5b01ade8e57d6370e5935db58dbf4d30f8ceea782bf50d8847150be1dc67ed97

General

Target

5b01ade8e57d6370e5935db58dbf4d30f8ceea782bf50d8847150be1dc67ed97.exe
Size

2.0MB
MD5

031bac72289d15c5bd8192e3d538bc75
SHA1

5fc67b7aa3c5722468817d3c53def6c544e4acb7
SHA256

5b01ade8e57d6370e5935db58dbf4d30f8ceea782bf50d8847150be1dc67ed97
SHA512

e768e44b25cd5472e4a717426399f2b58b6e182b6fbd639d4cc7c214319334136b8ff0e1125d772e7aaf15880c9f232d751ddb9cfb55cf2af8a34761a48d9578
SSDEEP

49152:mcB6t27S9ewSRd3wQis4vTrniMA9uor8sTyXlUII5fhbHJKi:mZtUVrj4vyPQERy1CLbHJKi

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
1384	rundll32.exe
1008	rundll32.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 1760	1724	5b01ade8e57d6370e5935db58dbf4d30f8ceea782bf50d8847150be1dc67ed97.exe	71
PID 1724 wrote to memory of 1760	1724	5b01ade8e57d6370e5935db58dbf4d30f8ceea782bf50d8847150be1dc67ed97.exe	71
PID 1724 wrote to memory of 1760	1724	5b01ade8e57d6370e5935db58dbf4d30f8ceea782bf50d8847150be1dc67ed97.exe	71
PID 1760 wrote to memory of 1144	1760	cmd.exe	73
PID 1760 wrote to memory of 1144	1760	cmd.exe	73
PID 1760 wrote to memory of 1144	1760	cmd.exe	73
PID 1144 wrote to memory of 1384	1144	control.exe	74
PID 1144 wrote to memory of 1384	1144	control.exe	74
PID 1144 wrote to memory of 1384	1144	control.exe	74
PID 1384 wrote to memory of 5092	1384	rundll32.exe	75
PID 1384 wrote to memory of 5092	1384	rundll32.exe	75
PID 5092 wrote to memory of 1008	5092	RunDll32.exe	76
PID 5092 wrote to memory of 1008	5092	RunDll32.exe	76
PID 5092 wrote to memory of 1008	5092	RunDll32.exe	76

C:\Users\Admin\AppData\Local\Temp\5b01ade8e57d6370e5935db58dbf4d30f8ceea782bf50d8847150be1dc67ed97.exe
"C:\Users\Admin\AppData\Local\Temp\5b01ade8e57d6370e5935db58dbf4d30f8ceea782bf50d8847150be1dc67ed97.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c .\UI8oM.Cmd
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1760
- - C:\Windows\SysWOW64\control.exe
    contROL.EXe "C:\Users\Admin\AppData\Local\Temp\7zSCB6260E7\GwBYRDAJ.T7"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1144
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\7zSCB6260E7\GwBYRDAJ.T7"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1384
    - - C:\Windows\system32\RunDll32.exe
        
        C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\7zSCB6260E7\GwBYRDAJ.T7"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5092
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\7zSCB6260E7\GwBYRDAJ.T7"
        6⤵
        Loads dropped DLL
        
        PID:1008

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zSCB6260E7\GwBYRDAJ.T7

Filesize
2.0MB

MD5
2be40337389f6bdaa511630529b93ca5

SHA1
fca865bac98104ea19f20f4e794cdfb95394d97b

SHA256
246a01da9e2133a7bb329527b7f106f462c2d94bf4971f3d77ddfe5b78b0017b

SHA512
32f45375f6d3624c5049bf61c7910a48fae7c6fb5dfcb94583d0b79d266c6399686d4e1479e2a44be44b277152a8dcb3e8ca64d2fc87b5e4bffb84c02b6588bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCB6260E7\UI8oM.cmd

Filesize
32B

MD5
9c8d18b9c011bc6c45b68f666440f1de

SHA1
b47d25ba7e193cc7883902831249a25691b48fb5

SHA256
ca5f8575e18ed175282f757affe45bb67630764721612cfe8d0460a96bbdd171

SHA512
5f8943350a03639cd26ce7b0e1f709ac03e0e7d4bc65dceada6d2d7a479d50df24bfa4a47fd03549497a9c9876e1be5ccf14a37b85b299b475c9388378f9dacb

Download Submit
\Users\Admin\AppData\Local\Temp\7zSCB6260E7\gwbyRdAJ.T7

Filesize
2.0MB

MD5
2be40337389f6bdaa511630529b93ca5

SHA1
fca865bac98104ea19f20f4e794cdfb95394d97b

SHA256
246a01da9e2133a7bb329527b7f106f462c2d94bf4971f3d77ddfe5b78b0017b

SHA512
32f45375f6d3624c5049bf61c7910a48fae7c6fb5dfcb94583d0b79d266c6399686d4e1479e2a44be44b277152a8dcb3e8ca64d2fc87b5e4bffb84c02b6588bb

Download Submit
\Users\Admin\AppData\Local\Temp\7zSCB6260E7\gwbyRdAJ.T7

Filesize
2.0MB

MD5
2be40337389f6bdaa511630529b93ca5

SHA1
fca865bac98104ea19f20f4e794cdfb95394d97b

SHA256
246a01da9e2133a7bb329527b7f106f462c2d94bf4971f3d77ddfe5b78b0017b

SHA512
32f45375f6d3624c5049bf61c7910a48fae7c6fb5dfcb94583d0b79d266c6399686d4e1479e2a44be44b277152a8dcb3e8ca64d2fc87b5e4bffb84c02b6588bb

Download Submit
memory/1008-28-0x0000000005250000-0x0000000005352000-memory.dmp

Filesize
1.0MB

Download
memory/1008-27-0x0000000005250000-0x0000000005352000-memory.dmp

Filesize
1.0MB

Download
memory/1008-24-0x0000000005250000-0x0000000005352000-memory.dmp

Filesize
1.0MB

Download
memory/1008-23-0x0000000005130000-0x000000000524E000-memory.dmp

Filesize
1.1MB

Download
memory/1008-19-0x0000000004A80000-0x0000000004A86000-memory.dmp

Filesize
24KB

Download
memory/1384-8-0x0000000010000000-0x0000000010203000-memory.dmp

Filesize
2.0MB

Download
memory/1384-17-0x00000000056A0000-0x00000000057A2000-memory.dmp

Filesize
1.0MB

Download
memory/1384-16-0x00000000056A0000-0x00000000057A2000-memory.dmp

Filesize
1.0MB

Download
memory/1384-13-0x00000000056A0000-0x00000000057A2000-memory.dmp

Filesize
1.0MB

Download
memory/1384-12-0x0000000005580000-0x000000000569E000-memory.dmp

Filesize
1.1MB

Download
memory/1384-9-0x0000000003360000-0x0000000003366000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads