505c53553e6e054da82965b85157f8adf7ab89abe2c6c8925157d3cf64aed445

Analysis

max time kernel
152s
max time network
173s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 05:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

505c53553e6e054da82965b85157f8adf7ab89abe2c6c8925157d3cf64aed445.exe
Size

867KB
MD5

0f2a88c4415726b1c6b3dc7a0d20c150
SHA1

785cf99f378016e80929c4f43993a017a67ab876
SHA256

505c53553e6e054da82965b85157f8adf7ab89abe2c6c8925157d3cf64aed445
SHA512

47cb462e1635bb8638cd2e068684d6715f570d88385a1fb791863cb27c33f36644b4f5820b8c202d2f8b84535170ed23dff9a3f7af53734685fa8783593304b4
SSDEEP

24576:ThL0itnzDIWTB0zH0sIZgytWWg1Te0Dz:TpDvIOBScTtGTe0D

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2588	nuh56rgb4829gqkoomlhz.exe
3792	lxyymcpqqql.exe
4864	dfwgaeonimft.exe
6012	lxyymcpqqql.exe

Loads dropped DLL 2 IoCs

pid	Process
1016	505c53553e6e054da82965b85157f8adf7ab89abe2c6c8925157d3cf64aed445.exe
1016	505c53553e6e054da82965b85157f8adf7ab89abe2c6c8925157d3cf64aed445.exe

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\aoykitfkdutvmi\rng	lxyymcpqqql.exe
File opened for modification	C:\Windows\aoykitfkdutvmi\rng	lxyymcpqqql.exe
File created	C:\Windows\aoykitfkdutvmi\run	lxyymcpqqql.exe
File opened for modification	C:\Windows\aoykitfkdutvmi\tst	dfwgaeonimft.exe
File opened for modification	C:\Windows\aoykitfkdutvmi\tst	lxyymcpqqql.exe
File opened for modification	C:\Windows\lxyymcpqqql.exe	nuh56rgb4829gqkoomlhz.exe
File opened for modification	C:\Windows\aoykitfkdutvmi\tst	lxyymcpqqql.exe
File created	C:\Windows\dfwgaeonimft.exe	lxyymcpqqql.exe
File created	C:\Windows\aoykitfkdutvmi\lck	lxyymcpqqql.exe
File created	C:\Windows\lxyymcpqqql.exe	nuh56rgb4829gqkoomlhz.exe
File created	C:\Windows\aoykitfkdutvmi\cfg	lxyymcpqqql.exe
File created	C:\Windows\aoykitfkdutvmi\tst	505c53553e6e054da82965b85157f8adf7ab89abe2c6c8925157d3cf64aed445.exe
File opened for modification	C:\Windows\aoykitfkdutvmi\tst	nuh56rgb4829gqkoomlhz.exe
File opened for modification	C:\Windows\aoykitfkdutvmi\	nuh56rgb4829gqkoomlhz.exe
File opened for modification	C:\Windows\aoykitfkdutvmi\lck	lxyymcpqqql.exe
File opened for modification	C:\Windows\dfwgaeonimft.exe	lxyymcpqqql.exe
File opened for modification	C:\Windows\aoykitfkdutvmi\	dfwgaeonimft.exe
File opened for modification	C:\Windows\aoykitfkdutvmi\	lxyymcpqqql.exe
File opened for modification	C:\Windows\aoykitfkdutvmi\	505c53553e6e054da82965b85157f8adf7ab89abe2c6c8925157d3cf64aed445.exe
File created	C:\Windows\aoykitfkdutvmi\lck	nuh56rgb4829gqkoomlhz.exe
File opened for modification	C:\Windows\aoykitfkdutvmi\	lxyymcpqqql.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3792	lxyymcpqqql.exe
3792	lxyymcpqqql.exe
3792	lxyymcpqqql.exe
3792	lxyymcpqqql.exe
3792	lxyymcpqqql.exe
3792	lxyymcpqqql.exe
4864	dfwgaeonimft.exe
4864	dfwgaeonimft.exe
4864	dfwgaeonimft.exe
4864	dfwgaeonimft.exe
4864	dfwgaeonimft.exe
4864	dfwgaeonimft.exe
4864	dfwgaeonimft.exe
4864	dfwgaeonimft.exe
4864	dfwgaeonimft.exe
4864	dfwgaeonimft.exe
4864	dfwgaeonimft.exe
4864	dfwgaeonimft.exe
4864	dfwgaeonimft.exe
4864	dfwgaeonimft.exe
4864	dfwgaeonimft.exe
3792	lxyymcpqqql.exe
4864	dfwgaeonimft.exe
3792	lxyymcpqqql.exe
3792	lxyymcpqqql.exe
3792	lxyymcpqqql.exe
3792	lxyymcpqqql.exe
3792	lxyymcpqqql.exe
3792	lxyymcpqqql.exe
3792	lxyymcpqqql.exe
3792	lxyymcpqqql.exe
4864	dfwgaeonimft.exe
3792	lxyymcpqqql.exe
4864	dfwgaeonimft.exe
3792	lxyymcpqqql.exe
4864	dfwgaeonimft.exe
3792	lxyymcpqqql.exe
4864	dfwgaeonimft.exe
3792	lxyymcpqqql.exe
4864	dfwgaeonimft.exe
3792	lxyymcpqqql.exe
4864	dfwgaeonimft.exe
4864	dfwgaeonimft.exe
3792	lxyymcpqqql.exe
4864	dfwgaeonimft.exe
3792	lxyymcpqqql.exe
4864	dfwgaeonimft.exe
3792	lxyymcpqqql.exe
4864	dfwgaeonimft.exe
3792	lxyymcpqqql.exe
4864	dfwgaeonimft.exe
3792	lxyymcpqqql.exe
3792	lxyymcpqqql.exe
4864	dfwgaeonimft.exe
4864	dfwgaeonimft.exe
3792	lxyymcpqqql.exe
4864	dfwgaeonimft.exe
3792	lxyymcpqqql.exe
4864	dfwgaeonimft.exe
3792	lxyymcpqqql.exe
4864	dfwgaeonimft.exe
3792	lxyymcpqqql.exe
4864	dfwgaeonimft.exe
3792	lxyymcpqqql.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1016 wrote to memory of 2588	1016	505c53553e6e054da82965b85157f8adf7ab89abe2c6c8925157d3cf64aed445.exe	28
PID 1016 wrote to memory of 2588	1016	505c53553e6e054da82965b85157f8adf7ab89abe2c6c8925157d3cf64aed445.exe	28
PID 1016 wrote to memory of 2588	1016	505c53553e6e054da82965b85157f8adf7ab89abe2c6c8925157d3cf64aed445.exe	28
PID 1016 wrote to memory of 2588	1016	505c53553e6e054da82965b85157f8adf7ab89abe2c6c8925157d3cf64aed445.exe	28
PID 3792 wrote to memory of 4864	3792	lxyymcpqqql.exe	31
PID 3792 wrote to memory of 4864	3792	lxyymcpqqql.exe	31
PID 3792 wrote to memory of 4864	3792	lxyymcpqqql.exe	31
PID 3792 wrote to memory of 4864	3792	lxyymcpqqql.exe	31
PID 2588 wrote to memory of 6012	2588	nuh56rgb4829gqkoomlhz.exe	32
PID 2588 wrote to memory of 6012	2588	nuh56rgb4829gqkoomlhz.exe	32
PID 2588 wrote to memory of 6012	2588	nuh56rgb4829gqkoomlhz.exe	32
PID 2588 wrote to memory of 6012	2588	nuh56rgb4829gqkoomlhz.exe	32

C:\Users\Admin\AppData\Local\Temp\505c53553e6e054da82965b85157f8adf7ab89abe2c6c8925157d3cf64aed445.exe
"C:\Users\Admin\AppData\Local\Temp\505c53553e6e054da82965b85157f8adf7ab89abe2c6c8925157d3cf64aed445.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1016
- C:\Users\Admin\AppData\Local\Temp\nuh56rgb4829gqkoomlhz.exe
  "C:\Users\Admin\AppData\Local\Temp\nuh56rgb4829gqkoomlhz.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2588
- - C:\Windows\lxyymcpqqql.exe
    "C:\Windows\lxyymcpqqql.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:6012

C:\Windows\lxyymcpqqql.exe
C:\Windows\lxyymcpqqql.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3792
- C:\Windows\dfwgaeonimft.exe
  WATCHDOGPROC "c:\windows\lxyymcpqqql.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:4864

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nuh56rgb4829gqkoomlhz.exe

Filesize
867KB

MD5
0f2a88c4415726b1c6b3dc7a0d20c150

SHA1
785cf99f378016e80929c4f43993a017a67ab876

SHA256
505c53553e6e054da82965b85157f8adf7ab89abe2c6c8925157d3cf64aed445

SHA512
47cb462e1635bb8638cd2e068684d6715f570d88385a1fb791863cb27c33f36644b4f5820b8c202d2f8b84535170ed23dff9a3f7af53734685fa8783593304b4

Download Submit
C:\Windows\aoykitfkdutvmi\rng

Filesize
4B

MD5
2a92885230e214350b4fa1241229a026

SHA1
c1f2386c62e17190100a2908216ad3c324c38fe9

SHA256
5cdec5d34b5e22aaa37bb0d30be4bea3333f71739f6517e070c46552789f6774

SHA512
e0ea9dbcd111a927914e1062173fccce2e8253953b2e7e28c38fdd1f29d1ebc7806606345c6a353314f8d3d48a611c7a1f3a06d9ec3774ff8772de75332ce638

Download Submit
C:\Windows\aoykitfkdutvmi\tst

Filesize
10B

MD5
d9e0d258df86c6859951b803fa0e539c

SHA1
d04df79fdffa92605bdc478f4247fa2b55fceb7f

SHA256
e71eb9e1b484bed5dc20e32acf079f979aec46863078331771912423e08b564e

SHA512
8c0dbe178f6769dac6573afea6ad1c4b3caa2443276abbcbe6cecc4698b88174963a83ad4952966526c25548b2f266dddb800d0b778b8f76327367aa7562537e

Download Submit
C:\Windows\aoykitfkdutvmi\tst

Filesize
10B

MD5
d9e0d258df86c6859951b803fa0e539c

SHA1
d04df79fdffa92605bdc478f4247fa2b55fceb7f

SHA256
e71eb9e1b484bed5dc20e32acf079f979aec46863078331771912423e08b564e

SHA512
8c0dbe178f6769dac6573afea6ad1c4b3caa2443276abbcbe6cecc4698b88174963a83ad4952966526c25548b2f266dddb800d0b778b8f76327367aa7562537e

Download Submit
C:\Windows\aoykitfkdutvmi\tst

Filesize
10B

MD5
d9e0d258df86c6859951b803fa0e539c

SHA1
d04df79fdffa92605bdc478f4247fa2b55fceb7f

SHA256
e71eb9e1b484bed5dc20e32acf079f979aec46863078331771912423e08b564e

SHA512
8c0dbe178f6769dac6573afea6ad1c4b3caa2443276abbcbe6cecc4698b88174963a83ad4952966526c25548b2f266dddb800d0b778b8f76327367aa7562537e

Download Submit
C:\Windows\aoykitfkdutvmi\tst

Filesize
10B

MD5
d9e0d258df86c6859951b803fa0e539c

SHA1
d04df79fdffa92605bdc478f4247fa2b55fceb7f

SHA256
e71eb9e1b484bed5dc20e32acf079f979aec46863078331771912423e08b564e

SHA512
8c0dbe178f6769dac6573afea6ad1c4b3caa2443276abbcbe6cecc4698b88174963a83ad4952966526c25548b2f266dddb800d0b778b8f76327367aa7562537e

Download Submit
C:\Windows\dfwgaeonimft.exe

Filesize
867KB

MD5
0f2a88c4415726b1c6b3dc7a0d20c150

SHA1
785cf99f378016e80929c4f43993a017a67ab876

SHA256
505c53553e6e054da82965b85157f8adf7ab89abe2c6c8925157d3cf64aed445

SHA512
47cb462e1635bb8638cd2e068684d6715f570d88385a1fb791863cb27c33f36644b4f5820b8c202d2f8b84535170ed23dff9a3f7af53734685fa8783593304b4

Download Submit
C:\Windows\lxyymcpqqql.exe

Filesize
867KB

MD5
0f2a88c4415726b1c6b3dc7a0d20c150

SHA1
785cf99f378016e80929c4f43993a017a67ab876

SHA256
505c53553e6e054da82965b85157f8adf7ab89abe2c6c8925157d3cf64aed445

SHA512
47cb462e1635bb8638cd2e068684d6715f570d88385a1fb791863cb27c33f36644b4f5820b8c202d2f8b84535170ed23dff9a3f7af53734685fa8783593304b4

Download Submit
C:\Windows\lxyymcpqqql.exe

Filesize
867KB

MD5
0f2a88c4415726b1c6b3dc7a0d20c150

SHA1
785cf99f378016e80929c4f43993a017a67ab876

SHA256
505c53553e6e054da82965b85157f8adf7ab89abe2c6c8925157d3cf64aed445

SHA512
47cb462e1635bb8638cd2e068684d6715f570d88385a1fb791863cb27c33f36644b4f5820b8c202d2f8b84535170ed23dff9a3f7af53734685fa8783593304b4

Download Submit
\??\c:\users\admin\appdata\local\temp\nuh56rgb4829gqkoomlhz.exe

Filesize
867KB

MD5
0f2a88c4415726b1c6b3dc7a0d20c150

SHA1
785cf99f378016e80929c4f43993a017a67ab876

SHA256
505c53553e6e054da82965b85157f8adf7ab89abe2c6c8925157d3cf64aed445

SHA512
47cb462e1635bb8638cd2e068684d6715f570d88385a1fb791863cb27c33f36644b4f5820b8c202d2f8b84535170ed23dff9a3f7af53734685fa8783593304b4

Download Submit
\??\c:\windows\lxyymcpqqql.exe

Filesize
867KB

MD5
0f2a88c4415726b1c6b3dc7a0d20c150

SHA1
785cf99f378016e80929c4f43993a017a67ab876

SHA256
505c53553e6e054da82965b85157f8adf7ab89abe2c6c8925157d3cf64aed445

SHA512
47cb462e1635bb8638cd2e068684d6715f570d88385a1fb791863cb27c33f36644b4f5820b8c202d2f8b84535170ed23dff9a3f7af53734685fa8783593304b4

Download Submit
\Users\Admin\AppData\Local\Temp\nuh56rgb4829gqkoomlhz.exe

Filesize
867KB

MD5
0f2a88c4415726b1c6b3dc7a0d20c150

SHA1
785cf99f378016e80929c4f43993a017a67ab876

SHA256
505c53553e6e054da82965b85157f8adf7ab89abe2c6c8925157d3cf64aed445

SHA512
47cb462e1635bb8638cd2e068684d6715f570d88385a1fb791863cb27c33f36644b4f5820b8c202d2f8b84535170ed23dff9a3f7af53734685fa8783593304b4

Download Submit
\Users\Admin\AppData\Local\Temp\nuh56rgb4829gqkoomlhz.exe

Filesize
867KB

MD5
0f2a88c4415726b1c6b3dc7a0d20c150

SHA1
785cf99f378016e80929c4f43993a017a67ab876

SHA256
505c53553e6e054da82965b85157f8adf7ab89abe2c6c8925157d3cf64aed445

SHA512
47cb462e1635bb8638cd2e068684d6715f570d88385a1fb791863cb27c33f36644b4f5820b8c202d2f8b84535170ed23dff9a3f7af53734685fa8783593304b4

Download Submit
memory/2588-59-0x00000000764D1000-0x00000000764D3000-memory.dmp

Filesize
8KB

Download