eb73e7c6924cbd7f195e233c1216bd3daa050de89f06f1fdf8243526ceb71999

General

Target

eb73e7c6924cbd7f195e233c1216bd3daa050de89f06f1fdf8243526ceb71999.exe
Size

343KB
MD5

373d142bd404baba12dcdbe83d7345f1
SHA1

9d244c94f7e426311083c513c7730c60bf380222
SHA256

eb73e7c6924cbd7f195e233c1216bd3daa050de89f06f1fdf8243526ceb71999
SHA512

256fa9fd646dfdcd9b86bc448366f99bc50916b168fd46fd92a3eb4320d4013b0ab0a1d3bd0cf1cda0ef6000094c8fd5a01404d928397e1aa4a4739d7342ec87
SSDEEP

6144:KFNsV+F2rn1mpkjdsLVN/A+FSqhppRo4lm3Z83R/+M1g/wt+Nzf9OtVgOQWl9:KArwWjdcUatHjo3Z83kn/H0tSOQ89

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1420	R_Server.exe

Deletes itself 1 IoCs

pid	Process
1320	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
2028	eb73e7c6924cbd7f195e233c1216bd3daa050de89f06f1fdf8243526ceb71999.exe
2028	eb73e7c6924cbd7f195e233c1216bd3daa050de89f06f1fdf8243526ceb71999.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Deleteme.bat	eb73e7c6924cbd7f195e233c1216bd3daa050de89f06f1fdf8243526ceb71999.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\R_Server.exe	eb73e7c6924cbd7f195e233c1216bd3daa050de89f06f1fdf8243526ceb71999.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\R_Server.exe	eb73e7c6924cbd7f195e233c1216bd3daa050de89f06f1fdf8243526ceb71999.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 1420	2028	eb73e7c6924cbd7f195e233c1216bd3daa050de89f06f1fdf8243526ceb71999.exe	28
PID 2028 wrote to memory of 1420	2028	eb73e7c6924cbd7f195e233c1216bd3daa050de89f06f1fdf8243526ceb71999.exe	28
PID 2028 wrote to memory of 1420	2028	eb73e7c6924cbd7f195e233c1216bd3daa050de89f06f1fdf8243526ceb71999.exe	28
PID 2028 wrote to memory of 1420	2028	eb73e7c6924cbd7f195e233c1216bd3daa050de89f06f1fdf8243526ceb71999.exe	28
PID 1420 wrote to memory of 1408	1420	R_Server.exe	29
PID 1420 wrote to memory of 1408	1420	R_Server.exe	29
PID 1420 wrote to memory of 1408	1420	R_Server.exe	29
PID 1420 wrote to memory of 1408	1420	R_Server.exe	29
PID 2028 wrote to memory of 1320	2028	eb73e7c6924cbd7f195e233c1216bd3daa050de89f06f1fdf8243526ceb71999.exe	30
PID 2028 wrote to memory of 1320	2028	eb73e7c6924cbd7f195e233c1216bd3daa050de89f06f1fdf8243526ceb71999.exe	30
PID 2028 wrote to memory of 1320	2028	eb73e7c6924cbd7f195e233c1216bd3daa050de89f06f1fdf8243526ceb71999.exe	30
PID 2028 wrote to memory of 1320	2028	eb73e7c6924cbd7f195e233c1216bd3daa050de89f06f1fdf8243526ceb71999.exe	30

C:\Users\Admin\AppData\Local\Temp\eb73e7c6924cbd7f195e233c1216bd3daa050de89f06f1fdf8243526ceb71999.exe
"C:\Users\Admin\AppData\Local\Temp\eb73e7c6924cbd7f195e233c1216bd3daa050de89f06f1fdf8243526ceb71999.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Program Files\Common Files\Microsoft Shared\MSInfo\R_Server.exe
  "C:\Program Files\Common Files\Microsoft Shared\MSInfo\R_Server.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1420
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:1408
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\system32\Deleteme.bat
  2⤵
  - Deletes itself
  PID:1320

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSInfo\R_Server.exe

Filesize
343KB

MD5
373d142bd404baba12dcdbe83d7345f1

SHA1
9d244c94f7e426311083c513c7730c60bf380222

SHA256
eb73e7c6924cbd7f195e233c1216bd3daa050de89f06f1fdf8243526ceb71999

SHA512
256fa9fd646dfdcd9b86bc448366f99bc50916b168fd46fd92a3eb4320d4013b0ab0a1d3bd0cf1cda0ef6000094c8fd5a01404d928397e1aa4a4739d7342ec87

Download Submit
C:\Program Files\Common Files\Microsoft Shared\MSInfo\R_Server.exe

Filesize
343KB

MD5
373d142bd404baba12dcdbe83d7345f1

SHA1
9d244c94f7e426311083c513c7730c60bf380222

SHA256
eb73e7c6924cbd7f195e233c1216bd3daa050de89f06f1fdf8243526ceb71999

SHA512
256fa9fd646dfdcd9b86bc448366f99bc50916b168fd46fd92a3eb4320d4013b0ab0a1d3bd0cf1cda0ef6000094c8fd5a01404d928397e1aa4a4739d7342ec87

Download Submit
C:\Windows\SysWOW64\Deleteme.bat

Filesize
254B

MD5
21d05c4ea4a8c450c0d129ca910fa79c

SHA1
0472a5a2e5b5b2996c1e907c65c42677e5d02896

SHA256
f1a09d7ee4ce5d12cf5780da94adc95c6ade9804398180d337b1f82d7c8fba1b

SHA512
e4c59006af94d2c8b2845c7b0c3db4436f99e1c68557108ff6bb10b8011efa977012b1b7f4a20b87ccea9c0db685f84b85b6be6c937135d54fde4ea69b07ee15

Download Submit
\Program Files\Common Files\Microsoft Shared\MSInfo\R_Server.exe

Filesize
343KB

MD5
373d142bd404baba12dcdbe83d7345f1

SHA1
9d244c94f7e426311083c513c7730c60bf380222

SHA256
eb73e7c6924cbd7f195e233c1216bd3daa050de89f06f1fdf8243526ceb71999

SHA512
256fa9fd646dfdcd9b86bc448366f99bc50916b168fd46fd92a3eb4320d4013b0ab0a1d3bd0cf1cda0ef6000094c8fd5a01404d928397e1aa4a4739d7342ec87

Download Submit
\Program Files\Common Files\Microsoft Shared\MSInfo\R_Server.exe

Filesize
343KB

MD5
373d142bd404baba12dcdbe83d7345f1

SHA1
9d244c94f7e426311083c513c7730c60bf380222

SHA256
eb73e7c6924cbd7f195e233c1216bd3daa050de89f06f1fdf8243526ceb71999

SHA512
256fa9fd646dfdcd9b86bc448366f99bc50916b168fd46fd92a3eb4320d4013b0ab0a1d3bd0cf1cda0ef6000094c8fd5a01404d928397e1aa4a4739d7342ec87

Download Submit
memory/2028-54-0x00000000762F1000-0x00000000762F3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing