c3ea69784be8db91d59f0dae4c8886e328fa7969c09822af5f5dd45179bc5d2f

General

Target

c3ea69784be8db91d59f0dae4c8886e328fa7969c09822af5f5dd45179bc5d2f.exe
Size

92KB
MD5

2f3c38076b105da15c752b297123e9d5
SHA1

1201c204239f73acfa0a3d6bc4f0f05585dc4ad7
SHA256

c3ea69784be8db91d59f0dae4c8886e328fa7969c09822af5f5dd45179bc5d2f
SHA512

4a36da0cfe07a5a68ef5fdb727696f847cfc7ab5a241a4ecfbd3fcd5fab34845ebaa82a70cec76381a751fde2d4d724cbd7e6d9ce587ca260840f00a3450f599
SSDEEP

1536:CVQS/apmtkCKAY1k2U3qSqu3E0GQ950mbJ8:CVQrmtkCKjevS450

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1828	system360.exe

Loads dropped DLL 2 IoCs

pid	Process
1828	system360.exe
1828	system360.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\360safe\360system.dll	c3ea69784be8db91d59f0dae4c8886e328fa7969c09822af5f5dd45179bc5d2f.exe
File opened for modification	C:\Program Files\360safe\system360.exe	c3ea69784be8db91d59f0dae4c8886e328fa7969c09822af5f5dd45179bc5d2f.exe
File created	C:\Program Files\360safe\360class.exe	c3ea69784be8db91d59f0dae4c8886e328fa7969c09822af5f5dd45179bc5d2f.exe
File opened for modification	C:\Program Files\360safe\360class.exe	c3ea69784be8db91d59f0dae4c8886e328fa7969c09822af5f5dd45179bc5d2f.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\system\kill.bat	c3ea69784be8db91d59f0dae4c8886e328fa7969c09822af5f5dd45179bc5d2f.exe
File created	\??\c:\WINDOWS\360_safe\sendmail.bat	system360.exe
File created	\??\c:\WINDOWS\system.txt	system360.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1828	system360.exe
1828	system360.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1828	system360.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2008	c3ea69784be8db91d59f0dae4c8886e328fa7969c09822af5f5dd45179bc5d2f.exe
1828	system360.exe
1828	system360.exe
1828	system360.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 3064	2008	c3ea69784be8db91d59f0dae4c8886e328fa7969c09822af5f5dd45179bc5d2f.exe	79
PID 2008 wrote to memory of 3064	2008	c3ea69784be8db91d59f0dae4c8886e328fa7969c09822af5f5dd45179bc5d2f.exe	79
PID 2008 wrote to memory of 3064	2008	c3ea69784be8db91d59f0dae4c8886e328fa7969c09822af5f5dd45179bc5d2f.exe	79
PID 2008 wrote to memory of 1828	2008	c3ea69784be8db91d59f0dae4c8886e328fa7969c09822af5f5dd45179bc5d2f.exe	80
PID 2008 wrote to memory of 1828	2008	c3ea69784be8db91d59f0dae4c8886e328fa7969c09822af5f5dd45179bc5d2f.exe	80
PID 2008 wrote to memory of 1828	2008	c3ea69784be8db91d59f0dae4c8886e328fa7969c09822af5f5dd45179bc5d2f.exe	80

C:\Users\Admin\AppData\Local\Temp\c3ea69784be8db91d59f0dae4c8886e328fa7969c09822af5f5dd45179bc5d2f.exe
"C:\Users\Admin\AppData\Local\Temp\c3ea69784be8db91d59f0dae4c8886e328fa7969c09822af5f5dd45179bc5d2f.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\WINDOWS\system\kill.bat""
  2⤵
  PID:3064
- C:\Program Files\360safe\system360.exe
  "C:\Program Files\360safe\system360.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:1828

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\360safe\360system.dll

Filesize
28KB

MD5
478a40a71ce25d14362599ff78876834

SHA1
3bb7d310f655e452b71f503add10bcea727db1e4

SHA256
734b726bcc3a044a63f1b4a38cc0bc991bc5f4077d59a5bc3ed5f06834e6d1fe

SHA512
00ccfb1b0fd9ed76f0663ea60ac6ae0d4aa2a873bfb8d37037ceac3d501cb20092817bfb7488fbcf151dc9093b42fbe6820c3d4e1f29598df7074ffe7c9969e8

Download Submit
C:\Program Files\360safe\360system.dll

Filesize
28KB

MD5
478a40a71ce25d14362599ff78876834

SHA1
3bb7d310f655e452b71f503add10bcea727db1e4

SHA256
734b726bcc3a044a63f1b4a38cc0bc991bc5f4077d59a5bc3ed5f06834e6d1fe

SHA512
00ccfb1b0fd9ed76f0663ea60ac6ae0d4aa2a873bfb8d37037ceac3d501cb20092817bfb7488fbcf151dc9093b42fbe6820c3d4e1f29598df7074ffe7c9969e8

Download Submit
C:\Program Files\360safe\360system.dll

Filesize
28KB

MD5
478a40a71ce25d14362599ff78876834

SHA1
3bb7d310f655e452b71f503add10bcea727db1e4

SHA256
734b726bcc3a044a63f1b4a38cc0bc991bc5f4077d59a5bc3ed5f06834e6d1fe

SHA512
00ccfb1b0fd9ed76f0663ea60ac6ae0d4aa2a873bfb8d37037ceac3d501cb20092817bfb7488fbcf151dc9093b42fbe6820c3d4e1f29598df7074ffe7c9969e8

Download Submit
C:\Program Files\360safe\system360.exe

Filesize
40KB

MD5
463e90b2ad4c143c24621de3355fb97e

SHA1
76ca1e09d54ecc058240a355d6721d1c4c02506b

SHA256
2e8baf26997fda0292f0d45887cb9f69250841ec6dc9f493dafc36f07de8ff1c

SHA512
1b86b924a8d4b83c5bd7bb80aff73a1c2fd74464cd8d3b7e014129adad095ee7ab70f990a1295562043de78d1344af7ade515d2c34816724e93f27d9ce2a5119

Download Submit
C:\Program Files\360safe\system360.exe

Filesize
40KB

MD5
463e90b2ad4c143c24621de3355fb97e

SHA1
76ca1e09d54ecc058240a355d6721d1c4c02506b

SHA256
2e8baf26997fda0292f0d45887cb9f69250841ec6dc9f493dafc36f07de8ff1c

SHA512
1b86b924a8d4b83c5bd7bb80aff73a1c2fd74464cd8d3b7e014129adad095ee7ab70f990a1295562043de78d1344af7ade515d2c34816724e93f27d9ce2a5119

Download Submit
C:\WINDOWS\system\kill.bat

Filesize
186B

MD5
148a2b8ca311d2051d0f5dcfa59403bc

SHA1
da9a0e2269042818a18b1e60869e59d709dd877e

SHA256
43e23dfbf7eb85ed387b77e7d4ed457c97d966c5aa7d125e38d26f0736501fab

SHA512
edee5f7ed3baac8e5c8d59faa97cc0f89259ec7fc80d9b080f7420c3388841ac58c51d14ca49c034608966611c8b388c85706a39fb2ca1301bc5022828b175cc

Download Submit
memory/1828-143-0x0000000000470000-0x000000000047D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing