d060815b1f8fc9c33ec0be4493429cde9ac679fbf834bae100b36f73a0dfda78

General

Target

d060815b1f8fc9c33ec0be4493429cde9ac679fbf834bae100b36f73a0dfda78.exe
Size

1.6MB
MD5

7fa432165f96568eb2196787ea46b857
SHA1

2cee7e00e23581014972392f9ce34b107b5d6817
SHA256

d060815b1f8fc9c33ec0be4493429cde9ac679fbf834bae100b36f73a0dfda78
SHA512

c9855a1354fceda137a0b96d9a9457f4b4a2fa21711e26d52f0adf161eaafea610087d6e610314497e7762e8b66236fe5becacfe23a41c961b695381d7a82b01
SSDEEP

12288:+0xNyi0PZZTv4tthukirC5H/7b5i1hxGBoWc:kVZD4t/97f7o1hQHc

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
524	explorer.exe
1496	explorer.exe

Loads dropped DLL 2 IoCs

pid	Process
2028	d060815b1f8fc9c33ec0be4493429cde9ac679fbf834bae100b36f73a0dfda78.exe
524	explorer.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1224 set thread context of 2028	1224	d060815b1f8fc9c33ec0be4493429cde9ac679fbf834bae100b36f73a0dfda78.exe	28
PID 524 set thread context of 1496	524	explorer.exe	30

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2028	d060815b1f8fc9c33ec0be4493429cde9ac679fbf834bae100b36f73a0dfda78.exe
2028	d060815b1f8fc9c33ec0be4493429cde9ac679fbf834bae100b36f73a0dfda78.exe
1496	explorer.exe
1496	explorer.exe
1496	explorer.exe
1496	explorer.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1224 wrote to memory of 2028	1224	d060815b1f8fc9c33ec0be4493429cde9ac679fbf834bae100b36f73a0dfda78.exe	28
PID 1224 wrote to memory of 2028	1224	d060815b1f8fc9c33ec0be4493429cde9ac679fbf834bae100b36f73a0dfda78.exe	28
PID 1224 wrote to memory of 2028	1224	d060815b1f8fc9c33ec0be4493429cde9ac679fbf834bae100b36f73a0dfda78.exe	28
PID 1224 wrote to memory of 2028	1224	d060815b1f8fc9c33ec0be4493429cde9ac679fbf834bae100b36f73a0dfda78.exe	28
PID 1224 wrote to memory of 2028	1224	d060815b1f8fc9c33ec0be4493429cde9ac679fbf834bae100b36f73a0dfda78.exe	28
PID 1224 wrote to memory of 2028	1224	d060815b1f8fc9c33ec0be4493429cde9ac679fbf834bae100b36f73a0dfda78.exe	28
PID 1224 wrote to memory of 2028	1224	d060815b1f8fc9c33ec0be4493429cde9ac679fbf834bae100b36f73a0dfda78.exe	28
PID 1224 wrote to memory of 2028	1224	d060815b1f8fc9c33ec0be4493429cde9ac679fbf834bae100b36f73a0dfda78.exe	28
PID 1224 wrote to memory of 2028	1224	d060815b1f8fc9c33ec0be4493429cde9ac679fbf834bae100b36f73a0dfda78.exe	28
PID 1224 wrote to memory of 2028	1224	d060815b1f8fc9c33ec0be4493429cde9ac679fbf834bae100b36f73a0dfda78.exe	28
PID 1224 wrote to memory of 2028	1224	d060815b1f8fc9c33ec0be4493429cde9ac679fbf834bae100b36f73a0dfda78.exe	28
PID 2028 wrote to memory of 524	2028	d060815b1f8fc9c33ec0be4493429cde9ac679fbf834bae100b36f73a0dfda78.exe	29
PID 2028 wrote to memory of 524	2028	d060815b1f8fc9c33ec0be4493429cde9ac679fbf834bae100b36f73a0dfda78.exe	29
PID 2028 wrote to memory of 524	2028	d060815b1f8fc9c33ec0be4493429cde9ac679fbf834bae100b36f73a0dfda78.exe	29
PID 2028 wrote to memory of 524	2028	d060815b1f8fc9c33ec0be4493429cde9ac679fbf834bae100b36f73a0dfda78.exe	29
PID 524 wrote to memory of 1496	524	explorer.exe	30
PID 524 wrote to memory of 1496	524	explorer.exe	30
PID 524 wrote to memory of 1496	524	explorer.exe	30
PID 524 wrote to memory of 1496	524	explorer.exe	30
PID 524 wrote to memory of 1496	524	explorer.exe	30
PID 524 wrote to memory of 1496	524	explorer.exe	30
PID 524 wrote to memory of 1496	524	explorer.exe	30
PID 524 wrote to memory of 1496	524	explorer.exe	30
PID 524 wrote to memory of 1496	524	explorer.exe	30
PID 524 wrote to memory of 1496	524	explorer.exe	30
PID 524 wrote to memory of 1496	524	explorer.exe	30

C:\Users\Admin\AppData\Local\Temp\d060815b1f8fc9c33ec0be4493429cde9ac679fbf834bae100b36f73a0dfda78.exe
"C:\Users\Admin\AppData\Local\Temp\d060815b1f8fc9c33ec0be4493429cde9ac679fbf834bae100b36f73a0dfda78.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1224
- C:\Users\Admin\AppData\Local\Temp\d060815b1f8fc9c33ec0be4493429cde9ac679fbf834bae100b36f73a0dfda78.exe
  "C:\Users\Admin\AppData\Local\Temp\d060815b1f8fc9c33ec0be4493429cde9ac679fbf834bae100b36f73a0dfda78.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Users\Admin\AppData\Local\Temp\explorer.exe
    "C:\Users\Admin\AppData\Local\Temp\explorer.exe" --ch=1
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:524
  - - C:\Users\Admin\AppData\Local\Temp\explorer.exe
      "C:\Users\Admin\AppData\Local\Temp\explorer.exe" --ch=1
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1496

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\explorer.exe

Filesize
1.6MB

MD5
7fa432165f96568eb2196787ea46b857

SHA1
2cee7e00e23581014972392f9ce34b107b5d6817

SHA256
d060815b1f8fc9c33ec0be4493429cde9ac679fbf834bae100b36f73a0dfda78

SHA512
c9855a1354fceda137a0b96d9a9457f4b4a2fa21711e26d52f0adf161eaafea610087d6e610314497e7762e8b66236fe5becacfe23a41c961b695381d7a82b01

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorer.exe

Filesize
1.6MB

MD5
7fa432165f96568eb2196787ea46b857

SHA1
2cee7e00e23581014972392f9ce34b107b5d6817

SHA256
d060815b1f8fc9c33ec0be4493429cde9ac679fbf834bae100b36f73a0dfda78

SHA512
c9855a1354fceda137a0b96d9a9457f4b4a2fa21711e26d52f0adf161eaafea610087d6e610314497e7762e8b66236fe5becacfe23a41c961b695381d7a82b01

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorer.exe

Filesize
1.6MB

MD5
7fa432165f96568eb2196787ea46b857

SHA1
2cee7e00e23581014972392f9ce34b107b5d6817

SHA256
d060815b1f8fc9c33ec0be4493429cde9ac679fbf834bae100b36f73a0dfda78

SHA512
c9855a1354fceda137a0b96d9a9457f4b4a2fa21711e26d52f0adf161eaafea610087d6e610314497e7762e8b66236fe5becacfe23a41c961b695381d7a82b01

Download Submit
\Users\Admin\AppData\Local\Temp\explorer.exe

Filesize
1.6MB

MD5
7fa432165f96568eb2196787ea46b857

SHA1
2cee7e00e23581014972392f9ce34b107b5d6817

SHA256
d060815b1f8fc9c33ec0be4493429cde9ac679fbf834bae100b36f73a0dfda78

SHA512
c9855a1354fceda137a0b96d9a9457f4b4a2fa21711e26d52f0adf161eaafea610087d6e610314497e7762e8b66236fe5becacfe23a41c961b695381d7a82b01

Download Submit
\Users\Admin\AppData\Local\Temp\explorer.exe

Filesize
1.6MB

MD5
7fa432165f96568eb2196787ea46b857

SHA1
2cee7e00e23581014972392f9ce34b107b5d6817

SHA256
d060815b1f8fc9c33ec0be4493429cde9ac679fbf834bae100b36f73a0dfda78

SHA512
c9855a1354fceda137a0b96d9a9457f4b4a2fa21711e26d52f0adf161eaafea610087d6e610314497e7762e8b66236fe5becacfe23a41c961b695381d7a82b01

Download Submit
memory/1496-96-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/1496-94-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2028-62-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2028-70-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2028-71-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2028-69-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2028-66-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2028-64-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2028-54-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2028-61-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2028-59-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2028-57-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2028-95-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2028-55-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download

Analysis

Sharing