8045d823f7df5c1ffb450baf3550b9f7162d575c8384ba394a31419d6b17ec2f

Analysis

max time kernel
142s
max time network
130s
platform
windows10-1703_x64
resource
win10-20231023-en
resource tags

arch:x64arch:x86image:win10-20231023-enlocale:en-usos:windows10-1703-x64system
submitted
12/12/2023, 03:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8045d823f7df5c1ffb450baf3550b9f7162d575c8384ba394a31419d6b17ec2f.exe
Size

7.5MB
MD5

ec0da7e9f93a3e186afe6031123191d1
SHA1

a993427c276abe7b0ba55aa212309fe9afd665a0
SHA256

8045d823f7df5c1ffb450baf3550b9f7162d575c8384ba394a31419d6b17ec2f
SHA512

93f9c469e40259f6645a66b612d24d39d18f9931c73b2c12f82b3a1f995871f4a66652fa17b209efd993f4ef9c2a6ed34edf7b86913471a0b20f55250adb2487
SSDEEP

196608:5q/iLRC0OLkYNew6tjCtD2RQVsBp4UAzj:5HC9Lkuew6t2oCO9Azj

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4436	8045d823f7df5c1ffb450baf3550b9f7162d575c8384ba394a31419d6b17ec2f.tmp

Loads dropped DLL 3 IoCs

pid	Process
4436	8045d823f7df5c1ffb450baf3550b9f7162d575c8384ba394a31419d6b17ec2f.tmp
4436	8045d823f7df5c1ffb450baf3550b9f7162d575c8384ba394a31419d6b17ec2f.tmp
4436	8045d823f7df5c1ffb450baf3550b9f7162d575c8384ba394a31419d6b17ec2f.tmp

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\PlayGIF\uninstall\unins000.dat	8045d823f7df5c1ffb450baf3550b9f7162d575c8384ba394a31419d6b17ec2f.tmp
File created	C:\Program Files (x86)\PlayGIF\uninstall\is-4S2S0.tmp	8045d823f7df5c1ffb450baf3550b9f7162d575c8384ba394a31419d6b17ec2f.tmp
File created	C:\Program Files (x86)\PlayGIF\stuff\is-VSRU5.tmp	8045d823f7df5c1ffb450baf3550b9f7162d575c8384ba394a31419d6b17ec2f.tmp
File created	C:\Program Files (x86)\PlayGIF\stuff\is-9SRQ8.tmp	8045d823f7df5c1ffb450baf3550b9f7162d575c8384ba394a31419d6b17ec2f.tmp
File created	C:\Program Files (x86)\PlayGIF\stuff\is-I2FSS.tmp	8045d823f7df5c1ffb450baf3550b9f7162d575c8384ba394a31419d6b17ec2f.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4436	8045d823f7df5c1ffb450baf3550b9f7162d575c8384ba394a31419d6b17ec2f.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 220 wrote to memory of 4436	220	8045d823f7df5c1ffb450baf3550b9f7162d575c8384ba394a31419d6b17ec2f.exe	71
PID 220 wrote to memory of 4436	220	8045d823f7df5c1ffb450baf3550b9f7162d575c8384ba394a31419d6b17ec2f.exe	71
PID 220 wrote to memory of 4436	220	8045d823f7df5c1ffb450baf3550b9f7162d575c8384ba394a31419d6b17ec2f.exe	71

C:\Users\Admin\AppData\Local\Temp\8045d823f7df5c1ffb450baf3550b9f7162d575c8384ba394a31419d6b17ec2f.exe
"C:\Users\Admin\AppData\Local\Temp\8045d823f7df5c1ffb450baf3550b9f7162d575c8384ba394a31419d6b17ec2f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:220
- C:\Users\Admin\AppData\Local\Temp\is-AGNHJ.tmp\8045d823f7df5c1ffb450baf3550b9f7162d575c8384ba394a31419d6b17ec2f.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-AGNHJ.tmp\8045d823f7df5c1ffb450baf3550b9f7162d575c8384ba394a31419d6b17ec2f.tmp" /SL5="$901F4,7577497,68096,C:\Users\Admin\AppData\Local\Temp\8045d823f7df5c1ffb450baf3550b9f7162d575c8384ba394a31419d6b17ec2f.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of FindShellTrayWindow
  PID:4436

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-AGNHJ.tmp\8045d823f7df5c1ffb450baf3550b9f7162d575c8384ba394a31419d6b17ec2f.tmp

Filesize
640KB

MD5
1633e8c1ec44c0dae58412ccf466ce3b

SHA1
12a483b47ebf10c5b4f80e804d9612e9e72ccd7b

SHA256
b63d0b1af3bf0cc35ffc56888749d30eb125752539cc24a7b961bdb4a4e97b33

SHA512
549e60cc947c95bb55d4852bf731d5ebb9ce94e6f042216a08cd1a7a54476bb432accbe68409d2ec075022608dc8af42c9e716f0680bc5445a666f5124821d54

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-AGNHJ.tmp\8045d823f7df5c1ffb450baf3550b9f7162d575c8384ba394a31419d6b17ec2f.tmp

Filesize
512KB

MD5
913d22709a27b65d97c26e9310af7bfe

SHA1
2e021f1dcde45a9ea4e1bb82ef911ea78d75fd50

SHA256
9a77d52417bfeb0caa1e822891c28c3966814cd7c9d8c9a5bba8edf97bdb30cc

SHA512
57463c0d0caee1cf47615798dbd9b537247261ab8fc14d1f0b89898347067bfc741ed70786e9815a4a614694c4f7dd4204515e7503f314a5a6b60cf1e1e5ff72

Download Submit
\Users\Admin\AppData\Local\Temp\is-I8SBK.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-I8SBK.tmp\_isetup\_isdecmp.dll

Filesize
19KB

MD5
3adaa386b671c2df3bae5b39dc093008

SHA1
067cf95fbdb922d81db58432c46930f86d23dded

SHA256
71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38

SHA512
bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303

Download Submit
memory/220-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/220-32-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4436-9-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/4436-33-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/4436-36-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download