749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913

General

Target

749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913.exe
Size

928KB
MD5

284b37c4771f4dcf91a37348014e04ff
SHA1

211e5aa4cc0451aa252660576fc5c6a1961667fd
SHA256

749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913
SHA512

dddfd3b527d57ef5b2ac806ca7c083033d05b0df39b7b6513069c91eb43c8645ee2641e5203366a53de3abd7578f254d84ea2ebaebf33388d591d2db787fa568
SSDEEP

24576:+TSkT7/hjVX1uKLGLY27AX1Wh6qC/UxPpXWhi:Evl3LG0h1KZkwPhW

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

oiesczh.exeoiesczh.exe

pid process

1028 oiesczh.exe
4392 oiesczh.exe
Drops file in System32 directory 1 IoCs

Processes:

oiesczh.exe

description ioc process

File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\oiesczh.exe.log oiesczh.exe

pid	process
1028	oiesczh.exe
4392	oiesczh.exe

description	ioc	process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\oiesczh.exe.log	oiesczh.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913.exeoiesczh.exe

description	pid	process	target process
PID 3700 set thread context of 4208	3700	749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913.exe	749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913.exe
PID 1028 set thread context of 4392	1028	oiesczh.exe	oiesczh.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913.exe

pid	process
4208	749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913.exe
4208	749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913.exeoiesczh.exe

description	pid	process	target process
PID 3700 wrote to memory of 4208	3700	749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913.exe	749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913.exe
PID 3700 wrote to memory of 4208	3700	749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913.exe	749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913.exe
PID 3700 wrote to memory of 4208	3700	749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913.exe	749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913.exe
PID 3700 wrote to memory of 4208	3700	749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913.exe	749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913.exe
PID 3700 wrote to memory of 4208	3700	749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913.exe	749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913.exe
PID 3700 wrote to memory of 4208	3700	749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913.exe	749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913.exe
PID 1028 wrote to memory of 4392	1028	oiesczh.exe	oiesczh.exe
PID 1028 wrote to memory of 4392	1028	oiesczh.exe	oiesczh.exe
PID 1028 wrote to memory of 4392	1028	oiesczh.exe	oiesczh.exe
PID 1028 wrote to memory of 4392	1028	oiesczh.exe	oiesczh.exe
PID 1028 wrote to memory of 4392	1028	oiesczh.exe	oiesczh.exe
PID 1028 wrote to memory of 4392	1028	oiesczh.exe	oiesczh.exe

C:\Users\Admin\AppData\Local\Temp\749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913.exe
"C:\Users\Admin\AppData\Local\Temp\749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3700

C:\Users\Admin\AppData\Local\Temp\749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913.exe
"C:\Users\Admin\AppData\Local\Temp\749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4208

C:\Users\Admin\AppData\Local\Temp\oiesczh.exe
C:\Users\Admin\AppData\Local\Temp\oiesczh.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1028

C:\Users\Admin\AppData\Local\Temp\oiesczh.exe
"C:\Users\Admin\AppData\Local\Temp\oiesczh.exe"
2⤵
- Executes dropped EXE
PID:4392

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\oiesczh.exe
Filesize
928KB

MD5
284b37c4771f4dcf91a37348014e04ff

SHA1
211e5aa4cc0451aa252660576fc5c6a1961667fd

SHA256
749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913

SHA512
dddfd3b527d57ef5b2ac806ca7c083033d05b0df39b7b6513069c91eb43c8645ee2641e5203366a53de3abd7578f254d84ea2ebaebf33388d591d2db787fa568

Download Submit
C:\Users\Admin\AppData\Local\Temp\oiesczh.exe
Filesize
928KB

MD5
284b37c4771f4dcf91a37348014e04ff

SHA1
211e5aa4cc0451aa252660576fc5c6a1961667fd

SHA256
749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913

SHA512
dddfd3b527d57ef5b2ac806ca7c083033d05b0df39b7b6513069c91eb43c8645ee2641e5203366a53de3abd7578f254d84ea2ebaebf33388d591d2db787fa568

Download Submit
C:\Users\Admin\AppData\Local\Temp\oiesczh.exe
Filesize
928KB

MD5
284b37c4771f4dcf91a37348014e04ff

SHA1
211e5aa4cc0451aa252660576fc5c6a1961667fd

SHA256
749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913

SHA512
dddfd3b527d57ef5b2ac806ca7c083033d05b0df39b7b6513069c91eb43c8645ee2641e5203366a53de3abd7578f254d84ea2ebaebf33388d591d2db787fa568

Download Submit
memory/1028-152-0x00000000746B0000-0x0000000074C61000-memory.dmp

Filesize
5.7MB

Download
memory/1028-144-0x00000000746B0000-0x0000000074C61000-memory.dmp

Filesize
5.7MB

Download
memory/1028-143-0x00000000746B0000-0x0000000074C61000-memory.dmp

Filesize
5.7MB

Download
memory/3700-132-0x0000000075230000-0x00000000757E1000-memory.dmp

Filesize
5.7MB

Download
memory/3700-139-0x0000000075230000-0x00000000757E1000-memory.dmp

Filesize
5.7MB

Download
memory/4208-137-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/4208-140-0x0000000000FB0000-0x00000000011FB000-memory.dmp

Filesize
2.3MB

Download
memory/4208-138-0x0000000000D90000-0x0000000000FAA000-memory.dmp

Filesize
2.1MB

Download
memory/4208-134-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/4208-133-0x0000000000000000-mapping.dmp

Download
memory/4392-145-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads