ad8ee2c662b0b023eb3fcc5a946a2a10573d70e4555793614328e277e4093e3e

Analysis

max time kernel
119s
max time network
35s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
28-11-2022 01:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad8ee2c662b0b023eb3fcc5a946a2a10573d70e4555793614328e277e4093e3e.exe
Size

1.1MB
MD5

4a2d67b026ab9d116e067c107381fe76
SHA1

57848f53d4aaf6fd0beb7a16d07e819801d0ca17
SHA256

ad8ee2c662b0b023eb3fcc5a946a2a10573d70e4555793614328e277e4093e3e
SHA512

740aed8cf7c9c9b0928d45cb903ee992e7607d4f60a4e5ac83c78c6012e1ca9313df74a3a99149ef313a959569288861eff276b0d8c3dfc1ffac59d2a49d7fe5
SSDEEP

24576:JxGIj5DtzSTPMDZOyu95K2taqpWfrNgPN4pyMSkmQ95cKtg+DWfrNJdNnpyvAf:CANtu1r55tof+jMSk/5PtKfHAvAf

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
436	ad8ee2c662b0b023eb3fcc5a946a2a10573d70e4555793614328e277e4093e3e.tmp
1112	cui.exe
676	cui.tmp
1620	c11w.exe

Loads dropped DLL 8 IoCs

pid	Process
1692	ad8ee2c662b0b023eb3fcc5a946a2a10573d70e4555793614328e277e4093e3e.exe
436	ad8ee2c662b0b023eb3fcc5a946a2a10573d70e4555793614328e277e4093e3e.tmp
436	ad8ee2c662b0b023eb3fcc5a946a2a10573d70e4555793614328e277e4093e3e.tmp
436	ad8ee2c662b0b023eb3fcc5a946a2a10573d70e4555793614328e277e4093e3e.tmp
1112	cui.exe
676	cui.tmp
676	cui.tmp
436	ad8ee2c662b0b023eb3fcc5a946a2a10573d70e4555793614328e277e4093e3e.tmp

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1692 wrote to memory of 436	1692	ad8ee2c662b0b023eb3fcc5a946a2a10573d70e4555793614328e277e4093e3e.exe	28
PID 1692 wrote to memory of 436	1692	ad8ee2c662b0b023eb3fcc5a946a2a10573d70e4555793614328e277e4093e3e.exe	28
PID 1692 wrote to memory of 436	1692	ad8ee2c662b0b023eb3fcc5a946a2a10573d70e4555793614328e277e4093e3e.exe	28
PID 1692 wrote to memory of 436	1692	ad8ee2c662b0b023eb3fcc5a946a2a10573d70e4555793614328e277e4093e3e.exe	28
PID 1692 wrote to memory of 436	1692	ad8ee2c662b0b023eb3fcc5a946a2a10573d70e4555793614328e277e4093e3e.exe	28
PID 1692 wrote to memory of 436	1692	ad8ee2c662b0b023eb3fcc5a946a2a10573d70e4555793614328e277e4093e3e.exe	28
PID 1692 wrote to memory of 436	1692	ad8ee2c662b0b023eb3fcc5a946a2a10573d70e4555793614328e277e4093e3e.exe	28
PID 436 wrote to memory of 1112	436	ad8ee2c662b0b023eb3fcc5a946a2a10573d70e4555793614328e277e4093e3e.tmp	29
PID 436 wrote to memory of 1112	436	ad8ee2c662b0b023eb3fcc5a946a2a10573d70e4555793614328e277e4093e3e.tmp	29
PID 436 wrote to memory of 1112	436	ad8ee2c662b0b023eb3fcc5a946a2a10573d70e4555793614328e277e4093e3e.tmp	29
PID 436 wrote to memory of 1112	436	ad8ee2c662b0b023eb3fcc5a946a2a10573d70e4555793614328e277e4093e3e.tmp	29
PID 436 wrote to memory of 1112	436	ad8ee2c662b0b023eb3fcc5a946a2a10573d70e4555793614328e277e4093e3e.tmp	29
PID 436 wrote to memory of 1112	436	ad8ee2c662b0b023eb3fcc5a946a2a10573d70e4555793614328e277e4093e3e.tmp	29
PID 436 wrote to memory of 1112	436	ad8ee2c662b0b023eb3fcc5a946a2a10573d70e4555793614328e277e4093e3e.tmp	29
PID 1112 wrote to memory of 676	1112	cui.exe	30
PID 1112 wrote to memory of 676	1112	cui.exe	30
PID 1112 wrote to memory of 676	1112	cui.exe	30
PID 1112 wrote to memory of 676	1112	cui.exe	30
PID 1112 wrote to memory of 676	1112	cui.exe	30
PID 1112 wrote to memory of 676	1112	cui.exe	30
PID 1112 wrote to memory of 676	1112	cui.exe	30
PID 436 wrote to memory of 1620	436	ad8ee2c662b0b023eb3fcc5a946a2a10573d70e4555793614328e277e4093e3e.tmp	32
PID 436 wrote to memory of 1620	436	ad8ee2c662b0b023eb3fcc5a946a2a10573d70e4555793614328e277e4093e3e.tmp	32
PID 436 wrote to memory of 1620	436	ad8ee2c662b0b023eb3fcc5a946a2a10573d70e4555793614328e277e4093e3e.tmp	32
PID 436 wrote to memory of 1620	436	ad8ee2c662b0b023eb3fcc5a946a2a10573d70e4555793614328e277e4093e3e.tmp	32
PID 1620 wrote to memory of 524	1620	c11w.exe	34
PID 1620 wrote to memory of 524	1620	c11w.exe	34
PID 1620 wrote to memory of 524	1620	c11w.exe	34
PID 1620 wrote to memory of 524	1620	c11w.exe	34

C:\Users\Admin\AppData\Local\Temp\ad8ee2c662b0b023eb3fcc5a946a2a10573d70e4555793614328e277e4093e3e.exe
"C:\Users\Admin\AppData\Local\Temp\ad8ee2c662b0b023eb3fcc5a946a2a10573d70e4555793614328e277e4093e3e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1692
- C:\Users\Admin\AppData\Local\Temp\is-0CAVR.tmp\ad8ee2c662b0b023eb3fcc5a946a2a10573d70e4555793614328e277e4093e3e.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-0CAVR.tmp\ad8ee2c662b0b023eb3fcc5a946a2a10573d70e4555793614328e277e4093e3e.tmp" /SL5="$D0122,776043,119296,C:\Users\Admin\AppData\Local\Temp\ad8ee2c662b0b023eb3fcc5a946a2a10573d70e4555793614328e277e4093e3e.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:436
- - C:\Users\Admin\AppData\Local\Temp\is-OFGBO.tmp\cui.exe
    "C:\Users\Admin\AppData\Local\Temp\is-OFGBO.tmp\cui.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1112
  - - C:\Users\Admin\AppData\Local\Temp\is-A58HT.tmp\cui.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-A58HT.tmp\cui.tmp" /SL5="$1017C,352315,119296,C:\Users\Admin\AppData\Local\Temp\is-OFGBO.tmp\cui.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:676
- - C:\Users\Admin\AppData\Local\Temp\c11w.exe
    "C:\Users\Admin\AppData\Local\Temp\c11w.exe" -cid=CID -affid=AFFID -sid= -skipifinstalled=1 -delay=0 -ref= -merchantcid= -pubcid= -componentid=200081 -exename="compete.exe" -downloadurl="" -ui=0 -suppress= -ch=0 -enablelog=0 -single_version=100816062930
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1620
  - - C:\Windows\SysWOW64\CScript.exe
      C:\Windows\system32\CScript.exe C:\Users\Admin\AppData\Local\Temp\hi.vbs //e:vbscript //NOLOGO
      4⤵
      PID:524

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c11w.exe

Filesize
635KB

MD5
b4863478291f9b4a0cdfcf105f5cf51e

SHA1
6c02820f7eb26e4d68bdfa9819650d8ed799962a

SHA256
130166f508e351212e6c5a2283da2a6c564fc273d5aebd30351d7018a3d571a4

SHA512
e51dd329ac28db348625fd4743fac11f4a30d143ed6025dbdf53ce7752b230fa84bca4962838934cea99672fe932da468a6a2403c25bda674e497fad700b39f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\c11w.exe

Filesize
635KB

MD5
b4863478291f9b4a0cdfcf105f5cf51e

SHA1
6c02820f7eb26e4d68bdfa9819650d8ed799962a

SHA256
130166f508e351212e6c5a2283da2a6c564fc273d5aebd30351d7018a3d571a4

SHA512
e51dd329ac28db348625fd4743fac11f4a30d143ed6025dbdf53ce7752b230fa84bca4962838934cea99672fe932da468a6a2403c25bda674e497fad700b39f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\hi.vbs

Filesize
582B

MD5
e1911b107027b28bcce4c94462521288

SHA1
eb47ef9472aaca5ff9772877211233aa2741412b

SHA256
cc3f956bab15193c3968dfeeee47a0c477156a311d01fbb04ed6f06602bc6c6d

SHA512
f7f5caa42877d73b8a8b49eb9c367c9aa993a0f4508f6ce715e1934b5eb4a616cc672a498ebcde2315c2eabce2952d764605c13c728238c1ae322eb1b51a04fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0CAVR.tmp\ad8ee2c662b0b023eb3fcc5a946a2a10573d70e4555793614328e277e4093e3e.tmp

Filesize
1.1MB

MD5
129b8e200a6e90e813080c9ce0474063

SHA1
b5352cdae50e5ddf3eb62f75f2e77042386b8841

SHA256
cf0018affdd0b7921f922f1741ad229ec52c8a7d6c2b19889a149e0cc24aa839

SHA512
10949e7f0b6dd55e0a5d97e4531ef61427920cccc2136c0dd3607cdc79afa0d8a7178965a07039948da97f0200ead8fe5a54921620c943c7fc76dd5ef5a7c841

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-A58HT.tmp\cui.tmp

Filesize
1.1MB

MD5
129b8e200a6e90e813080c9ce0474063

SHA1
b5352cdae50e5ddf3eb62f75f2e77042386b8841

SHA256
cf0018affdd0b7921f922f1741ad229ec52c8a7d6c2b19889a149e0cc24aa839

SHA512
10949e7f0b6dd55e0a5d97e4531ef61427920cccc2136c0dd3607cdc79afa0d8a7178965a07039948da97f0200ead8fe5a54921620c943c7fc76dd5ef5a7c841

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OFGBO.tmp\cui.exe

Filesize
719KB

MD5
71b8319158c342bb646c965ff5133c89

SHA1
40ae14bf63908b4d4d90fc3c71c34b8abe0b114a

SHA256
18cd28781d5ebf8c7765368338b497ee6d8d68ec9876af6ac0b5c093e5daab52

SHA512
b1867d34701c9f2cda848597a3b7132ff14f2bcb47cb084367bb3ba99a1a603be78f2a011433f0a39696c32d5841e7d20ff21c6afcfef3ad4d9766cb2041cebc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OFGBO.tmp\cui.exe

Filesize
719KB

MD5
71b8319158c342bb646c965ff5133c89

SHA1
40ae14bf63908b4d4d90fc3c71c34b8abe0b114a

SHA256
18cd28781d5ebf8c7765368338b497ee6d8d68ec9876af6ac0b5c093e5daab52

SHA512
b1867d34701c9f2cda848597a3b7132ff14f2bcb47cb084367bb3ba99a1a603be78f2a011433f0a39696c32d5841e7d20ff21c6afcfef3ad4d9766cb2041cebc

Download Submit
\Users\Admin\AppData\Local\Temp\c11w.exe

Filesize
635KB

MD5
b4863478291f9b4a0cdfcf105f5cf51e

SHA1
6c02820f7eb26e4d68bdfa9819650d8ed799962a

SHA256
130166f508e351212e6c5a2283da2a6c564fc273d5aebd30351d7018a3d571a4

SHA512
e51dd329ac28db348625fd4743fac11f4a30d143ed6025dbdf53ce7752b230fa84bca4962838934cea99672fe932da468a6a2403c25bda674e497fad700b39f2

Download Submit
\Users\Admin\AppData\Local\Temp\is-0CAVR.tmp\ad8ee2c662b0b023eb3fcc5a946a2a10573d70e4555793614328e277e4093e3e.tmp

Filesize
1.1MB

MD5
129b8e200a6e90e813080c9ce0474063

SHA1
b5352cdae50e5ddf3eb62f75f2e77042386b8841

SHA256
cf0018affdd0b7921f922f1741ad229ec52c8a7d6c2b19889a149e0cc24aa839

SHA512
10949e7f0b6dd55e0a5d97e4531ef61427920cccc2136c0dd3607cdc79afa0d8a7178965a07039948da97f0200ead8fe5a54921620c943c7fc76dd5ef5a7c841

Download Submit
\Users\Admin\AppData\Local\Temp\is-6BO14.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-6BO14.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-A58HT.tmp\cui.tmp

Filesize
1.1MB

MD5
129b8e200a6e90e813080c9ce0474063

SHA1
b5352cdae50e5ddf3eb62f75f2e77042386b8841

SHA256
cf0018affdd0b7921f922f1741ad229ec52c8a7d6c2b19889a149e0cc24aa839

SHA512
10949e7f0b6dd55e0a5d97e4531ef61427920cccc2136c0dd3607cdc79afa0d8a7178965a07039948da97f0200ead8fe5a54921620c943c7fc76dd5ef5a7c841

Download Submit
\Users\Admin\AppData\Local\Temp\is-OFGBO.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-OFGBO.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-OFGBO.tmp\cui.exe

Filesize
719KB

MD5
71b8319158c342bb646c965ff5133c89

SHA1
40ae14bf63908b4d4d90fc3c71c34b8abe0b114a

SHA256
18cd28781d5ebf8c7765368338b497ee6d8d68ec9876af6ac0b5c093e5daab52

SHA512
b1867d34701c9f2cda848597a3b7132ff14f2bcb47cb084367bb3ba99a1a603be78f2a011433f0a39696c32d5841e7d20ff21c6afcfef3ad4d9766cb2041cebc

Download Submit
memory/436-59-0x0000000000000000-mapping.dmp

Download
memory/524-83-0x0000000000000000-mapping.dmp

Download
memory/676-72-0x0000000000000000-mapping.dmp

Download
memory/1112-68-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1112-75-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1112-65-0x0000000000000000-mapping.dmp

Download
memory/1112-78-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1620-81-0x0000000000000000-mapping.dmp

Download
memory/1620-86-0x0000000000B00000-0x0000000000BE0000-memory.dmp

Filesize
896KB

Download
memory/1692-54-0x0000000075831000-0x0000000075833000-memory.dmp

Filesize
8KB

Download
memory/1692-55-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1692-57-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1692-87-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads