a327de9eff4f17342a8c1b22763f7e40bcab76cbb63cc80f2a3cf4f3c23e4fb5

General

Target

a327de9eff4f17342a8c1b22763f7e40bcab76cbb63cc80f2a3cf4f3c23e4fb5.exe
Size

876KB
MD5

24632cbe134f607d5ebee7f6e0196f22
SHA1

c7eb43853ab2a4cd16f5a84fe5efb08a0228cf1c
SHA256

a327de9eff4f17342a8c1b22763f7e40bcab76cbb63cc80f2a3cf4f3c23e4fb5
SHA512

34f10502bb53630266511273fccf9982e5273672bad20ee9c76171603a6609172e222ec1bccbc4600426e741be8015481c15ab9eaebc264f01da8499ffe6dc48
SSDEEP

24576:yKQzqnmbdpvvaGYc//////XTvz4OnfR/SP6G8owFpScu:y6mvuc//////XTlfBSP38PPSd

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1992	xia8.exe
540	IE9000ÍøÖ·µ¼º½°æ.exe
2444	xia8.exe

Loads dropped DLL 2 IoCs

pid	Process
1992	xia8.exe
2444	xia8.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2316	2444	WerFault.exe	92
3084	2444	WerFault.exe	92

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 952 wrote to memory of 220	952	a327de9eff4f17342a8c1b22763f7e40bcab76cbb63cc80f2a3cf4f3c23e4fb5.exe	82
PID 952 wrote to memory of 220	952	a327de9eff4f17342a8c1b22763f7e40bcab76cbb63cc80f2a3cf4f3c23e4fb5.exe	82
PID 952 wrote to memory of 220	952	a327de9eff4f17342a8c1b22763f7e40bcab76cbb63cc80f2a3cf4f3c23e4fb5.exe	82
PID 952 wrote to memory of 204	952	a327de9eff4f17342a8c1b22763f7e40bcab76cbb63cc80f2a3cf4f3c23e4fb5.exe	83
PID 952 wrote to memory of 204	952	a327de9eff4f17342a8c1b22763f7e40bcab76cbb63cc80f2a3cf4f3c23e4fb5.exe	83
PID 952 wrote to memory of 204	952	a327de9eff4f17342a8c1b22763f7e40bcab76cbb63cc80f2a3cf4f3c23e4fb5.exe	83
PID 220 wrote to memory of 1992	220	cmd.exe	86
PID 220 wrote to memory of 1992	220	cmd.exe	86
PID 220 wrote to memory of 1992	220	cmd.exe	86
PID 204 wrote to memory of 540	204	cmd.exe	87
PID 204 wrote to memory of 540	204	cmd.exe	87
PID 204 wrote to memory of 540	204	cmd.exe	87
PID 1992 wrote to memory of 1972	1992	xia8.exe	90
PID 1992 wrote to memory of 1972	1992	xia8.exe	90
PID 1992 wrote to memory of 1972	1992	xia8.exe	90
PID 1972 wrote to memory of 2444	1972	cmd.exe	92
PID 1972 wrote to memory of 2444	1972	cmd.exe	92
PID 1972 wrote to memory of 2444	1972	cmd.exe	92
PID 2444 wrote to memory of 2316	2444	xia8.exe	94
PID 2444 wrote to memory of 2316	2444	xia8.exe	94
PID 2444 wrote to memory of 2316	2444	xia8.exe	94

C:\Users\Admin\AppData\Local\Temp\a327de9eff4f17342a8c1b22763f7e40bcab76cbb63cc80f2a3cf4f3c23e4fb5.exe
"C:\Users\Admin\AppData\Local\Temp\a327de9eff4f17342a8c1b22763f7e40bcab76cbb63cc80f2a3cf4f3c23e4fb5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:952
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\xia8.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:220
- - C:\Users\Admin\AppData\Local\Temp\xia8.exe
    C:\Users\Admin\AppData\Local\Temp\xia8.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1992
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\xia8.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1972
    - - C:\Users\Admin\AppData\Local\Temp\xia8.exe
        
        C:\Users\Admin\AppData\Local\Temp\xia8.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2444
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2444 -s 248
        6⤵
        Program crash
        
        PID:2316
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2444 -s 248
        6⤵
        Program crash
        
        PID:3084
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\IE9000ÍøÖ·µ¼º½°æ.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:204
- - C:\Users\Admin\AppData\Local\Temp\IE9000ÍøÖ·µ¼º½°æ.exe
    C:\Users\Admin\AppData\Local\Temp\IE9000ÍøÖ·µ¼º½°æ.exe
    3⤵
    - Executes dropped EXE
    PID:540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2444 -ip 2444
1⤵
PID:3440

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IE9000ÍøÖ·µ¼º½°æ.exe

Filesize
438KB

MD5
15b130a04eb5f8a09c8f2a736e1fcdd9

SHA1
cb3f8355cbd5001fee158f1457cb229c2d25df79

SHA256
8f94813e8307927d4b11046ea4a27043ca3957cf97c6ee97e3f5979f09de20ae

SHA512
eceeebbb00753a1972ba794d91be4f18d9953312bfebffd711fa73c61cc48af4cce41b82900f13c9c5a4c009db9e8b325f90d09be083987c68bb81fee2a3d86a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IE9000ÍøÖ·µ¼º½°æ.exe

Filesize
438KB

MD5
15b130a04eb5f8a09c8f2a736e1fcdd9

SHA1
cb3f8355cbd5001fee158f1457cb229c2d25df79

SHA256
8f94813e8307927d4b11046ea4a27043ca3957cf97c6ee97e3f5979f09de20ae

SHA512
eceeebbb00753a1972ba794d91be4f18d9953312bfebffd711fa73c61cc48af4cce41b82900f13c9c5a4c009db9e8b325f90d09be083987c68bb81fee2a3d86a

Download Submit
C:\Users\Admin\AppData\Local\Temp\chen.chen

Filesize
2KB

MD5
607d3a9931d3d39fb060a3d2d99b79a1

SHA1
75ad7adbd072ae6543c7df16d55b546c0e4ad49c

SHA256
c70b523991d08456b8a420d24ddc651bf3d1ac44c26e99e262377adecee3a068

SHA512
ee22fafeaa6aeece32dc8e2b78f49a94e260eb6c669c16dbd249c403d446c3ff9712e0b37d8c65738c7f8dd38fe39dfc455b6d37d23bd8fab9ff06761b903f9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\chen.juan

Filesize
1KB

MD5
1850394c24660425451e07664295f097

SHA1
dce43a112ec24fc153eaaaf69435fa55d7f4652d

SHA256
d2101bd0900a705dae92d65fb896c0b1ebea346a24744d5f7e31c2926208daff

SHA512
faa2554d2e0f15a3ba204805be6918f928cfe06936bd0c39d2a2d632787e38068ac5e20a627867b3102232c9a4d4d861cfa58d6ce80c40cd43166b1c9d03d9c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\xia8.exe

Filesize
12KB

MD5
d9cd695f66e431f634aa45174af44ae0

SHA1
5497f589d1e3c2a2d959e192f19a97385dd1f465

SHA256
bc8e84b01565992756360c48482622dd0c4ed9337259672a0e141e0a83f0f639

SHA512
33bf16d6158ed2e97d011675b62a4a425d41b394ce129bd74198d4e76c7b4ccfc0bb5bb01d7ec195dab51f8be379aec363c96f870b320244c2de2a9faccc5cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\xia8.exe

Filesize
12KB

MD5
d9cd695f66e431f634aa45174af44ae0

SHA1
5497f589d1e3c2a2d959e192f19a97385dd1f465

SHA256
bc8e84b01565992756360c48482622dd0c4ed9337259672a0e141e0a83f0f639

SHA512
33bf16d6158ed2e97d011675b62a4a425d41b394ce129bd74198d4e76c7b4ccfc0bb5bb01d7ec195dab51f8be379aec363c96f870b320244c2de2a9faccc5cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\xia8.exe

Filesize
12KB

MD5
d9cd695f66e431f634aa45174af44ae0

SHA1
5497f589d1e3c2a2d959e192f19a97385dd1f465

SHA256
bc8e84b01565992756360c48482622dd0c4ed9337259672a0e141e0a83f0f639

SHA512
33bf16d6158ed2e97d011675b62a4a425d41b394ce129bd74198d4e76c7b4ccfc0bb5bb01d7ec195dab51f8be379aec363c96f870b320244c2de2a9faccc5cee

Download Submit
memory/204-133-0x0000000000000000-mapping.dmp

Download
memory/220-132-0x0000000000000000-mapping.dmp

Download
memory/540-138-0x0000000000000000-mapping.dmp

Download
memory/1972-142-0x0000000000000000-mapping.dmp

Download
memory/1992-137-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1992-134-0x0000000000000000-mapping.dmp

Download
memory/2316-148-0x0000000000000000-mapping.dmp

Download
memory/2444-143-0x0000000000000000-mapping.dmp

Download
memory/2444-145-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2444-147-0x0000000010000000-0x0000000010002000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads