0000000003194000-memory.dmp

Filesize
4.1MB

Download
memory/1576-56-0x0000000000400000-0x0000000000814000-memory.dmp

Filesize
4.1MB

Download
memory/1576-76-0x0000000000400000-0x0000000000814000-memory.dmp

Filesize
4.1MB

Download
memory/1576-77-0x0000000002D80000-0x0000000003194000-memory.dmp

Filesize
4.1MB

Download

Analysis

Sharing