f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee

General

Target

f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe
Size

332KB
MD5

5996ae5ce5b1ba79aab211992dba3d42
SHA1

4308c54a7d5ef62b379d7f171a29ab11875a9b95
SHA256

f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee
SHA512

c9101394f08fc71d273b74a1d99e5400bd1f1e8120f122c26f068668c059778e7c64efe43834b15f3e44ae644a570bc5369ecc937db55d5a674604541940479d
SSDEEP

6144:k17kgF25dWLF3zkPw3VM7+nJ6qLfyi87lw01793r5i78Adcvk05/Navio2maa1/h:sAgG4QyVq6J6+f8a01h3r59Ad4/Av/rj

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe

pid process

4820 f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe

pid	process
4820	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe

description	pid	process	target process
PID 1300 set thread context of 4820	1300	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4780 4820 WerFault.exe f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe

description pid process

Token: SeDebugPrivilege 1300 f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe

pid	pid_target	process	target process
4780	4820	WerFault.exe	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe

description	pid	process
Token: SeDebugPrivilege	1300	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.execsc.exe

C:\Users\Admin\AppData\Local\Temp\f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe
"C:\Users\Admin\AppData\Local\Temp\f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1300

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ndniufmk.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:4204

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8727.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8726.tmp"
3⤵
PID:8

C:\Users\Admin\AppData\Roaming\f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe
C:\Users\Admin\AppData\Roaming\f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe
2⤵
- Executes dropped EXE
PID:4820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 12
3⤵
- Program crash
PID:4780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4820 -ip 4820
1⤵
PID:4260

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8727.tmp
Filesize
1KB

MD5
67428642a7f2d5382b362f4bbaac55b3

SHA1
0c12ec8149ad271f074b219d17d37d3187177cd5

SHA256
2898d160581b9376cb15e8b5af112bd0e52423dd02c9786c82614f0bf5418881

SHA512
780258a424f9605164b87a25c2a8934ee5e3cd8f6f27ced820d4bb0dfda84a7f8b60ecd3badaf153bd959fa2cacebcc8b7818c4e2e21f3f6a5813147151b44b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ndniufmk.dll
Filesize
5KB

MD5
53b5de8a78a34126ad86df887141a803

SHA1
f14770cf51245f8be59f7a895edef036ab93b79f

SHA256
5f33e940e5eab24549a895e059f7875c9c8d38b591dab3f92f5738c558f99909

SHA512
5751c76b53299943378acf4dc42e7cfc58da59692c673f364e3dedc6718fe91cc423a66170265db262a8a31acef7749166171029bb05779c2d05817c2a5b7c6a

Download Submit
C:\Users\Admin\AppData\Roaming\f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe
Filesize
6KB

MD5
d89fdbb4172cee2b2f41033e62c677d6

SHA1
c1917b579551f0915f1a0a8e8e3c7a6809284e6b

SHA256
2cbdc0ddc7901a9b89615cc338f63e1800f864db431e7a7a85749f73cba0b383

SHA512
48941f08ae00d342b52e3255b99ce36abb4e46a48075a760869bc86b1a32c0737eb2bd5e43d5ee665303ab134282f9732738755c4027043ed2d4f414faab63ed

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC8726.tmp
Filesize
652B

MD5
05886827e01c60a62febe4747541251c

SHA1
b6987a70076a066484385408cd5c003358b4660c

SHA256
320c2268ce97bcaf8ff6907bbffe18ed2d80ea84ab57a48eaab74c76ea4d3ab5

SHA512
f65edc03ae8b79aa4fb958cd3e8f311a548c3a1737c9562c4ac7478902755e816ce6cc8ba032c07540eb4b90367f4c6bf3b01da36fb9ab5b93b739b4be08089f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ndniufmk.0.cs
Filesize
5KB

MD5
cb25540570735d26bf391e8b54579396

SHA1
135651d49409214d21348bb879f7973384a7a8cb

SHA256
922ec415710a6e1465ed8553838ddf19c8deb32b75da6dfaca372c1067d2d743

SHA512
553ce9d3647b196ccbd6612c06d301afac992130ec5c80fe8fa8a42bab4250053fad651227ff97d9fab4ba8aaff562d421236dc0b2b5d0d4a17430985dd07080

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ndniufmk.cmdline
Filesize
206B

MD5
5f2f8514902d266d953e087297d41ee9

SHA1
a03b5f9b6bd6a5f82a4d7109cf3760cc15689a03

SHA256
96738ffab722f6f742eca21b40ad185b6532f8be3200774e9c79944331ac5b6f

SHA512
84095237f51a2924ed86e6f9397199b6414f809e0718e06ea0e4c2e5b01d6a6f11c51d8a4195847a923d36d5ac72017a29cba93a3076cf30e235e0bf95d1752d

Download Submit
memory/8-136-0x0000000000000000-mapping.dmp

Download
memory/1300-132-0x00000000745F0000-0x0000000074BA1000-memory.dmp

Filesize
5.7MB

Download
memory/1300-142-0x00000000745F0000-0x0000000074BA1000-memory.dmp

Filesize
5.7MB

Download
memory/4204-133-0x0000000000000000-mapping.dmp

Download
memory/4820-140-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 1300 wrote to memory of 4204	1300	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe	csc.exe
PID 1300 wrote to memory of 4204	1300	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe	csc.exe
PID 1300 wrote to memory of 4204	1300	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe	csc.exe
PID 4204 wrote to memory of 8	4204	csc.exe	cvtres.exe
PID 4204 wrote to memory of 8	4204	csc.exe	cvtres.exe
PID 4204 wrote to memory of 8	4204	csc.exe	cvtres.exe
PID 1300 wrote to memory of 4820	1300	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe
PID 1300 wrote to memory of 4820	1300	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe
PID 1300 wrote to memory of 4820	1300	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe
PID 1300 wrote to memory of 4820	1300	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe
PID 1300 wrote to memory of 4820	1300	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe
PID 1300 wrote to memory of 4820	1300	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe
PID 1300 wrote to memory of 4820	1300	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe
PID 1300 wrote to memory of 4820	1300	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe
PID 1300 wrote to memory of 4820	1300	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe
PID 1300 wrote to memory of 4820	1300	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe

Analysis

Sharing