52c3223b70459ec6606d6b3a03dbab4b86421c381a7ba8ffed7b5c5b31374394

General

Target

2ca479cdbaa89bc3bc65f23b6fa7ce68.exe
Size

2.1MB
MD5

2ca479cdbaa89bc3bc65f23b6fa7ce68
SHA1

c1d50fbc1f951c50011a934da130c5250ead8e27
SHA256

52c3223b70459ec6606d6b3a03dbab4b86421c381a7ba8ffed7b5c5b31374394
SHA512

9de01235bc24ac6d23184e0899bab77975a6775273ca0427aa1f7651b14bf44cad9452c90a44d366f622f5b5cfa32696ba106673cbb90b2dd2d3e95e798b6493
SSDEEP

49152:TaO6seoygHEmNw9ur56+8dwA/OYtiW4jClzXp3ZYoc9O:+VoREmsS6lyY0XCpZ3ZFD

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2704	2ca479cdbaa89bc3bc65f23b6fa7ce68.tmp

Loads dropped DLL 3 IoCs

pid	Process
2704	2ca479cdbaa89bc3bc65f23b6fa7ce68.tmp
2704	2ca479cdbaa89bc3bc65f23b6fa7ce68.tmp
2704	2ca479cdbaa89bc3bc65f23b6fa7ce68.tmp

Script User-Agent 4 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	20	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	22	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	32	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	16	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
2704	2ca479cdbaa89bc3bc65f23b6fa7ce68.tmp
2704	2ca479cdbaa89bc3bc65f23b6fa7ce68.tmp
2704	2ca479cdbaa89bc3bc65f23b6fa7ce68.tmp
2704	2ca479cdbaa89bc3bc65f23b6fa7ce68.tmp
2704	2ca479cdbaa89bc3bc65f23b6fa7ce68.tmp
2704	2ca479cdbaa89bc3bc65f23b6fa7ce68.tmp
2704	2ca479cdbaa89bc3bc65f23b6fa7ce68.tmp
2704	2ca479cdbaa89bc3bc65f23b6fa7ce68.tmp
2704	2ca479cdbaa89bc3bc65f23b6fa7ce68.tmp
2704	2ca479cdbaa89bc3bc65f23b6fa7ce68.tmp
2704	2ca479cdbaa89bc3bc65f23b6fa7ce68.tmp
2704	2ca479cdbaa89bc3bc65f23b6fa7ce68.tmp
2704	2ca479cdbaa89bc3bc65f23b6fa7ce68.tmp
2704	2ca479cdbaa89bc3bc65f23b6fa7ce68.tmp
2704	2ca479cdbaa89bc3bc65f23b6fa7ce68.tmp
2704	2ca479cdbaa89bc3bc65f23b6fa7ce68.tmp
2704	2ca479cdbaa89bc3bc65f23b6fa7ce68.tmp
2704	2ca479cdbaa89bc3bc65f23b6fa7ce68.tmp
2704	2ca479cdbaa89bc3bc65f23b6fa7ce68.tmp
2704	2ca479cdbaa89bc3bc65f23b6fa7ce68.tmp
2704	2ca479cdbaa89bc3bc65f23b6fa7ce68.tmp
2704	2ca479cdbaa89bc3bc65f23b6fa7ce68.tmp
2704	2ca479cdbaa89bc3bc65f23b6fa7ce68.tmp
2704	2ca479cdbaa89bc3bc65f23b6fa7ce68.tmp
2704	2ca479cdbaa89bc3bc65f23b6fa7ce68.tmp
2704	2ca479cdbaa89bc3bc65f23b6fa7ce68.tmp
2704	2ca479cdbaa89bc3bc65f23b6fa7ce68.tmp
2704	2ca479cdbaa89bc3bc65f23b6fa7ce68.tmp
2704	2ca479cdbaa89bc3bc65f23b6fa7ce68.tmp
2704	2ca479cdbaa89bc3bc65f23b6fa7ce68.tmp
2704	2ca479cdbaa89bc3bc65f23b6fa7ce68.tmp
2704	2ca479cdbaa89bc3bc65f23b6fa7ce68.tmp
2704	2ca479cdbaa89bc3bc65f23b6fa7ce68.tmp
2704	2ca479cdbaa89bc3bc65f23b6fa7ce68.tmp
2704	2ca479cdbaa89bc3bc65f23b6fa7ce68.tmp
2704	2ca479cdbaa89bc3bc65f23b6fa7ce68.tmp
2704	2ca479cdbaa89bc3bc65f23b6fa7ce68.tmp
2704	2ca479cdbaa89bc3bc65f23b6fa7ce68.tmp
2704	2ca479cdbaa89bc3bc65f23b6fa7ce68.tmp
2704	2ca479cdbaa89bc3bc65f23b6fa7ce68.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1116 wrote to memory of 2704	1116	2ca479cdbaa89bc3bc65f23b6fa7ce68.exe	88
PID 1116 wrote to memory of 2704	1116	2ca479cdbaa89bc3bc65f23b6fa7ce68.exe	88
PID 1116 wrote to memory of 2704	1116	2ca479cdbaa89bc3bc65f23b6fa7ce68.exe	88

C:\Users\Admin\AppData\Local\Temp\2ca479cdbaa89bc3bc65f23b6fa7ce68.exe
"C:\Users\Admin\AppData\Local\Temp\2ca479cdbaa89bc3bc65f23b6fa7ce68.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1116
- C:\Users\Admin\AppData\Local\Temp\is-94HV1.tmp\2ca479cdbaa89bc3bc65f23b6fa7ce68.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-94HV1.tmp\2ca479cdbaa89bc3bc65f23b6fa7ce68.tmp" /SL5="$9018E,1908789,54272,C:\Users\Admin\AppData\Local\Temp\2ca479cdbaa89bc3bc65f23b6fa7ce68.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:2704

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-94HV1.tmp\2ca479cdbaa89bc3bc65f23b6fa7ce68.tmp

Filesize
688KB

MD5
67c5a4f36e1c91a3b85e440edd7ad026

SHA1
e49ea0e558ed682498cc61b3070e4c402fbf0912

SHA256
99c299d6565ab53d9af66e0146737dc0ecfbc52ecf4740825b552db0cc4210c6

SHA512
40522d4645ece0db9888ea40d1a11356aa5efc191184a0b97cb54a6c243532b1fc306e9095bbfa1f5dc02c8e52b709650230d1383532136e56caea3dc19a973e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-94HV1.tmp\2ca479cdbaa89bc3bc65f23b6fa7ce68.tmp

Filesize
361KB

MD5
8fa84b1ffa671d38ecfadccc87967597

SHA1
6c78f65d08bcc996e8303c8ba8a063666569dd18

SHA256
820a2373f4e57083a9b449275a3c9f953b781ac38fd03ce56ccecf6dfa87462a

SHA512
67055cd178ea451941839139725166e5b520996a076aee9b2cadf361606f9a16a65a2faa9b5393edd4d3e02ab2a2c0ffa8db673b666984ee0585bf95032c7475

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-Q8BBF.tmp\itdownload.dll

Filesize
200KB

MD5
d82a429efd885ca0f324dd92afb6b7b8

SHA1
86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea

SHA256
b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3

SHA512
5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-Q8BBF.tmp\psvince.dll

Filesize
36KB

MD5
a4e5c512b047a6d9dc38549161cac4de

SHA1
49d3e74f9604a6c61cda04ccc6d3cda87e280dfb

SHA256
c7f1e7e866834d9024f97c2b145c09d106e447e8abd65a10a1732116d178e44e

SHA512
2edb8a492b8369d56dda735a652c9e08539a5c4709a794efaff91adcae192a636d0545725af16cf8c31b275b34c2f19e4b019b57fb9050b99de65a4c08e3eee1

Download Submit
memory/1116-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1116-45-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2704-39-0x0000000006870000-0x0000000006871000-memory.dmp

Filesize
4KB

Download
memory/2704-36-0x0000000006840000-0x0000000006841000-memory.dmp

Filesize
4KB

Download
memory/2704-32-0x0000000006800000-0x0000000006801000-memory.dmp

Filesize
4KB

Download
memory/2704-41-0x00000000068A0000-0x00000000068A1000-memory.dmp

Filesize
4KB

Download
memory/2704-44-0x0000000006890000-0x0000000006891000-memory.dmp

Filesize
4KB

Download
memory/2704-43-0x00000000068C0000-0x00000000068C1000-memory.dmp

Filesize
4KB

Download
memory/2704-42-0x00000000068B0000-0x00000000068B1000-memory.dmp

Filesize
4KB

Download
memory/2704-40-0x0000000006880000-0x0000000006881000-memory.dmp

Filesize
4KB

Download
memory/2704-16-0x0000000003A70000-0x0000000003AAC000-memory.dmp

Filesize
240KB

Download
memory/2704-38-0x0000000006860000-0x0000000006861000-memory.dmp

Filesize
4KB

Download
memory/2704-37-0x0000000006850000-0x0000000006851000-memory.dmp

Filesize
4KB

Download
memory/2704-27-0x00000000067B0000-0x00000000067B1000-memory.dmp

Filesize
4KB

Download
memory/2704-35-0x0000000006830000-0x0000000006831000-memory.dmp

Filesize
4KB

Download
memory/2704-34-0x0000000006820000-0x0000000006821000-memory.dmp

Filesize
4KB

Download
memory/2704-33-0x0000000006810000-0x0000000006811000-memory.dmp

Filesize
4KB

Download
memory/2704-31-0x00000000067F0000-0x00000000067F1000-memory.dmp

Filesize
4KB

Download
memory/2704-30-0x00000000067E0000-0x00000000067E1000-memory.dmp

Filesize
4KB

Download
memory/2704-29-0x00000000067D0000-0x00000000067D1000-memory.dmp

Filesize
4KB

Download
memory/2704-28-0x00000000067C0000-0x00000000067C1000-memory.dmp

Filesize
4KB

Download
memory/2704-46-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2704-47-0x0000000003A70000-0x0000000003AAC000-memory.dmp

Filesize
240KB

Download
memory/2704-6-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download
memory/2704-49-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download
memory/2704-87-0x0000000003A70000-0x0000000003AAC000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing