75a3e5a4575a707afcea12ef0fd87a361d5b0949dce5da3b0402fbb7d8d7cc08

General

Target

75a3e5a4575a707afcea12ef0fd87a361d5b0949dce5da3b0402fbb7d8d7cc08.exe
Size

249KB
MD5

0dc2ef41474a7c3ab621e11107c48f20
SHA1

e8f6fd4275b415bfd1d940cafaae13da7511fbad
SHA256

75a3e5a4575a707afcea12ef0fd87a361d5b0949dce5da3b0402fbb7d8d7cc08
SHA512

54df78dd25fec69cb999c87341c823cddd4e3f7e4211958c022d42bc82c56ae239ee88b494f176067f3e11b1bb77edb3cbd8de7b5c2af32ca08f65f1e7442a9c
SSDEEP

6144:xyH7xOc6H5c6HcT66vlmA4KmNNT/5BD6HtOIF3uUAGdkabk0i5dArDySa:xa2d/0tuUA3T5aHyh

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1008	svchost.exe
1704	75a3e5a4575a707afcea12ef0fd87a361d5b0949dce5da3b0402fbb7d8d7cc08.exe
1552	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
1008	svchost.exe
1008	svchost.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\svchost.exe	75a3e5a4575a707afcea12ef0fd87a361d5b0949dce5da3b0402fbb7d8d7cc08.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1704	75a3e5a4575a707afcea12ef0fd87a361d5b0949dce5da3b0402fbb7d8d7cc08.exe
1704	75a3e5a4575a707afcea12ef0fd87a361d5b0949dce5da3b0402fbb7d8d7cc08.exe
1704	75a3e5a4575a707afcea12ef0fd87a361d5b0949dce5da3b0402fbb7d8d7cc08.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1076 wrote to memory of 1008	1076	75a3e5a4575a707afcea12ef0fd87a361d5b0949dce5da3b0402fbb7d8d7cc08.exe	28
PID 1076 wrote to memory of 1008	1076	75a3e5a4575a707afcea12ef0fd87a361d5b0949dce5da3b0402fbb7d8d7cc08.exe	28
PID 1076 wrote to memory of 1008	1076	75a3e5a4575a707afcea12ef0fd87a361d5b0949dce5da3b0402fbb7d8d7cc08.exe	28
PID 1076 wrote to memory of 1008	1076	75a3e5a4575a707afcea12ef0fd87a361d5b0949dce5da3b0402fbb7d8d7cc08.exe	28
PID 1008 wrote to memory of 1704	1008	svchost.exe	29
PID 1008 wrote to memory of 1704	1008	svchost.exe	29
PID 1008 wrote to memory of 1704	1008	svchost.exe	29
PID 1008 wrote to memory of 1704	1008	svchost.exe	29
PID 1704 wrote to memory of 1504	1704	75a3e5a4575a707afcea12ef0fd87a361d5b0949dce5da3b0402fbb7d8d7cc08.exe	31
PID 1704 wrote to memory of 1504	1704	75a3e5a4575a707afcea12ef0fd87a361d5b0949dce5da3b0402fbb7d8d7cc08.exe	31
PID 1704 wrote to memory of 1504	1704	75a3e5a4575a707afcea12ef0fd87a361d5b0949dce5da3b0402fbb7d8d7cc08.exe	31
PID 1704 wrote to memory of 1504	1704	75a3e5a4575a707afcea12ef0fd87a361d5b0949dce5da3b0402fbb7d8d7cc08.exe	31

C:\Users\Admin\AppData\Local\Temp\75a3e5a4575a707afcea12ef0fd87a361d5b0949dce5da3b0402fbb7d8d7cc08.exe
"C:\Users\Admin\AppData\Local\Temp\75a3e5a4575a707afcea12ef0fd87a361d5b0949dce5da3b0402fbb7d8d7cc08.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1076
- C:\Windows\svchost.exe
  "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\75a3e5a4575a707afcea12ef0fd87a361d5b0949dce5da3b0402fbb7d8d7cc08.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1008
- - C:\Users\Admin\AppData\Local\Temp\75a3e5a4575a707afcea12ef0fd87a361d5b0949dce5da3b0402fbb7d8d7cc08.exe
    "C:\Users\Admin\AppData\Local\Temp\75a3e5a4575a707afcea12ef0fd87a361d5b0949dce5da3b0402fbb7d8d7cc08.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1704
  - - C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      4⤵
      PID:1504

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
PID:1552

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\75a3e5a4575a707afcea12ef0fd87a361d5b0949dce5da3b0402fbb7d8d7cc08.exe

Filesize
214KB

MD5
3ff3e4a873cb1eb481bc9e925d715fbb

SHA1
8a3614a8e8d60e5d1d5742e1b4a04be07e38eb74

SHA256
2a1f82a08ba90fa972f92da3799259a85991fbcfe7e287623d64efcb663507b5

SHA512
1189d2d5c00ef04cb67ca2603354bacc2324213c35ca6b6256a15ad299505e0d868e6b4f825288a38cad661350c9e95b33600bf306b36592401d72cf7586f437

Download Submit
C:\Windows\svchost.exe

Filesize
35KB

MD5
9e3c13b6556d5636b745d3e466d47467

SHA1
2ac1c19e268c49bc508f83fe3d20f495deb3e538

SHA256
20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

SHA512
5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

Download Submit
C:\Windows\svchost.exe

Filesize
35KB

MD5
9e3c13b6556d5636b745d3e466d47467

SHA1
2ac1c19e268c49bc508f83fe3d20f495deb3e538

SHA256
20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

SHA512
5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

Download Submit
C:\Windows\svchost.exe

Filesize
35KB

MD5
9e3c13b6556d5636b745d3e466d47467

SHA1
2ac1c19e268c49bc508f83fe3d20f495deb3e538

SHA256
20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

SHA512
5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

Download Submit
\Users\Admin\AppData\Local\Temp\75a3e5a4575a707afcea12ef0fd87a361d5b0949dce5da3b0402fbb7d8d7cc08.exe

Filesize
214KB

MD5
3ff3e4a873cb1eb481bc9e925d715fbb

SHA1
8a3614a8e8d60e5d1d5742e1b4a04be07e38eb74

SHA256
2a1f82a08ba90fa972f92da3799259a85991fbcfe7e287623d64efcb663507b5

SHA512
1189d2d5c00ef04cb67ca2603354bacc2324213c35ca6b6256a15ad299505e0d868e6b4f825288a38cad661350c9e95b33600bf306b36592401d72cf7586f437

Download Submit
\Users\Admin\AppData\Local\Temp\75a3e5a4575a707afcea12ef0fd87a361d5b0949dce5da3b0402fbb7d8d7cc08.exe

Filesize
214KB

MD5
3ff3e4a873cb1eb481bc9e925d715fbb

SHA1
8a3614a8e8d60e5d1d5742e1b4a04be07e38eb74

SHA256
2a1f82a08ba90fa972f92da3799259a85991fbcfe7e287623d64efcb663507b5

SHA512
1189d2d5c00ef04cb67ca2603354bacc2324213c35ca6b6256a15ad299505e0d868e6b4f825288a38cad661350c9e95b33600bf306b36592401d72cf7586f437

Download Submit
memory/1504-64-0x000007FEFB901000-0x000007FEFB903000-memory.dmp

Filesize
8KB

Download
memory/1704-61-0x0000000075C51000-0x0000000075C53000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing