882d891f349d29a4f0e6add161262210496c4628d3ce927fb9110e888967ba3e

Analysis

max time kernel
133s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
13/06/2023, 19:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VoucherClient.exe
Size

689KB
MD5

95c5612a3feda5a4279eca604bd8b60a
SHA1

1da75ca3ad321ce337b2de0505b5c79c4bc175a5
SHA256

882d891f349d29a4f0e6add161262210496c4628d3ce927fb9110e888967ba3e
SHA512

24dbd6fb5f398ed87627af56319629b2bc680a34c08f1f34c3297f09487c0ec6ec4f2850830a37ca27fd0f424e6a59e3ccee8c8bc402d069ae585db1c7614b76
SSDEEP

12288:dvBHZegjfglgxpqqPNQBg0FgKZCXmvQPm1Hm:dBljOg7R0F7kXmvQPm1Hm

Score

1^/10

Malware Config

Signatures

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1496	dw20.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 920 wrote to memory of 1240	920	VoucherClient.exe	27
PID 920 wrote to memory of 1240	920	VoucherClient.exe	27
PID 920 wrote to memory of 1240	920	VoucherClient.exe	27
PID 920 wrote to memory of 1240	920	VoucherClient.exe	27
PID 1240 wrote to memory of 1916	1240	csc.exe	29
PID 1240 wrote to memory of 1916	1240	csc.exe	29
PID 1240 wrote to memory of 1916	1240	csc.exe	29
PID 1240 wrote to memory of 1916	1240	csc.exe	29
PID 920 wrote to memory of 1496	920	VoucherClient.exe	30
PID 920 wrote to memory of 1496	920	VoucherClient.exe	30
PID 920 wrote to memory of 1496	920	VoucherClient.exe	30
PID 920 wrote to memory of 1496	920	VoucherClient.exe	30

C:\Users\Admin\AppData\Local\Temp\VoucherClient.exe
"C:\Users\Admin\AppData\Local\Temp\VoucherClient.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:920
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\72svd4dc.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1240
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES251F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC251E.tmp"
    3⤵
    PID:1916
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
  dw20.exe -x -s 712
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1496

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\72svd4dc.dll

Filesize
368KB

MD5
9cceee484d3bb7d85a45b86981818ea8

SHA1
380fcf80c1beece6960a5356ae5155df4628ad86

SHA256
e5bf999a6331b7b7f4827bc91ea35b1f4aef92502c0cee15e68d001e413caf15

SHA512
56152919a5c6d43483d6d4fff4d21e28a60f7c43774f96a78f88c270c50942528fb21f208d3af7a46865fd9072f7b1b5deebc6e8046343ea98e5e872b21918d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES251F.tmp

Filesize
1KB

MD5
6c89100d8097c46a86424f41948cfabd

SHA1
b6fc948b57a6c4410cba7b922b79e036a637c84a

SHA256
47090b374caeba699f822a9a7a35dbc8e15ff1333911a10b41b9e2a841564e20

SHA512
245cd5ae79626f9f3e29f364f4c32caf97645c1e237e19a18f8e648bc0c68bc4ef3454234dda1ccf8c505a85188237c588418df37eee416cae93f555e2197216

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\72svd4dc.0.cs

Filesize
906KB

MD5
4bbf69009a6921970ba7d306d2ac7ab5

SHA1
a2d5ecf908dbe8477a300049da06667d209178f0

SHA256
db4f095eca81535f3a2396f3cc541204a8a53be1277e176d9eb49b40ec7a2257

SHA512
e201178d023e5b958ddd363f962fa9310b9d649723eb9e9c108a2d60767890e7edc82e29efd66d6dd8d71d0c134f0bf2e3c8118b69f525f11e9c55435939c4eb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\72svd4dc.cmdline

Filesize
672B

MD5
8b418e1be797bcd7e1d23b53749ce776

SHA1
7ca4bc7b6138cf9c9d671aaee141fe017acc6dd1

SHA256
2d6d782414fc39be5ad7a00b410f3c857359a04e7282eebe58c55a3be85f6916

SHA512
b3d7221e1914a82fc7a0f8f3c0c9674da2a35e2f7d7165ba290e5adb4f34e15d92db944066a5222402879e6ca7ade6df3baa63bf101de199c17b2bd63b1145b9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC251E.tmp

Filesize
652B

MD5
2d2b8ca7fc8a166f415c8be4f214e68e

SHA1
abe402fbaf244119208e10023a246a12d36cb82a

SHA256
804e47d5f400527569d9679a6e17053107b2ed92a9d8ea9dacf6a877569d356d

SHA512
080ace616d929f609515b579dc8f5ac7941f55603870457ceed01870c6bf3a37bfeccd7fba651707bd4c5c5178d620bb0657d08bfc54a89cc948d381f0feb5b5

Download Submit
memory/920-59-0x0000000000C10000-0x0000000000C50000-memory.dmp

Filesize
256KB

Download
memory/920-69-0x0000000000C10000-0x0000000000C50000-memory.dmp

Filesize
256KB

Download
memory/1496-68-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads