c543532871a21bfc92fcfdc963d0cf14541e4643671ddb7d052fe9731e949c40

General

Target

c543532871a21bfc92fcfdc963d0cf14541e4643671ddb7d052fe9731e949c40.exe
Size

68KB
MD5

286f37d13968fcb857b0f311bfaea1cc
SHA1

0e8767c92417d86bac427194a635ffd105bd4916
SHA256

c543532871a21bfc92fcfdc963d0cf14541e4643671ddb7d052fe9731e949c40
SHA512

26c41e532bffc220e145121d26b7ebdb88f41986553cd0673568045ea676b2ba355944291f02630164559c1782f1b3f24761e882f8f9053090db49f011b7d9c3
SSDEEP

768:7p+kukUKSqquNJ0GQMzHI27TGO4xUCv4Bl1fEgs4U:dj6qquNJ0GQCHI27K+CQl3q

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	c543532871a21bfc92fcfdc963d0cf14541e4643671ddb7d052fe9731e949c40.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\kernel32.vxd	c543532871a21bfc92fcfdc963d0cf14541e4643671ddb7d052fe9731e949c40.exe
File opened for modification	C:\Windows\LozK.vbs	c543532871a21bfc92fcfdc963d0cf14541e4643671ddb7d052fe9731e949c40.exe
File created	C:\Windows\LozK.bat	c543532871a21bfc92fcfdc963d0cf14541e4643671ddb7d052fe9731e949c40.exe
File opened for modification	C:\Windows\kernel32.vxd	c543532871a21bfc92fcfdc963d0cf14541e4643671ddb7d052fe9731e949c40.exe
File created	C:\Windows\user32.vxd	c543532871a21bfc92fcfdc963d0cf14541e4643671ddb7d052fe9731e949c40.exe
File created	C:\Windows\LozK.vbs	c543532871a21bfc92fcfdc963d0cf14541e4643671ddb7d052fe9731e949c40.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1480 wrote to memory of 984	1480	c543532871a21bfc92fcfdc963d0cf14541e4643671ddb7d052fe9731e949c40.exe	29
PID 1480 wrote to memory of 984	1480	c543532871a21bfc92fcfdc963d0cf14541e4643671ddb7d052fe9731e949c40.exe	29
PID 1480 wrote to memory of 984	1480	c543532871a21bfc92fcfdc963d0cf14541e4643671ddb7d052fe9731e949c40.exe	29
PID 1480 wrote to memory of 984	1480	c543532871a21bfc92fcfdc963d0cf14541e4643671ddb7d052fe9731e949c40.exe	29
PID 1480 wrote to memory of 936	1480	c543532871a21bfc92fcfdc963d0cf14541e4643671ddb7d052fe9731e949c40.exe	27
PID 1480 wrote to memory of 936	1480	c543532871a21bfc92fcfdc963d0cf14541e4643671ddb7d052fe9731e949c40.exe	27
PID 1480 wrote to memory of 936	1480	c543532871a21bfc92fcfdc963d0cf14541e4643671ddb7d052fe9731e949c40.exe	27
PID 1480 wrote to memory of 936	1480	c543532871a21bfc92fcfdc963d0cf14541e4643671ddb7d052fe9731e949c40.exe	27
PID 1480 wrote to memory of 1916	1480	c543532871a21bfc92fcfdc963d0cf14541e4643671ddb7d052fe9731e949c40.exe	28
PID 1480 wrote to memory of 1916	1480	c543532871a21bfc92fcfdc963d0cf14541e4643671ddb7d052fe9731e949c40.exe	28
PID 1480 wrote to memory of 1916	1480	c543532871a21bfc92fcfdc963d0cf14541e4643671ddb7d052fe9731e949c40.exe	28
PID 1480 wrote to memory of 1916	1480	c543532871a21bfc92fcfdc963d0cf14541e4643671ddb7d052fe9731e949c40.exe	28
PID 1480 wrote to memory of 1712	1480	c543532871a21bfc92fcfdc963d0cf14541e4643671ddb7d052fe9731e949c40.exe	31
PID 1480 wrote to memory of 1712	1480	c543532871a21bfc92fcfdc963d0cf14541e4643671ddb7d052fe9731e949c40.exe	31
PID 1480 wrote to memory of 1712	1480	c543532871a21bfc92fcfdc963d0cf14541e4643671ddb7d052fe9731e949c40.exe	31
PID 1480 wrote to memory of 1712	1480	c543532871a21bfc92fcfdc963d0cf14541e4643671ddb7d052fe9731e949c40.exe	31
PID 1480 wrote to memory of 1104	1480	c543532871a21bfc92fcfdc963d0cf14541e4643671ddb7d052fe9731e949c40.exe	33
PID 1480 wrote to memory of 1104	1480	c543532871a21bfc92fcfdc963d0cf14541e4643671ddb7d052fe9731e949c40.exe	33
PID 1480 wrote to memory of 1104	1480	c543532871a21bfc92fcfdc963d0cf14541e4643671ddb7d052fe9731e949c40.exe	33
PID 1480 wrote to memory of 1104	1480	c543532871a21bfc92fcfdc963d0cf14541e4643671ddb7d052fe9731e949c40.exe	33

C:\Users\Admin\AppData\Local\Temp\c543532871a21bfc92fcfdc963d0cf14541e4643671ddb7d052fe9731e949c40.exe
"C:\Users\Admin\AppData\Local\Temp\c543532871a21bfc92fcfdc963d0cf14541e4643671ddb7d052fe9731e949c40.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c DEL C:\Windows\Temp\WDat\*.exe
  2⤵
  PID:936
- C:\Windows\SysWOW64\wscript.exe
  wscript.exe C:\Windows\LozK.vbs
  2⤵
  PID:1916
- C:\Windows\SysWOW64\wscript.exe
  wscript.exe C:\Windows\LozK.vbs
  2⤵
  PID:984
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c DEL C:\Windows\Temp\WDat\*.exe
  2⤵
  PID:1712
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c DEL C:\Windows\Temp\WDat\*.exe
  2⤵
  PID:1104

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\LozK.vbs

Filesize
5B

MD5
aa936ac7b9611015918c9f1252229063

SHA1
6377385cc8617520e422e8286e8fa034582b66bd

SHA256
33cc6ccbde43b1a21a93043f0948c4ad42411e54a393ed4bac460158192e3686

SHA512
410b7f44c15f4a77f0846d65b3648a4aec7e160f4ac58fbc9b034ee656039ec43e8210f9a9923e15bbdd0f904d3bb76fddfbadfb0b36cdf3d6e261553a9b8c56

Download Submit
C:\Windows\Temp\WDat\43282.exe

Filesize
53KB

MD5
41d0caffbc5db738d7e2e0539a05d7e9

SHA1
a0c95a8c8c445073652cb8a85b00dd6747fdf037

SHA256
6b4167fc298edb8e005e3fb1270ec332e1e77d4389e6f234428d0b8dc84fe5b6

SHA512
a3552c330c8c0913f32bcfdbe0f5ae7d5897b642098541af3b33ccdea9c5837d75be00b3289f7ca830db874de11932831b36b25bf34d2824ba4b147abb0907ca

Download Submit
memory/984-60-0x0000000076201000-0x0000000076203000-memory.dmp

Filesize
8KB

Download
memory/1480-59-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads