8092a0a6ec0b43d84fee9922636e856d53b4ab08d40935991b10c46b63537c24

General

Target

8092a0a6ec0b43d84fee9922636e856d53b4ab08d40935991b10c46b63537c24.exe
Size

1.3MB
MD5

9c648c3efce5d25e2730b34991def1eb
SHA1

5afb446b509460c76d1c95327ec54609a5c0527b
SHA256

8092a0a6ec0b43d84fee9922636e856d53b4ab08d40935991b10c46b63537c24
SHA512

10e9f901606a633fd7b2a0691eb916a700997029e95efed19425e853d71626ffb43e925099c136ad22146fedbb92b354af336ed8e935be742e32c5cfc66cd0b3
SSDEEP

12288:50SkPW3ydDuYyYeHRc4Cwu2gkcRpkAI+XuUEvHNot5H3mWjc:KLu3yRuYLMc4CwJUKgMvHu5dj

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1736	vstart.exe

Deletes itself 1 IoCs

pid	Process
1412	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
2032	8092a0a6ec0b43d84fee9922636e856d53b4ab08d40935991b10c46b63537c24.exe
2032	8092a0a6ec0b43d84fee9922636e856d53b4ab08d40935991b10c46b63537c24.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\_vstart.exe	vstart.exe
File opened for modification	C:\Windows\SysWOW64\_vstart.exe	vstart.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1736 set thread context of 960	1736	vstart.exe	28

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\Delet.bat	8092a0a6ec0b43d84fee9922636e856d53b4ab08d40935991b10c46b63537c24.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\vstart.exe	8092a0a6ec0b43d84fee9922636e856d53b4ab08d40935991b10c46b63537c24.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\vstart.exe	8092a0a6ec0b43d84fee9922636e856d53b4ab08d40935991b10c46b63537c24.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 1736	2032	8092a0a6ec0b43d84fee9922636e856d53b4ab08d40935991b10c46b63537c24.exe	27
PID 2032 wrote to memory of 1736	2032	8092a0a6ec0b43d84fee9922636e856d53b4ab08d40935991b10c46b63537c24.exe	27
PID 2032 wrote to memory of 1736	2032	8092a0a6ec0b43d84fee9922636e856d53b4ab08d40935991b10c46b63537c24.exe	27
PID 2032 wrote to memory of 1736	2032	8092a0a6ec0b43d84fee9922636e856d53b4ab08d40935991b10c46b63537c24.exe	27
PID 1736 wrote to memory of 960	1736	vstart.exe	28
PID 1736 wrote to memory of 960	1736	vstart.exe	28
PID 1736 wrote to memory of 960	1736	vstart.exe	28
PID 1736 wrote to memory of 960	1736	vstart.exe	28
PID 1736 wrote to memory of 960	1736	vstart.exe	28
PID 1736 wrote to memory of 960	1736	vstart.exe	28
PID 1736 wrote to memory of 852	1736	vstart.exe	29
PID 1736 wrote to memory of 852	1736	vstart.exe	29
PID 1736 wrote to memory of 852	1736	vstart.exe	29
PID 1736 wrote to memory of 852	1736	vstart.exe	29
PID 2032 wrote to memory of 1412	2032	8092a0a6ec0b43d84fee9922636e856d53b4ab08d40935991b10c46b63537c24.exe	30
PID 2032 wrote to memory of 1412	2032	8092a0a6ec0b43d84fee9922636e856d53b4ab08d40935991b10c46b63537c24.exe	30
PID 2032 wrote to memory of 1412	2032	8092a0a6ec0b43d84fee9922636e856d53b4ab08d40935991b10c46b63537c24.exe	30
PID 2032 wrote to memory of 1412	2032	8092a0a6ec0b43d84fee9922636e856d53b4ab08d40935991b10c46b63537c24.exe	30

C:\Users\Admin\AppData\Local\Temp\8092a0a6ec0b43d84fee9922636e856d53b4ab08d40935991b10c46b63537c24.exe
"C:\Users\Admin\AppData\Local\Temp\8092a0a6ec0b43d84fee9922636e856d53b4ab08d40935991b10c46b63537c24.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Program Files\Common Files\Microsoft Shared\MSINFO\vstart.exe
  "C:\Program Files\Common Files\Microsoft Shared\MSINFO\vstart.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1736
- - C:\Windows\SysWOW64\calc.exe
    "C:\Windows\system32\calc.exe"
    3⤵
    PID:960
- - C:\program files\internet explorer\IEXPLORE.EXE
    "C:\program files\internet explorer\IEXPLORE.EXE"
    3⤵
    PID:852
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\Delet.bat""
  2⤵
  - Deletes itself
  PID:1412

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSINFO\Delet.bat

Filesize
248B

MD5
beec7a7f4e730b29b65580fce03b039d

SHA1
09ed962d58dfd1fe49611b910c4af402679ca978

SHA256
f50a232dd08e3b08f43258a0c78da13df101ec7a526b72d42cd2e9ad4d08f124

SHA512
8e86f10df29bef74fef80d0b98deefa87c71f13e606d0da09eb9a6686a46fb2e24e35f9a2e7c9630c3547f0ec0a8e094a75a2a2bf7b5a87a0553dd8066967942

Download Submit
C:\Program Files\Common Files\Microsoft Shared\MSINFO\vstart.exe

Filesize
1.3MB

MD5
9c648c3efce5d25e2730b34991def1eb

SHA1
5afb446b509460c76d1c95327ec54609a5c0527b

SHA256
8092a0a6ec0b43d84fee9922636e856d53b4ab08d40935991b10c46b63537c24

SHA512
10e9f901606a633fd7b2a0691eb916a700997029e95efed19425e853d71626ffb43e925099c136ad22146fedbb92b354af336ed8e935be742e32c5cfc66cd0b3

Download Submit
C:\Program Files\Common Files\Microsoft Shared\MSInfo\vstart.exe

Filesize
1.3MB

MD5
9c648c3efce5d25e2730b34991def1eb

SHA1
5afb446b509460c76d1c95327ec54609a5c0527b

SHA256
8092a0a6ec0b43d84fee9922636e856d53b4ab08d40935991b10c46b63537c24

SHA512
10e9f901606a633fd7b2a0691eb916a700997029e95efed19425e853d71626ffb43e925099c136ad22146fedbb92b354af336ed8e935be742e32c5cfc66cd0b3

Download Submit
\Program Files\Common Files\Microsoft Shared\MSInfo\vstart.exe

Filesize
1.3MB

MD5
9c648c3efce5d25e2730b34991def1eb

SHA1
5afb446b509460c76d1c95327ec54609a5c0527b

SHA256
8092a0a6ec0b43d84fee9922636e856d53b4ab08d40935991b10c46b63537c24

SHA512
10e9f901606a633fd7b2a0691eb916a700997029e95efed19425e853d71626ffb43e925099c136ad22146fedbb92b354af336ed8e935be742e32c5cfc66cd0b3

Download Submit
\Program Files\Common Files\Microsoft Shared\MSInfo\vstart.exe

Filesize
1.3MB

MD5
9c648c3efce5d25e2730b34991def1eb

SHA1
5afb446b509460c76d1c95327ec54609a5c0527b

SHA256
8092a0a6ec0b43d84fee9922636e856d53b4ab08d40935991b10c46b63537c24

SHA512
10e9f901606a633fd7b2a0691eb916a700997029e95efed19425e853d71626ffb43e925099c136ad22146fedbb92b354af336ed8e935be742e32c5cfc66cd0b3

Download Submit
memory/960-66-0x0000000000400000-0x0000000000546000-memory.dmp

Filesize
1.3MB

Download
memory/1736-63-0x0000000000400000-0x0000000000546000-memory.dmp

Filesize
1.3MB

Download
memory/1736-68-0x0000000000400000-0x0000000000546000-memory.dmp

Filesize
1.3MB

Download
memory/2032-62-0x0000000002320000-0x0000000002466000-memory.dmp

Filesize
1.3MB

Download
memory/2032-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download
memory/2032-70-0x0000000000400000-0x0000000000546000-memory.dmp

Filesize
1.3MB

Download
memory/2032-55-0x0000000000400000-0x0000000000546000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing