bddfeef1bf1c1dd644d29fbbbccc8f1cc5a738c54cfdbaf5a444764cff41f304

General

Target

690ab7dc3e868b95423e5a4988bd279e.exe
Size

198KB
MD5

690ab7dc3e868b95423e5a4988bd279e
SHA1

7404effaaf93b892026c22e865fe807b5f19a209
SHA256

bddfeef1bf1c1dd644d29fbbbccc8f1cc5a738c54cfdbaf5a444764cff41f304
SHA512

0ca39d84105ab8ad4a68b923e46c161c554b7b67b558c7d8f7295c35b5ebbb441e866fb13cebd8819108fca94fa75bec660acc70cf608ef2a3f42f6f2ddf4b53
SSDEEP

3072:gvuRuTGctGBGp1fn1JINh1WRxLN5iN9OXKnsLSHt6Yn0RolRRo9a5Paow6FikyQ:gvsu6c1p1fTINqkts+HfooZoiE6Z

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
1292	hotefix.exe
2280	hotefix.exe
2788	hotefix.exe
1036	hotefix.exe
364	hotefix.exe

Loads dropped DLL 10 IoCs

pid	Process
2360	690ab7dc3e868b95423e5a4988bd279e.exe
2360	690ab7dc3e868b95423e5a4988bd279e.exe
1292	hotefix.exe
1292	hotefix.exe
2280	hotefix.exe
2280	hotefix.exe
2788	hotefix.exe
2788	hotefix.exe
1036	hotefix.exe
1036	hotefix.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\hotefix.exe	hotefix.exe
File created	C:\Windows\SysWOW64\hotefix.exe	hotefix.exe
File created	C:\Windows\SysWOW64\hotefix.exe	hotefix.exe
File created	C:\Windows\SysWOW64\hotefix.exe	hotefix.exe
File created	C:\Windows\SysWOW64\hotefix.exe	hotefix.exe
File created	C:\Windows\SysWOW64\hotefix.exe	690ab7dc3e868b95423e5a4988bd279e.exe
File opened for modification	C:\Windows\SysWOW64\hotefix.exe	690ab7dc3e868b95423e5a4988bd279e.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
2360	690ab7dc3e868b95423e5a4988bd279e.exe
2360	690ab7dc3e868b95423e5a4988bd279e.exe
2360	690ab7dc3e868b95423e5a4988bd279e.exe
2360	690ab7dc3e868b95423e5a4988bd279e.exe
2360	690ab7dc3e868b95423e5a4988bd279e.exe
2360	690ab7dc3e868b95423e5a4988bd279e.exe
1292	hotefix.exe
1292	hotefix.exe
1292	hotefix.exe
1292	hotefix.exe
1292	hotefix.exe
1292	hotefix.exe
2280	hotefix.exe
2280	hotefix.exe
2280	hotefix.exe
2280	hotefix.exe
2280	hotefix.exe
2280	hotefix.exe
2788	hotefix.exe
2788	hotefix.exe
2788	hotefix.exe
2788	hotefix.exe
2788	hotefix.exe
2788	hotefix.exe
1036	hotefix.exe
1036	hotefix.exe
1036	hotefix.exe
1036	hotefix.exe
1036	hotefix.exe
1036	hotefix.exe
364	hotefix.exe
364	hotefix.exe
364	hotefix.exe
364	hotefix.exe
364	hotefix.exe
364	hotefix.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 1292	2360	690ab7dc3e868b95423e5a4988bd279e.exe	28
PID 2360 wrote to memory of 1292	2360	690ab7dc3e868b95423e5a4988bd279e.exe	28
PID 2360 wrote to memory of 1292	2360	690ab7dc3e868b95423e5a4988bd279e.exe	28
PID 2360 wrote to memory of 1292	2360	690ab7dc3e868b95423e5a4988bd279e.exe	28
PID 1292 wrote to memory of 2280	1292	hotefix.exe	31
PID 1292 wrote to memory of 2280	1292	hotefix.exe	31
PID 1292 wrote to memory of 2280	1292	hotefix.exe	31
PID 1292 wrote to memory of 2280	1292	hotefix.exe	31
PID 2280 wrote to memory of 2788	2280	hotefix.exe	32
PID 2280 wrote to memory of 2788	2280	hotefix.exe	32
PID 2280 wrote to memory of 2788	2280	hotefix.exe	32
PID 2280 wrote to memory of 2788	2280	hotefix.exe	32
PID 2788 wrote to memory of 1036	2788	hotefix.exe	33
PID 2788 wrote to memory of 1036	2788	hotefix.exe	33
PID 2788 wrote to memory of 1036	2788	hotefix.exe	33
PID 2788 wrote to memory of 1036	2788	hotefix.exe	33
PID 1036 wrote to memory of 364	1036	hotefix.exe	34
PID 1036 wrote to memory of 364	1036	hotefix.exe	34
PID 1036 wrote to memory of 364	1036	hotefix.exe	34
PID 1036 wrote to memory of 364	1036	hotefix.exe	34

C:\Users\Admin\AppData\Local\Temp\690ab7dc3e868b95423e5a4988bd279e.exe
"C:\Users\Admin\AppData\Local\Temp\690ab7dc3e868b95423e5a4988bd279e.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Windows\SysWOW64\hotefix.exe
  C:\Windows\system32\hotefix.exe -bai C:\Users\Admin\AppData\Local\Temp\690ab7dc3e868b95423e5a4988bd279e.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1292
- - C:\Windows\SysWOW64\hotefix.exe
    C:\Windows\system32\hotefix.exe -bai C:\Windows\SysWOW64\hotefix.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2280
  - - C:\Windows\SysWOW64\hotefix.exe
      C:\Windows\system32\hotefix.exe -bai C:\Windows\SysWOW64\hotefix.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2788
    - - C:\Windows\SysWOW64\hotefix.exe
        
        C:\Windows\system32\hotefix.exe -bai C:\Windows\SysWOW64\hotefix.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1036
      - C:\Windows\SysWOW64\hotefix.exe
        
        C:\Windows\system32\hotefix.exe -bai C:\Windows\SysWOW64\hotefix.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:364

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\hotefix.exe

Filesize
189KB

MD5
3e9efe1a26689f36aabef64cd9bfc929

SHA1
6fbb251579b540fe28b423d2190d4a172d3135fe

SHA256
2aeddb6585c73a39508ba91f414041c2adb6e9c9558318052b97afbc112a7168

SHA512
8e26dc3c35e2a96a0c2374431d5f2f8e84287189678730484bafc7c091c3657d4e086602e4e90f85ff0a1031084f3d59905a99a741bf20d9b58f1bf68b49da5f

Download Submit
C:\Windows\SysWOW64\hotefix.exe

Filesize
11KB

MD5
317d06ff82a118841c97275fc2b7e817

SHA1
0431ded8e67f87742ff3aaa5a98fc684b2534860

SHA256
7d3448ab74def9ce09c95dabfa21d5a6f96b6e889a4936d5ebda56577ecf6361

SHA512
a0790fa60e3e1a8dbb347ee2cc04815a60c51554c0654b2c573c85f2cefa2f68ed3a9d781e70efd8e187b0dd473b3e998e482530d876035c3f27ce9eb93efb5f

Download Submit
C:\Windows\SysWOW64\hotefix.exe

Filesize
140KB

MD5
70eab6bb3433aa789f2782090d9a8c2c

SHA1
690a1ddbd08fbe8e8748f7cac55a208e7f76717e

SHA256
528152384607a370f57c093ceb086fe74152afa0a7b25d872c009e66477654bb

SHA512
9a6ba3b7b37e7e6e8dba5a3924efdfa70b537b62c7b7b0f3609ad7a3737bcbc1afd19aeebe87d13359b47035596e10000535933ffe9dd22f34f71636c694c3b4

Download Submit
\Windows\SysWOW64\hotefix.exe

Filesize
68KB

MD5
dd0081b1f2fcee0f71487d3d3bee0a8d

SHA1
c681a3e2785e66976273be724cf5bfb01f298b72

SHA256
a313e22ed4d20e83d62f96af94d002168faee68bb4caf91cf5ec225ca4c20efb

SHA512
6d26494ba9bdac578e3a9e565f7d60e62fffd1c8bacc65218f723a4eb04093a760aecea9830d8d07b3c423b6cc6b0935164c55a24b6e714624ab97c1987c4f45

Download Submit
\Windows\SysWOW64\hotefix.exe

Filesize
93KB

MD5
ad07af1ea96e53f2e338a41ce53cb247

SHA1
e30f3371c07863d9cc76567349c2ecd67476b9fe

SHA256
b72d0e7581a78e57ede5268e9768c143e5cf9803110b8c00e32467768e374e69

SHA512
41c0c17bdd9f62bfe86dd3b750f67467de292697bf1b72ae09bf6c864a6980460b3240383671815559f4f66a36f29297c3b55731c031bea556e070d8873cc869

Download Submit
\Windows\SysWOW64\hotefix.exe

Filesize
198KB

MD5
690ab7dc3e868b95423e5a4988bd279e

SHA1
7404effaaf93b892026c22e865fe807b5f19a209

SHA256
bddfeef1bf1c1dd644d29fbbbccc8f1cc5a738c54cfdbaf5a444764cff41f304

SHA512
0ca39d84105ab8ad4a68b923e46c161c554b7b67b558c7d8f7295c35b5ebbb441e866fb13cebd8819108fca94fa75bec660acc70cf608ef2a3f42f6f2ddf4b53

Download Submit
memory/364-62-0x0000000000400000-0x00000000013D5000-memory.dmp

Filesize
15.8MB

Download
memory/364-61-0x0000000002E20000-0x0000000002F30000-memory.dmp

Filesize
1.1MB

Download
memory/1036-60-0x0000000003670000-0x0000000004645000-memory.dmp

Filesize
15.8MB

Download
memory/1036-59-0x0000000000400000-0x00000000013D5000-memory.dmp

Filesize
15.8MB

Download
memory/1036-54-0x0000000000400000-0x00000000013D5000-memory.dmp

Filesize
15.8MB

Download
memory/1036-51-0x0000000002D90000-0x0000000002EA0000-memory.dmp

Filesize
1.1MB

Download
memory/1292-15-0x0000000000400000-0x00000000013D5000-memory.dmp

Filesize
15.8MB

Download
memory/1292-27-0x0000000003640000-0x0000000004615000-memory.dmp

Filesize
15.8MB

Download
memory/1292-16-0x0000000002F40000-0x0000000003050000-memory.dmp

Filesize
1.1MB

Download
memory/1292-28-0x0000000000400000-0x00000000013D5000-memory.dmp

Filesize
15.8MB

Download
memory/1292-21-0x0000000000400000-0x00000000013D5000-memory.dmp

Filesize
15.8MB

Download
memory/2280-43-0x0000000003600000-0x00000000045D5000-memory.dmp

Filesize
15.8MB

Download
memory/2280-29-0x0000000002E30000-0x0000000002F40000-memory.dmp

Filesize
1.1MB

Download
memory/2280-38-0x0000000003600000-0x00000000045D5000-memory.dmp

Filesize
15.8MB

Download
memory/2280-37-0x0000000000400000-0x00000000013D5000-memory.dmp

Filesize
15.8MB

Download
memory/2280-32-0x0000000000400000-0x00000000013D5000-memory.dmp

Filesize
15.8MB

Download
memory/2360-20-0x0000000003610000-0x00000000045E5000-memory.dmp

Filesize
15.8MB

Download
memory/2360-1-0x0000000002E50000-0x0000000002F60000-memory.dmp

Filesize
1.1MB

Download
memory/2360-4-0x0000000003610000-0x00000000045E5000-memory.dmp

Filesize
15.8MB

Download
memory/2360-13-0x0000000000400000-0x00000000013D5000-memory.dmp

Filesize
15.8MB

Download
memory/2360-14-0x0000000003610000-0x00000000045E5000-memory.dmp

Filesize
15.8MB

Download
memory/2360-0-0x0000000000400000-0x00000000013D5000-memory.dmp

Filesize
15.8MB

Download
memory/2788-40-0x0000000002E90000-0x0000000002FA0000-memory.dmp

Filesize
1.1MB

Download
memory/2788-49-0x0000000003680000-0x0000000004655000-memory.dmp

Filesize
15.8MB

Download
memory/2788-50-0x0000000000400000-0x00000000013D5000-memory.dmp

Filesize
15.8MB

Download
memory/2788-44-0x0000000000400000-0x00000000013D5000-memory.dmp

Filesize
15.8MB

Download
memory/2788-39-0x0000000000400000-0x00000000013D5000-memory.dmp

Filesize
15.8MB

Download

Analysis

Sharing