b00a75c512f6b22ba19d14af7e92de6c7339a221de096454c7c3f31c54659d84

Analysis

max time kernel
44s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
04-12-2022 04:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b00a75c512f6b22ba19d14af7e92de6c7339a221de096454c7c3f31c54659d84.exe
Size

1.1MB
MD5

7123c82bfad22d8145a252293e297e69
SHA1

9f2c881f641dd129d45c7924e7977d15d5e57852
SHA256

b00a75c512f6b22ba19d14af7e92de6c7339a221de096454c7c3f31c54659d84
SHA512

025435f11fac821432fb1d3c86967c6aa1cfcff4ea08e745bfb699312b714dc0b509fd8fb6bf27f7a146894d7f4a66bc0480c70c39488ff0ebb2ae727c6affc6
SSDEEP

24576:JxGaj5DtzSTPMDZOyu95K2taqpWfrNgPN4pyMSmjmQ95cKtg+DWfrNJdNnpyvAf:CKNtu1r55tof+jMSmj/5PtKfHAvAf

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
860	b00a75c512f6b22ba19d14af7e92de6c7339a221de096454c7c3f31c54659d84.tmp
1160	cui.exe
524	cui.tmp
1548	c11w.exe

Loads dropped DLL 8 IoCs

pid	Process
1984	b00a75c512f6b22ba19d14af7e92de6c7339a221de096454c7c3f31c54659d84.exe
860	b00a75c512f6b22ba19d14af7e92de6c7339a221de096454c7c3f31c54659d84.tmp
860	b00a75c512f6b22ba19d14af7e92de6c7339a221de096454c7c3f31c54659d84.tmp
860	b00a75c512f6b22ba19d14af7e92de6c7339a221de096454c7c3f31c54659d84.tmp
1160	cui.exe
524	cui.tmp
524	cui.tmp
860	b00a75c512f6b22ba19d14af7e92de6c7339a221de096454c7c3f31c54659d84.tmp

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 860	1984	b00a75c512f6b22ba19d14af7e92de6c7339a221de096454c7c3f31c54659d84.exe	28
PID 1984 wrote to memory of 860	1984	b00a75c512f6b22ba19d14af7e92de6c7339a221de096454c7c3f31c54659d84.exe	28
PID 1984 wrote to memory of 860	1984	b00a75c512f6b22ba19d14af7e92de6c7339a221de096454c7c3f31c54659d84.exe	28
PID 1984 wrote to memory of 860	1984	b00a75c512f6b22ba19d14af7e92de6c7339a221de096454c7c3f31c54659d84.exe	28
PID 1984 wrote to memory of 860	1984	b00a75c512f6b22ba19d14af7e92de6c7339a221de096454c7c3f31c54659d84.exe	28
PID 1984 wrote to memory of 860	1984	b00a75c512f6b22ba19d14af7e92de6c7339a221de096454c7c3f31c54659d84.exe	28
PID 1984 wrote to memory of 860	1984	b00a75c512f6b22ba19d14af7e92de6c7339a221de096454c7c3f31c54659d84.exe	28
PID 860 wrote to memory of 1160	860	b00a75c512f6b22ba19d14af7e92de6c7339a221de096454c7c3f31c54659d84.tmp	29
PID 860 wrote to memory of 1160	860	b00a75c512f6b22ba19d14af7e92de6c7339a221de096454c7c3f31c54659d84.tmp	29
PID 860 wrote to memory of 1160	860	b00a75c512f6b22ba19d14af7e92de6c7339a221de096454c7c3f31c54659d84.tmp	29
PID 860 wrote to memory of 1160	860	b00a75c512f6b22ba19d14af7e92de6c7339a221de096454c7c3f31c54659d84.tmp	29
PID 860 wrote to memory of 1160	860	b00a75c512f6b22ba19d14af7e92de6c7339a221de096454c7c3f31c54659d84.tmp	29
PID 860 wrote to memory of 1160	860	b00a75c512f6b22ba19d14af7e92de6c7339a221de096454c7c3f31c54659d84.tmp	29
PID 860 wrote to memory of 1160	860	b00a75c512f6b22ba19d14af7e92de6c7339a221de096454c7c3f31c54659d84.tmp	29
PID 1160 wrote to memory of 524	1160	cui.exe	30
PID 1160 wrote to memory of 524	1160	cui.exe	30
PID 1160 wrote to memory of 524	1160	cui.exe	30
PID 1160 wrote to memory of 524	1160	cui.exe	30
PID 1160 wrote to memory of 524	1160	cui.exe	30
PID 1160 wrote to memory of 524	1160	cui.exe	30
PID 1160 wrote to memory of 524	1160	cui.exe	30
PID 860 wrote to memory of 1548	860	b00a75c512f6b22ba19d14af7e92de6c7339a221de096454c7c3f31c54659d84.tmp	32
PID 860 wrote to memory of 1548	860	b00a75c512f6b22ba19d14af7e92de6c7339a221de096454c7c3f31c54659d84.tmp	32
PID 860 wrote to memory of 1548	860	b00a75c512f6b22ba19d14af7e92de6c7339a221de096454c7c3f31c54659d84.tmp	32
PID 860 wrote to memory of 1548	860	b00a75c512f6b22ba19d14af7e92de6c7339a221de096454c7c3f31c54659d84.tmp	32
PID 1548 wrote to memory of 1680	1548	c11w.exe	34
PID 1548 wrote to memory of 1680	1548	c11w.exe	34
PID 1548 wrote to memory of 1680	1548	c11w.exe	34
PID 1548 wrote to memory of 1680	1548	c11w.exe	34

C:\Users\Admin\AppData\Local\Temp\b00a75c512f6b22ba19d14af7e92de6c7339a221de096454c7c3f31c54659d84.exe
"C:\Users\Admin\AppData\Local\Temp\b00a75c512f6b22ba19d14af7e92de6c7339a221de096454c7c3f31c54659d84.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Users\Admin\AppData\Local\Temp\is-HCDO6.tmp\b00a75c512f6b22ba19d14af7e92de6c7339a221de096454c7c3f31c54659d84.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-HCDO6.tmp\b00a75c512f6b22ba19d14af7e92de6c7339a221de096454c7c3f31c54659d84.tmp" /SL5="$80124,776043,119296,C:\Users\Admin\AppData\Local\Temp\b00a75c512f6b22ba19d14af7e92de6c7339a221de096454c7c3f31c54659d84.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:860
- - C:\Users\Admin\AppData\Local\Temp\is-7MA0T.tmp\cui.exe
    "C:\Users\Admin\AppData\Local\Temp\is-7MA0T.tmp\cui.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1160
  - - C:\Users\Admin\AppData\Local\Temp\is-MS7UN.tmp\cui.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-MS7UN.tmp\cui.tmp" /SL5="$10180,352315,119296,C:\Users\Admin\AppData\Local\Temp\is-7MA0T.tmp\cui.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:524
- - C:\Users\Admin\AppData\Local\Temp\c11w.exe
    "C:\Users\Admin\AppData\Local\Temp\c11w.exe" -cid=CID -affid=AFFID -sid= -skipifinstalled=1 -delay=0 -ref= -merchantcid= -pubcid= -componentid=200081 -exename="compete.exe" -downloadurl="" -ui=0 -suppress= -ch=0 -enablelog=0 -single_version=101016033930
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1548
  - - C:\Windows\SysWOW64\CScript.exe
      C:\Windows\system32\CScript.exe C:\Users\Admin\AppData\Local\Temp\hi.vbs //e:vbscript //NOLOGO
      4⤵
      PID:1680

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c11w.exe

Filesize
635KB

MD5
b4863478291f9b4a0cdfcf105f5cf51e

SHA1
6c02820f7eb26e4d68bdfa9819650d8ed799962a

SHA256
130166f508e351212e6c5a2283da2a6c564fc273d5aebd30351d7018a3d571a4

SHA512
e51dd329ac28db348625fd4743fac11f4a30d143ed6025dbdf53ce7752b230fa84bca4962838934cea99672fe932da468a6a2403c25bda674e497fad700b39f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\c11w.exe

Filesize
635KB

MD5
b4863478291f9b4a0cdfcf105f5cf51e

SHA1
6c02820f7eb26e4d68bdfa9819650d8ed799962a

SHA256
130166f508e351212e6c5a2283da2a6c564fc273d5aebd30351d7018a3d571a4

SHA512
e51dd329ac28db348625fd4743fac11f4a30d143ed6025dbdf53ce7752b230fa84bca4962838934cea99672fe932da468a6a2403c25bda674e497fad700b39f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\hi.vbs

Filesize
582B

MD5
e1911b107027b28bcce4c94462521288

SHA1
eb47ef9472aaca5ff9772877211233aa2741412b

SHA256
cc3f956bab15193c3968dfeeee47a0c477156a311d01fbb04ed6f06602bc6c6d

SHA512
f7f5caa42877d73b8a8b49eb9c367c9aa993a0f4508f6ce715e1934b5eb4a616cc672a498ebcde2315c2eabce2952d764605c13c728238c1ae322eb1b51a04fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7MA0T.tmp\cui.exe

Filesize
719KB

MD5
71b8319158c342bb646c965ff5133c89

SHA1
40ae14bf63908b4d4d90fc3c71c34b8abe0b114a

SHA256
18cd28781d5ebf8c7765368338b497ee6d8d68ec9876af6ac0b5c093e5daab52

SHA512
b1867d34701c9f2cda848597a3b7132ff14f2bcb47cb084367bb3ba99a1a603be78f2a011433f0a39696c32d5841e7d20ff21c6afcfef3ad4d9766cb2041cebc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7MA0T.tmp\cui.exe

Filesize
719KB

MD5
71b8319158c342bb646c965ff5133c89

SHA1
40ae14bf63908b4d4d90fc3c71c34b8abe0b114a

SHA256
18cd28781d5ebf8c7765368338b497ee6d8d68ec9876af6ac0b5c093e5daab52

SHA512
b1867d34701c9f2cda848597a3b7132ff14f2bcb47cb084367bb3ba99a1a603be78f2a011433f0a39696c32d5841e7d20ff21c6afcfef3ad4d9766cb2041cebc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HCDO6.tmp\b00a75c512f6b22ba19d14af7e92de6c7339a221de096454c7c3f31c54659d84.tmp

Filesize
1.1MB

MD5
129b8e200a6e90e813080c9ce0474063

SHA1
b5352cdae50e5ddf3eb62f75f2e77042386b8841

SHA256
cf0018affdd0b7921f922f1741ad229ec52c8a7d6c2b19889a149e0cc24aa839

SHA512
10949e7f0b6dd55e0a5d97e4531ef61427920cccc2136c0dd3607cdc79afa0d8a7178965a07039948da97f0200ead8fe5a54921620c943c7fc76dd5ef5a7c841

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-MS7UN.tmp\cui.tmp

Filesize
1.1MB

MD5
129b8e200a6e90e813080c9ce0474063

SHA1
b5352cdae50e5ddf3eb62f75f2e77042386b8841

SHA256
cf0018affdd0b7921f922f1741ad229ec52c8a7d6c2b19889a149e0cc24aa839

SHA512
10949e7f0b6dd55e0a5d97e4531ef61427920cccc2136c0dd3607cdc79afa0d8a7178965a07039948da97f0200ead8fe5a54921620c943c7fc76dd5ef5a7c841

Download Submit
\Users\Admin\AppData\Local\Temp\c11w.exe

Filesize
635KB

MD5
b4863478291f9b4a0cdfcf105f5cf51e

SHA1
6c02820f7eb26e4d68bdfa9819650d8ed799962a

SHA256
130166f508e351212e6c5a2283da2a6c564fc273d5aebd30351d7018a3d571a4

SHA512
e51dd329ac28db348625fd4743fac11f4a30d143ed6025dbdf53ce7752b230fa84bca4962838934cea99672fe932da468a6a2403c25bda674e497fad700b39f2

Download Submit
\Users\Admin\AppData\Local\Temp\is-7MA0T.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-7MA0T.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-7MA0T.tmp\cui.exe

Filesize
719KB

MD5
71b8319158c342bb646c965ff5133c89

SHA1
40ae14bf63908b4d4d90fc3c71c34b8abe0b114a

SHA256
18cd28781d5ebf8c7765368338b497ee6d8d68ec9876af6ac0b5c093e5daab52

SHA512
b1867d34701c9f2cda848597a3b7132ff14f2bcb47cb084367bb3ba99a1a603be78f2a011433f0a39696c32d5841e7d20ff21c6afcfef3ad4d9766cb2041cebc

Download Submit
\Users\Admin\AppData\Local\Temp\is-HCDO6.tmp\b00a75c512f6b22ba19d14af7e92de6c7339a221de096454c7c3f31c54659d84.tmp

Filesize
1.1MB

MD5
129b8e200a6e90e813080c9ce0474063

SHA1
b5352cdae50e5ddf3eb62f75f2e77042386b8841

SHA256
cf0018affdd0b7921f922f1741ad229ec52c8a7d6c2b19889a149e0cc24aa839

SHA512
10949e7f0b6dd55e0a5d97e4531ef61427920cccc2136c0dd3607cdc79afa0d8a7178965a07039948da97f0200ead8fe5a54921620c943c7fc76dd5ef5a7c841

Download Submit
\Users\Admin\AppData\Local\Temp\is-MS7UN.tmp\cui.tmp

Filesize
1.1MB

MD5
129b8e200a6e90e813080c9ce0474063

SHA1
b5352cdae50e5ddf3eb62f75f2e77042386b8841

SHA256
cf0018affdd0b7921f922f1741ad229ec52c8a7d6c2b19889a149e0cc24aa839

SHA512
10949e7f0b6dd55e0a5d97e4531ef61427920cccc2136c0dd3607cdc79afa0d8a7178965a07039948da97f0200ead8fe5a54921620c943c7fc76dd5ef5a7c841

Download Submit
\Users\Admin\AppData\Local\Temp\is-P8RCB.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-P8RCB.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/1160-77-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1160-68-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1548-85-0x0000000000260000-0x0000000000340000-memory.dmp

Filesize
896KB

Download
memory/1984-54-0x0000000076651000-0x0000000076653000-memory.dmp

Filesize
8KB

Download
memory/1984-63-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1984-55-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1984-86-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads