a05ce12b38c7cc6f62bb35c0e1a93160aca35eadc9ddc878fac9dd34ee6a447a

General

Target

a05ce12b38c7cc6f62bb35c0e1a93160aca35eadc9ddc878fac9dd34ee6a447a.exe
Size

2.4MB
MD5

30e1293f173645ca049c0425fcfdb33b
SHA1

95b08f02728bb6ed49f347a449c17acccacd52ca
SHA256

a05ce12b38c7cc6f62bb35c0e1a93160aca35eadc9ddc878fac9dd34ee6a447a
SHA512

5b9c9ea95a6e2e36b0449f7384afd0a71c32d3ea5dc394036a5706af9e0995e91d439777cc46a355542fc476e88509c5d7d11bae767e1d08d371a596b648d521
SSDEEP

49152:a1RTK36PPrVVVwX1kTCusRDAMNMh9M0u2utxW:Kq6PPrVVVwFkSRMqMzM0u2u

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2720	a05ce12b38c7cc6f62bb35c0e1a93160aca35eadc9ddc878fac9dd34ee6a447a.exe

Loads dropped DLL 3 IoCs

pid	Process
2452	a05ce12b38c7cc6f62bb35c0e1a93160aca35eadc9ddc878fac9dd34ee6a447a.exe
2452	a05ce12b38c7cc6f62bb35c0e1a93160aca35eadc9ddc878fac9dd34ee6a447a.exe
2720	a05ce12b38c7cc6f62bb35c0e1a93160aca35eadc9ddc878fac9dd34ee6a447a.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\iugjfv.dll	a05ce12b38c7cc6f62bb35c0e1a93160aca35eadc9ddc878fac9dd34ee6a447a.exe
File created	C:\Windows\Fonts\prroqt.dll	a05ce12b38c7cc6f62bb35c0e1a93160aca35eadc9ddc878fac9dd34ee6a447a.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2452	a05ce12b38c7cc6f62bb35c0e1a93160aca35eadc9ddc878fac9dd34ee6a447a.exe
2452	a05ce12b38c7cc6f62bb35c0e1a93160aca35eadc9ddc878fac9dd34ee6a447a.exe
2452	a05ce12b38c7cc6f62bb35c0e1a93160aca35eadc9ddc878fac9dd34ee6a447a.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
468	Process not Found

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2452	a05ce12b38c7cc6f62bb35c0e1a93160aca35eadc9ddc878fac9dd34ee6a447a.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2452	a05ce12b38c7cc6f62bb35c0e1a93160aca35eadc9ddc878fac9dd34ee6a447a.exe
2452	a05ce12b38c7cc6f62bb35c0e1a93160aca35eadc9ddc878fac9dd34ee6a447a.exe
2452	a05ce12b38c7cc6f62bb35c0e1a93160aca35eadc9ddc878fac9dd34ee6a447a.exe
2720	a05ce12b38c7cc6f62bb35c0e1a93160aca35eadc9ddc878fac9dd34ee6a447a.exe
2720	a05ce12b38c7cc6f62bb35c0e1a93160aca35eadc9ddc878fac9dd34ee6a447a.exe
2720	a05ce12b38c7cc6f62bb35c0e1a93160aca35eadc9ddc878fac9dd34ee6a447a.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2452 wrote to memory of 2720	2452	a05ce12b38c7cc6f62bb35c0e1a93160aca35eadc9ddc878fac9dd34ee6a447a.exe	28
PID 2452 wrote to memory of 2720	2452	a05ce12b38c7cc6f62bb35c0e1a93160aca35eadc9ddc878fac9dd34ee6a447a.exe	28
PID 2452 wrote to memory of 2720	2452	a05ce12b38c7cc6f62bb35c0e1a93160aca35eadc9ddc878fac9dd34ee6a447a.exe	28
PID 2452 wrote to memory of 2720	2452	a05ce12b38c7cc6f62bb35c0e1a93160aca35eadc9ddc878fac9dd34ee6a447a.exe	28

C:\Users\Admin\AppData\Local\Temp\a05ce12b38c7cc6f62bb35c0e1a93160aca35eadc9ddc878fac9dd34ee6a447a.exe
"C:\Users\Admin\AppData\Local\Temp\a05ce12b38c7cc6f62bb35c0e1a93160aca35eadc9ddc878fac9dd34ee6a447a.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2452
- C:\Users\Admin\AppData\Local\Temp\a05ce12b38c7cc6f62bb35c0e1a93160aca35eadc9ddc878fac9dd34ee6a447a.exe
  C:\Users\Admin\AppData\Local\Temp\a05ce12b38c7cc6f62bb35c0e1a93160aca35eadc9ddc878fac9dd34ee6a447a.exe --
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:2720

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
2.4MB

MD5
dd39fc3a477d02aee040b27688bb563e

SHA1
94f1b1c94f62d550b981a4ba5c69493c686b3526

SHA256
c3cdb18627cad3bd342f1f13389e4c2fd2503949850424fb53f5f17ccd5ddf6d

SHA512
286c54b3fc6e68acad40a442e0dfc7dbc2118a28abfcdff86a5acd1b4f5714929b78b16aaea523a3723e59e6a8577346f97fa533f24510e997af8b9ca1cc22e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a05ce12b38c7cc6f62bb35c0e1a93160aca35eadc9ddc878fac9dd34ee6a447a.exe

Filesize
2.4MB

MD5
dd39fc3a477d02aee040b27688bb563e

SHA1
94f1b1c94f62d550b981a4ba5c69493c686b3526

SHA256
c3cdb18627cad3bd342f1f13389e4c2fd2503949850424fb53f5f17ccd5ddf6d

SHA512
286c54b3fc6e68acad40a442e0dfc7dbc2118a28abfcdff86a5acd1b4f5714929b78b16aaea523a3723e59e6a8577346f97fa533f24510e997af8b9ca1cc22e1

Download Submit
\Users\Admin\AppData\Local\Temp\a05ce12b38c7cc6f62bb35c0e1a93160aca35eadc9ddc878fac9dd34ee6a447a.exe

Filesize
2.4MB

MD5
dd39fc3a477d02aee040b27688bb563e

SHA1
94f1b1c94f62d550b981a4ba5c69493c686b3526

SHA256
c3cdb18627cad3bd342f1f13389e4c2fd2503949850424fb53f5f17ccd5ddf6d

SHA512
286c54b3fc6e68acad40a442e0dfc7dbc2118a28abfcdff86a5acd1b4f5714929b78b16aaea523a3723e59e6a8577346f97fa533f24510e997af8b9ca1cc22e1

Download Submit
\Windows\Fonts\iugjfv.dll

Filesize
1.4MB

MD5
43713472f56ed83073fbe046e05255b4

SHA1
9b654bc3aa5e1c9a03cb7ad70cb0fc39ce224a00

SHA256
43d5fee3b2a5fbebb0ed8c2e134b5ec0d8d488eefe12143d1f244b4129a02d32

SHA512
4df86437fe92afe5aa568f181c143908394dd694e0f92710e9c907cb807732f0a6e87dd85316d8540a038f3935814f775726abc4572b8e855adec2b057dd6adb

Download Submit
\Windows\Fonts\prroqt.dll

Filesize
1.4MB

MD5
43713472f56ed83073fbe046e05255b4

SHA1
9b654bc3aa5e1c9a03cb7ad70cb0fc39ce224a00

SHA256
43d5fee3b2a5fbebb0ed8c2e134b5ec0d8d488eefe12143d1f244b4129a02d32

SHA512
4df86437fe92afe5aa568f181c143908394dd694e0f92710e9c907cb807732f0a6e87dd85316d8540a038f3935814f775726abc4572b8e855adec2b057dd6adb

Download Submit

Analysis

Sharing