b00a75c512f6b22ba19d14af7e92de6c7339a221de096454c7c3f31c54659d84

General

Target

b00a75c512f6b22ba19d14af7e92de6c7339a221de096454c7c3f31c54659d84.exe
Size

1.1MB
MD5

7123c82bfad22d8145a252293e297e69
SHA1

9f2c881f641dd129d45c7924e7977d15d5e57852
SHA256

b00a75c512f6b22ba19d14af7e92de6c7339a221de096454c7c3f31c54659d84
SHA512

025435f11fac821432fb1d3c86967c6aa1cfcff4ea08e745bfb699312b714dc0b509fd8fb6bf27f7a146894d7f4a66bc0480c70c39488ff0ebb2ae727c6affc6
SSDEEP

24576:JxGaj5DtzSTPMDZOyu95K2taqpWfrNgPN4pyMSmjmQ95cKtg+DWfrNJdNnpyvAf:CKNtu1r55tof+jMSmj/5PtKfHAvAf

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
3784	b00a75c512f6b22ba19d14af7e92de6c7339a221de096454c7c3f31c54659d84.tmp
3932	cui.exe
456	cui.tmp
2108	c11w.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4980 wrote to memory of 3784	4980	b00a75c512f6b22ba19d14af7e92de6c7339a221de096454c7c3f31c54659d84.exe	81
PID 4980 wrote to memory of 3784	4980	b00a75c512f6b22ba19d14af7e92de6c7339a221de096454c7c3f31c54659d84.exe	81
PID 4980 wrote to memory of 3784	4980	b00a75c512f6b22ba19d14af7e92de6c7339a221de096454c7c3f31c54659d84.exe	81
PID 3784 wrote to memory of 3932	3784	b00a75c512f6b22ba19d14af7e92de6c7339a221de096454c7c3f31c54659d84.tmp	82
PID 3784 wrote to memory of 3932	3784	b00a75c512f6b22ba19d14af7e92de6c7339a221de096454c7c3f31c54659d84.tmp	82
PID 3784 wrote to memory of 3932	3784	b00a75c512f6b22ba19d14af7e92de6c7339a221de096454c7c3f31c54659d84.tmp	82
PID 3932 wrote to memory of 456	3932	cui.exe	83
PID 3932 wrote to memory of 456	3932	cui.exe	83
PID 3932 wrote to memory of 456	3932	cui.exe	83
PID 3784 wrote to memory of 2108	3784	b00a75c512f6b22ba19d14af7e92de6c7339a221de096454c7c3f31c54659d84.tmp	84
PID 3784 wrote to memory of 2108	3784	b00a75c512f6b22ba19d14af7e92de6c7339a221de096454c7c3f31c54659d84.tmp	84
PID 3784 wrote to memory of 2108	3784	b00a75c512f6b22ba19d14af7e92de6c7339a221de096454c7c3f31c54659d84.tmp	84
PID 2108 wrote to memory of 1244	2108	c11w.exe	86
PID 2108 wrote to memory of 1244	2108	c11w.exe	86
PID 2108 wrote to memory of 1244	2108	c11w.exe	86

C:\Users\Admin\AppData\Local\Temp\b00a75c512f6b22ba19d14af7e92de6c7339a221de096454c7c3f31c54659d84.exe
"C:\Users\Admin\AppData\Local\Temp\b00a75c512f6b22ba19d14af7e92de6c7339a221de096454c7c3f31c54659d84.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4980
- C:\Users\Admin\AppData\Local\Temp\is-UATEM.tmp\b00a75c512f6b22ba19d14af7e92de6c7339a221de096454c7c3f31c54659d84.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-UATEM.tmp\b00a75c512f6b22ba19d14af7e92de6c7339a221de096454c7c3f31c54659d84.tmp" /SL5="$8005E,776043,119296,C:\Users\Admin\AppData\Local\Temp\b00a75c512f6b22ba19d14af7e92de6c7339a221de096454c7c3f31c54659d84.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3784
- - C:\Users\Admin\AppData\Local\Temp\is-A3OP0.tmp\cui.exe
    "C:\Users\Admin\AppData\Local\Temp\is-A3OP0.tmp\cui.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3932
  - - C:\Users\Admin\AppData\Local\Temp\is-7MS1O.tmp\cui.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-7MS1O.tmp\cui.tmp" /SL5="$3002E,352315,119296,C:\Users\Admin\AppData\Local\Temp\is-A3OP0.tmp\cui.exe"
      4⤵
      Executes dropped EXE
      PID:456
- - C:\Users\Admin\AppData\Local\Temp\c11w.exe
    "C:\Users\Admin\AppData\Local\Temp\c11w.exe" -cid=CID -affid=AFFID -sid= -skipifinstalled=1 -delay=0 -ref= -merchantcid= -pubcid= -componentid=200081 -exename="compete.exe" -downloadurl="" -ui=0 -suppress= -ch=0 -enablelog=0 -single_version=101016033930
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2108
  - - C:\Windows\SysWOW64\CScript.exe
      C:\Windows\system32\CScript.exe C:\Users\Admin\AppData\Local\Temp\hi.vbs //e:vbscript //NOLOGO
      4⤵
      PID:1244

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c11w.exe

Filesize
635KB

MD5
b4863478291f9b4a0cdfcf105f5cf51e

SHA1
6c02820f7eb26e4d68bdfa9819650d8ed799962a

SHA256
130166f508e351212e6c5a2283da2a6c564fc273d5aebd30351d7018a3d571a4

SHA512
e51dd329ac28db348625fd4743fac11f4a30d143ed6025dbdf53ce7752b230fa84bca4962838934cea99672fe932da468a6a2403c25bda674e497fad700b39f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\c11w.exe

Filesize
635KB

MD5
b4863478291f9b4a0cdfcf105f5cf51e

SHA1
6c02820f7eb26e4d68bdfa9819650d8ed799962a

SHA256
130166f508e351212e6c5a2283da2a6c564fc273d5aebd30351d7018a3d571a4

SHA512
e51dd329ac28db348625fd4743fac11f4a30d143ed6025dbdf53ce7752b230fa84bca4962838934cea99672fe932da468a6a2403c25bda674e497fad700b39f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\hi.vbs

Filesize
582B

MD5
e1911b107027b28bcce4c94462521288

SHA1
eb47ef9472aaca5ff9772877211233aa2741412b

SHA256
cc3f956bab15193c3968dfeeee47a0c477156a311d01fbb04ed6f06602bc6c6d

SHA512
f7f5caa42877d73b8a8b49eb9c367c9aa993a0f4508f6ce715e1934b5eb4a616cc672a498ebcde2315c2eabce2952d764605c13c728238c1ae322eb1b51a04fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7MS1O.tmp\cui.tmp

Filesize
1.1MB

MD5
129b8e200a6e90e813080c9ce0474063

SHA1
b5352cdae50e5ddf3eb62f75f2e77042386b8841

SHA256
cf0018affdd0b7921f922f1741ad229ec52c8a7d6c2b19889a149e0cc24aa839

SHA512
10949e7f0b6dd55e0a5d97e4531ef61427920cccc2136c0dd3607cdc79afa0d8a7178965a07039948da97f0200ead8fe5a54921620c943c7fc76dd5ef5a7c841

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-A3OP0.tmp\cui.exe

Filesize
719KB

MD5
71b8319158c342bb646c965ff5133c89

SHA1
40ae14bf63908b4d4d90fc3c71c34b8abe0b114a

SHA256
18cd28781d5ebf8c7765368338b497ee6d8d68ec9876af6ac0b5c093e5daab52

SHA512
b1867d34701c9f2cda848597a3b7132ff14f2bcb47cb084367bb3ba99a1a603be78f2a011433f0a39696c32d5841e7d20ff21c6afcfef3ad4d9766cb2041cebc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-A3OP0.tmp\cui.exe

Filesize
719KB

MD5
71b8319158c342bb646c965ff5133c89

SHA1
40ae14bf63908b4d4d90fc3c71c34b8abe0b114a

SHA256
18cd28781d5ebf8c7765368338b497ee6d8d68ec9876af6ac0b5c093e5daab52

SHA512
b1867d34701c9f2cda848597a3b7132ff14f2bcb47cb084367bb3ba99a1a603be78f2a011433f0a39696c32d5841e7d20ff21c6afcfef3ad4d9766cb2041cebc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UATEM.tmp\b00a75c512f6b22ba19d14af7e92de6c7339a221de096454c7c3f31c54659d84.tmp

Filesize
1.1MB

MD5
129b8e200a6e90e813080c9ce0474063

SHA1
b5352cdae50e5ddf3eb62f75f2e77042386b8841

SHA256
cf0018affdd0b7921f922f1741ad229ec52c8a7d6c2b19889a149e0cc24aa839

SHA512
10949e7f0b6dd55e0a5d97e4531ef61427920cccc2136c0dd3607cdc79afa0d8a7178965a07039948da97f0200ead8fe5a54921620c943c7fc76dd5ef5a7c841

Download Submit
memory/2108-151-0x0000000000CD0000-0x0000000000DB0000-memory.dmp

Filesize
896KB

Download
memory/2108-152-0x0000000000CD0000-0x0000000000DB0000-memory.dmp

Filesize
896KB

Download
memory/3932-139-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3932-145-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3932-143-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4980-132-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4980-136-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4980-153-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads