7999f5ba883df787e30826bd802ef0817e0c96470b4de4e6fdcaddca6596641b

General

Target

f14fabcebb48fd9b0ec5ee530d757d20_exe32.exe
Size

911KB
MD5

f14fabcebb48fd9b0ec5ee530d757d20
SHA1

236f33711f31c4bb74096be1ecbb2ea8b71c413e
SHA256

7999f5ba883df787e30826bd802ef0817e0c96470b4de4e6fdcaddca6596641b
SHA512

822a960a81ee427643f974341a240c8e086a2024138385fedfed8d11e86328fa3d8b5e3cdad22de25ad65f0527136fddcd6c9a59f1421f2526d3ddbee8a63ceb
SSDEEP

24576:5c//////G6hGzPK5YtjjbvKewjDsPNwwrau1Vi9WTU04bTVT8Fhpu8:5c//////rGzPK5YtHbi9fsPCwRvi9Wjj

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4300	duokai.exe
4812	MDMPatch1.0.exe
632	xinmdm.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\MDMPatch1.0.exe	f14fabcebb48fd9b0ec5ee530d757d20_exe32.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\duokai.exe	f14fabcebb48fd9b0ec5ee530d757d20_exe32.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4052	4300	WerFault.exe	89
4208	632	WerFault.exe	92

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 824 wrote to memory of 1528	824	f14fabcebb48fd9b0ec5ee530d757d20_exe32.exe	83
PID 824 wrote to memory of 1528	824	f14fabcebb48fd9b0ec5ee530d757d20_exe32.exe	83
PID 824 wrote to memory of 1528	824	f14fabcebb48fd9b0ec5ee530d757d20_exe32.exe	83
PID 824 wrote to memory of 1656	824	f14fabcebb48fd9b0ec5ee530d757d20_exe32.exe	85
PID 824 wrote to memory of 1656	824	f14fabcebb48fd9b0ec5ee530d757d20_exe32.exe	85
PID 824 wrote to memory of 1656	824	f14fabcebb48fd9b0ec5ee530d757d20_exe32.exe	85
PID 824 wrote to memory of 4100	824	f14fabcebb48fd9b0ec5ee530d757d20_exe32.exe	84
PID 824 wrote to memory of 4100	824	f14fabcebb48fd9b0ec5ee530d757d20_exe32.exe	84
PID 824 wrote to memory of 4100	824	f14fabcebb48fd9b0ec5ee530d757d20_exe32.exe	84
PID 1656 wrote to memory of 4300	1656	cmd.exe	89
PID 1656 wrote to memory of 4300	1656	cmd.exe	89
PID 1656 wrote to memory of 4300	1656	cmd.exe	89
PID 1528 wrote to memory of 4812	1528	cmd.exe	90
PID 1528 wrote to memory of 4812	1528	cmd.exe	90
PID 1528 wrote to memory of 4812	1528	cmd.exe	90
PID 4100 wrote to memory of 632	4100	cmd.exe	92
PID 4100 wrote to memory of 632	4100	cmd.exe	92
PID 4100 wrote to memory of 632	4100	cmd.exe	92

C:\Users\Admin\AppData\Local\Temp\f14fabcebb48fd9b0ec5ee530d757d20_exe32.exe
"C:\Users\Admin\AppData\Local\Temp\f14fabcebb48fd9b0ec5ee530d757d20_exe32.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:824
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Windows\system32\MDMPatch1.0.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1528
- - C:\Windows\SysWOW64\MDMPatch1.0.exe
    C:\Windows\system32\MDMPatch1.0.exe
    3⤵
    - Executes dropped EXE
    PID:4812
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\\xinmdm.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4100
- - C:\Users\Admin\AppData\Local\Temp\xinmdm.exe
    C:\Users\Admin\AppData\Local\Temp\\xinmdm.exe
    3⤵
    - Executes dropped EXE
    PID:632
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 632 -s 408
      4⤵
      Program crash
      PID:4208
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Windows\duokai.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1656
- - C:\Windows\duokai.exe
    C:\Windows\duokai.exe
    3⤵
    - Executes dropped EXE
    PID:4300
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4300 -s 224
      4⤵
      Program crash
      PID:4052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4300 -ip 4300
1⤵
PID:720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 632 -ip 632
1⤵
PID:1356

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\xinmdm.exe

Filesize
36KB

MD5
3caf43d77d7c2c5705cb53000e27590b

SHA1
c8e8299dabc520716bd9cf2f7ca702424de22592

SHA256
66b5f42c03fd364ae034e63ad5b9d855f89965d12f80e4ca231cb89e7a9d6218

SHA512
b90c0b2c03324f5814cf5310c99538ffeaf3c35b5c89dd4bd2c8d134d540be78d1e0054ae718a6f232b6e49b8294a4a7699d88b77eaeef69c70551b361f1073e

Download Submit
C:\Users\Admin\AppData\Local\Temp\xinmdm.exe

Filesize
36KB

MD5
3caf43d77d7c2c5705cb53000e27590b

SHA1
c8e8299dabc520716bd9cf2f7ca702424de22592

SHA256
66b5f42c03fd364ae034e63ad5b9d855f89965d12f80e4ca231cb89e7a9d6218

SHA512
b90c0b2c03324f5814cf5310c99538ffeaf3c35b5c89dd4bd2c8d134d540be78d1e0054ae718a6f232b6e49b8294a4a7699d88b77eaeef69c70551b361f1073e

Download Submit
C:\Windows\SysWOW64\MDMPatch1.0.exe

Filesize
479KB

MD5
16a5208385f15645c54110a2ac18485b

SHA1
b4ae149966e5a234b9d62d68c2159fb6eec7b209

SHA256
a407a6eb055b10de9e48a6c5ad54dbfd0254973402d3287200eb8e19d06d2c78

SHA512
eda363ba527fd7f5963b8123784ee51b91abf6ba46d6046a792245d5bea0095586ad290a0cbc77f310ad50ca462148bef39396b679cfe6fc44f3288fc95966af

Download Submit
C:\Windows\SysWOW64\MDMPatch1.0.exe

Filesize
479KB

MD5
16a5208385f15645c54110a2ac18485b

SHA1
b4ae149966e5a234b9d62d68c2159fb6eec7b209

SHA256
a407a6eb055b10de9e48a6c5ad54dbfd0254973402d3287200eb8e19d06d2c78

SHA512
eda363ba527fd7f5963b8123784ee51b91abf6ba46d6046a792245d5bea0095586ad290a0cbc77f310ad50ca462148bef39396b679cfe6fc44f3288fc95966af

Download Submit
C:\Windows\duokai.exe

Filesize
362KB

MD5
b5f1abea8ea405c51a1f3fe0ce3d9c68

SHA1
6d9cbeeae8dc78cc474bab2cbea6d415d1f68e31

SHA256
d9c6405c7c3abf6f971967b5fbbd4861f5f6f8cdba7385ef31d47780159ead1b

SHA512
fd3d49d616f5c459d7b942c360e5bc576bfaef9ad4f29d71cb5cccdc4380477ea501942768f4f13bfbacdf0d4fe447de05d1fc82072e1b901b47e29fa5038e92

Download Submit
C:\Windows\duokai.exe

Filesize
362KB

MD5
b5f1abea8ea405c51a1f3fe0ce3d9c68

SHA1
6d9cbeeae8dc78cc474bab2cbea6d415d1f68e31

SHA256
d9c6405c7c3abf6f971967b5fbbd4861f5f6f8cdba7385ef31d47780159ead1b

SHA512
fd3d49d616f5c459d7b942c360e5bc576bfaef9ad4f29d71cb5cccdc4380477ea501942768f4f13bfbacdf0d4fe447de05d1fc82072e1b901b47e29fa5038e92

Download Submit
memory/632-16-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/632-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/632-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/824-3-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/4300-9-0x0000000001300000-0x000000000141799D-memory.dmp

Filesize
1.1MB

Download
memory/4300-19-0x0000000001300000-0x000000000141799D-memory.dmp

Filesize
1.1MB

Download
memory/4812-12-0x0000000000400000-0x0000000000523200-memory.dmp

Filesize
1.1MB

Download
memory/4812-17-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/4812-20-0x0000000000400000-0x0000000000523200-memory.dmp

Filesize
1.1MB

Download
memory/4812-21-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads