6f4fe023a4cc878e187d02b16eaa049a66165c741bf6663c6d8454075a8a4827

General

Target

6f4fe023a4cc878e187d02b16eaa049a66165c741bf6663c6d8454075a8a4827.exe
Size

2.6MB
MD5

f0f4d913941593b2cfaf76bbdf8906c1
SHA1

e17e35225ccfff59fe327b4a7900e5a223115059
SHA256

6f4fe023a4cc878e187d02b16eaa049a66165c741bf6663c6d8454075a8a4827
SHA512

84784b2f44e13c13a2bf42c83447d5ea65a2f4ced3d834c47a41f6b6c87bdec7e53a8e70fffdd32cb4121404749c0cb2cd807a084f171142c17de465e6ca3d18
SSDEEP

49152:UJGi9KcvmwM9a42u2y34uIJrkencq+2N5O1uoZD94yy1EsdH+NWS8QDBbHVLoZFo:UIi9xmwYap/Y4/Jrr+61oZDETdH0h1Hz

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
4724	rundll32.exe
3976	rundll32.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4476 wrote to memory of 4744	4476	6f4fe023a4cc878e187d02b16eaa049a66165c741bf6663c6d8454075a8a4827.exe	70
PID 4476 wrote to memory of 4744	4476	6f4fe023a4cc878e187d02b16eaa049a66165c741bf6663c6d8454075a8a4827.exe	70
PID 4476 wrote to memory of 4744	4476	6f4fe023a4cc878e187d02b16eaa049a66165c741bf6663c6d8454075a8a4827.exe	70
PID 4744 wrote to memory of 3544	4744	cmd.exe	72
PID 4744 wrote to memory of 3544	4744	cmd.exe	72
PID 4744 wrote to memory of 3544	4744	cmd.exe	72
PID 3544 wrote to memory of 4724	3544	control.exe	73
PID 3544 wrote to memory of 4724	3544	control.exe	73
PID 3544 wrote to memory of 4724	3544	control.exe	73
PID 4724 wrote to memory of 2916	4724	rundll32.exe	74
PID 4724 wrote to memory of 2916	4724	rundll32.exe	74
PID 2916 wrote to memory of 3976	2916	RunDll32.exe	75
PID 2916 wrote to memory of 3976	2916	RunDll32.exe	75
PID 2916 wrote to memory of 3976	2916	RunDll32.exe	75

C:\Users\Admin\AppData\Local\Temp\6f4fe023a4cc878e187d02b16eaa049a66165c741bf6663c6d8454075a8a4827.exe
"C:\Users\Admin\AppData\Local\Temp\6f4fe023a4cc878e187d02b16eaa049a66165c741bf6663c6d8454075a8a4827.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4476
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c .\TOLQZwF.cMd
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4744
- - C:\Windows\SysWOW64\control.exe
    coNTrOl.EXe "C:\Users\Admin\AppData\Local\Temp\7zSC7197E87\RU87DHSS.G_A"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3544
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\7zSC7197E87\RU87DHSS.G_A"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:4724
    - - C:\Windows\system32\RunDll32.exe
        
        C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\7zSC7197E87\RU87DHSS.G_A"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2916
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\7zSC7197E87\RU87DHSS.G_A"
        6⤵
        Loads dropped DLL
        
        PID:3976

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zSC7197E87\RU87DHSS.G_A

Filesize
2.6MB

MD5
6fb54e30ec818e57a84681f4b834f22d

SHA1
8f809e744c74d751492c719aab2bfa6d17989097

SHA256
83ec45c7b38f49195cac4af77aa404b75817f2aba682d28f8468f5a33173bad1

SHA512
2724f9622266442a2ee96acfe192c46d6d9d7d157acdd383198619de6cfafda067dd393e9bf6b886ca6af171e974496855719138554c32381c43e7c5427b7160

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC7197E87\tOLqZwf.cmd

Filesize
37B

MD5
a12b8bb1460a6fc596896e1cd7fbc34b

SHA1
d2c3faa67ac092017a56242e520ea5100bfaeadb

SHA256
e2244e1c912fab772355f236e4b76cd9573b30399a3b66fd8f0fa925f45cf93c

SHA512
a139c11ca8f9e359185e12bd734561f55b7d4222856741b34d000ce18325c3e360654e4cb88e85753630e4ba552e0c565f7883b8019b0da8e9f5eb8cb8d36634

Download Submit
\Users\Admin\AppData\Local\Temp\7zSC7197E87\rU87dHss.G_A

Filesize
2.6MB

MD5
6fb54e30ec818e57a84681f4b834f22d

SHA1
8f809e744c74d751492c719aab2bfa6d17989097

SHA256
83ec45c7b38f49195cac4af77aa404b75817f2aba682d28f8468f5a33173bad1

SHA512
2724f9622266442a2ee96acfe192c46d6d9d7d157acdd383198619de6cfafda067dd393e9bf6b886ca6af171e974496855719138554c32381c43e7c5427b7160

Download Submit
\Users\Admin\AppData\Local\Temp\7zSC7197E87\rU87dHss.G_A

Filesize
2.6MB

MD5
6fb54e30ec818e57a84681f4b834f22d

SHA1
8f809e744c74d751492c719aab2bfa6d17989097

SHA256
83ec45c7b38f49195cac4af77aa404b75817f2aba682d28f8468f5a33173bad1

SHA512
2724f9622266442a2ee96acfe192c46d6d9d7d157acdd383198619de6cfafda067dd393e9bf6b886ca6af171e974496855719138554c32381c43e7c5427b7160

Download Submit
memory/3976-28-0x00000000047E0000-0x00000000048D4000-memory.dmp

Filesize
976KB

Download
memory/3976-27-0x00000000047E0000-0x00000000048D4000-memory.dmp

Filesize
976KB

Download
memory/3976-25-0x00000000047E0000-0x00000000048D4000-memory.dmp

Filesize
976KB

Download
memory/3976-23-0x00000000046D0000-0x00000000047DD000-memory.dmp

Filesize
1.1MB

Download
memory/3976-20-0x0000000000490000-0x0000000000496000-memory.dmp

Filesize
24KB

Download
memory/4724-9-0x0000000010000000-0x000000001028E000-memory.dmp

Filesize
2.6MB

Download
memory/4724-17-0x0000000004B20000-0x0000000004C14000-memory.dmp

Filesize
976KB

Download
memory/4724-16-0x0000000004B20000-0x0000000004C14000-memory.dmp

Filesize
976KB

Download
memory/4724-14-0x0000000004B20000-0x0000000004C14000-memory.dmp

Filesize
976KB

Download
memory/4724-13-0x0000000004B20000-0x0000000004C14000-memory.dmp

Filesize
976KB

Download
memory/4724-12-0x0000000004A10000-0x0000000004B1D000-memory.dmp

Filesize
1.1MB

Download
memory/4724-8-0x00000000006A0000-0x00000000006A6000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads