6d0dce536c7d15a7be5626981a16ef077ed1109a67b3d0e91943128be32c2a74

General

Target

6d0dce536c7d15a7be5626981a16ef077ed1109a67b3d0e91943128be32c2a74.exe
Size

1.6MB
MD5

5af4ac7bcae31673d816c948f331f44e
SHA1

615235823768a7ead939050d3bf527d0e5b9dbb9
SHA256

6d0dce536c7d15a7be5626981a16ef077ed1109a67b3d0e91943128be32c2a74
SHA512

558cefbed4f67206bf8f655ef0b533e50c5b02aba5e4495d3ba021834fd4e5d78f8ed51e3b39de409d57dddbf955cbdcb837c92acf6b504d4e872637b00c2440
SSDEEP

49152:mcB/J9443O1jVRGx4GOfiOwd5SCBz31JDDs2Isc9Vb3:mCUqO1jVRGixfq1p31dI5Vb3

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
3016	rundll32.exe
764	rundll32.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3220 wrote to memory of 1672	3220	6d0dce536c7d15a7be5626981a16ef077ed1109a67b3d0e91943128be32c2a74.exe	69
PID 3220 wrote to memory of 1672	3220	6d0dce536c7d15a7be5626981a16ef077ed1109a67b3d0e91943128be32c2a74.exe	69
PID 3220 wrote to memory of 1672	3220	6d0dce536c7d15a7be5626981a16ef077ed1109a67b3d0e91943128be32c2a74.exe	69
PID 1672 wrote to memory of 3024	1672	cmd.exe	71
PID 1672 wrote to memory of 3024	1672	cmd.exe	71
PID 1672 wrote to memory of 3024	1672	cmd.exe	71
PID 3024 wrote to memory of 3016	3024	control.exe	72
PID 3024 wrote to memory of 3016	3024	control.exe	72
PID 3024 wrote to memory of 3016	3024	control.exe	72
PID 3016 wrote to memory of 2100	3016	rundll32.exe	73
PID 3016 wrote to memory of 2100	3016	rundll32.exe	73
PID 2100 wrote to memory of 764	2100	RunDll32.exe	74
PID 2100 wrote to memory of 764	2100	RunDll32.exe	74
PID 2100 wrote to memory of 764	2100	RunDll32.exe	74

C:\Users\Admin\AppData\Local\Temp\6d0dce536c7d15a7be5626981a16ef077ed1109a67b3d0e91943128be32c2a74.exe
"C:\Users\Admin\AppData\Local\Temp\6d0dce536c7d15a7be5626981a16ef077ed1109a67b3d0e91943128be32c2a74.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3220
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c .\RSg.cmD
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1672
- - C:\Windows\SysWOW64\control.exe
    cOntrOl.eXe "C:\Users\Admin\AppData\Local\Temp\7zS49C20B87\YbWF.X"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3024
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\7zS49C20B87\YbWF.X"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:3016
    - - C:\Windows\system32\RunDll32.exe
        
        C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\7zS49C20B87\YbWF.X"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2100
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\7zS49C20B87\YbWF.X"
        6⤵
        Loads dropped DLL
        
        PID:764

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS49C20B87\Rsg.cmd

Filesize
32B

MD5
af982d040ea360b8ac44d07419d1cf7f

SHA1
856165e498208878ba00a587e1de16c600966669

SHA256
4e1a7046c72d3a161460bdbfe6774a86d8ec7d327f7e4a4d47782272a558fb6a

SHA512
80096e07a0c4663f61fa4e1df2c3798805e266b2d23aaf3aeff62f404b71d2e3329cb2c2098d6825ab8fff749c02d54329455793ae50ec8069b8269e74aa86f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS49C20B87\YbWF.X

Filesize
1.6MB

MD5
fa955b95b690c7148201341b3d35b62f

SHA1
2bd6d77e3574afe4dd429490f067babf05e0c771

SHA256
b62a47302c1f019154f830290ab2228e13867e9e8bc5541ff0472ac151f17e6f

SHA512
498af67712877e6db7fb8fc304a38a4a0bfe4708c69013442ea183c8aa66df94cadaedd32611fb042b20a0861656ed7f1a92702acd8a20741ead0f400b77b2b0

Download Submit
\Users\Admin\AppData\Local\Temp\7zS49C20B87\ybwf.X

Filesize
1.6MB

MD5
fa955b95b690c7148201341b3d35b62f

SHA1
2bd6d77e3574afe4dd429490f067babf05e0c771

SHA256
b62a47302c1f019154f830290ab2228e13867e9e8bc5541ff0472ac151f17e6f

SHA512
498af67712877e6db7fb8fc304a38a4a0bfe4708c69013442ea183c8aa66df94cadaedd32611fb042b20a0861656ed7f1a92702acd8a20741ead0f400b77b2b0

Download Submit
\Users\Admin\AppData\Local\Temp\7zS49C20B87\ybwf.X

Filesize
1.6MB

MD5
fa955b95b690c7148201341b3d35b62f

SHA1
2bd6d77e3574afe4dd429490f067babf05e0c771

SHA256
b62a47302c1f019154f830290ab2228e13867e9e8bc5541ff0472ac151f17e6f

SHA512
498af67712877e6db7fb8fc304a38a4a0bfe4708c69013442ea183c8aa66df94cadaedd32611fb042b20a0861656ed7f1a92702acd8a20741ead0f400b77b2b0

Download Submit
memory/764-29-0x00000000055E0000-0x00000000056E6000-memory.dmp

Filesize
1.0MB

Download
memory/764-28-0x0000000010000000-0x00000000101A3000-memory.dmp

Filesize
1.6MB

Download
memory/764-27-0x00000000055E0000-0x00000000056E6000-memory.dmp

Filesize
1.0MB

Download
memory/764-25-0x00000000055E0000-0x00000000056E6000-memory.dmp

Filesize
1.0MB

Download
memory/764-23-0x00000000054B0000-0x00000000055D1000-memory.dmp

Filesize
1.1MB

Download
memory/764-20-0x0000000004E90000-0x0000000004E96000-memory.dmp

Filesize
24KB

Download
memory/3016-9-0x0000000010000000-0x00000000101A3000-memory.dmp

Filesize
1.6MB

Download
memory/3016-17-0x0000000005370000-0x0000000005476000-memory.dmp

Filesize
1.0MB

Download
memory/3016-16-0x0000000005370000-0x0000000005476000-memory.dmp

Filesize
1.0MB

Download
memory/3016-14-0x0000000005370000-0x0000000005476000-memory.dmp

Filesize
1.0MB

Download
memory/3016-13-0x0000000005370000-0x0000000005476000-memory.dmp

Filesize
1.0MB

Download
memory/3016-12-0x0000000005230000-0x0000000005351000-memory.dmp

Filesize
1.1MB

Download
memory/3016-8-0x00000000050D0000-0x00000000050D6000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads