30bd4388ee57835bfa75a55c8f69d185854003b8bbd6afc0ab0ec1fc80ce5263

General

Target

0ccb39aeea88ed05320590ea73be52f7.exe
Size

133KB
MD5

0ccb39aeea88ed05320590ea73be52f7
SHA1

37ad28601bbd075a444b5d3ded3b945d64efc5dc
SHA256

30bd4388ee57835bfa75a55c8f69d185854003b8bbd6afc0ab0ec1fc80ce5263
SHA512

6529107f7242b535b18ffd8073b70ff9745b602d8de19d3af82e31736cdf4fc4ff3aa74cacc2909495725a35d00d38b092dffe78d47e03f9cb5935235736863e
SSDEEP

1536:/3gGHj+7mx2ySFb/KrEjAu2HMpNr+3L6Iwc4vyyHI3:IAj/pK/KrUAuVpZHB6yH

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2176	TracL.exe
5044	TracL.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\TracL.exe	0ccb39aeea88ed05320590ea73be52f7.exe
File opened for modification	C:\Windows\SysWOW64\TracL.exe	0ccb39aeea88ed05320590ea73be52f7.exe
File created	C:\Windows\SysWOW64\TracL.exe	TracL.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4452 set thread context of 5104	4452	0ccb39aeea88ed05320590ea73be52f7.exe	91
PID 2176 set thread context of 5044	2176	TracL.exe	93
PID 5104 set thread context of 2928	5104	0ccb39aeea88ed05320590ea73be52f7.exe	96
PID 5044 set thread context of 5084	5044	TracL.exe	95

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4452	0ccb39aeea88ed05320590ea73be52f7.exe
2176	TracL.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 4452 wrote to memory of 5104	4452	0ccb39aeea88ed05320590ea73be52f7.exe	91
PID 4452 wrote to memory of 5104	4452	0ccb39aeea88ed05320590ea73be52f7.exe	91
PID 4452 wrote to memory of 5104	4452	0ccb39aeea88ed05320590ea73be52f7.exe	91
PID 4452 wrote to memory of 5104	4452	0ccb39aeea88ed05320590ea73be52f7.exe	91
PID 4452 wrote to memory of 5104	4452	0ccb39aeea88ed05320590ea73be52f7.exe	91
PID 4452 wrote to memory of 5104	4452	0ccb39aeea88ed05320590ea73be52f7.exe	91
PID 4452 wrote to memory of 5104	4452	0ccb39aeea88ed05320590ea73be52f7.exe	91
PID 4452 wrote to memory of 5104	4452	0ccb39aeea88ed05320590ea73be52f7.exe	91
PID 4452 wrote to memory of 5104	4452	0ccb39aeea88ed05320590ea73be52f7.exe	91
PID 2176 wrote to memory of 5044	2176	TracL.exe	93
PID 2176 wrote to memory of 5044	2176	TracL.exe	93
PID 2176 wrote to memory of 5044	2176	TracL.exe	93
PID 2176 wrote to memory of 5044	2176	TracL.exe	93
PID 2176 wrote to memory of 5044	2176	TracL.exe	93
PID 2176 wrote to memory of 5044	2176	TracL.exe	93
PID 2176 wrote to memory of 5044	2176	TracL.exe	93
PID 2176 wrote to memory of 5044	2176	TracL.exe	93
PID 2176 wrote to memory of 5044	2176	TracL.exe	93
PID 5104 wrote to memory of 2928	5104	0ccb39aeea88ed05320590ea73be52f7.exe	96
PID 5104 wrote to memory of 2928	5104	0ccb39aeea88ed05320590ea73be52f7.exe	96
PID 5104 wrote to memory of 2928	5104	0ccb39aeea88ed05320590ea73be52f7.exe	96
PID 5104 wrote to memory of 2928	5104	0ccb39aeea88ed05320590ea73be52f7.exe	96
PID 5044 wrote to memory of 5084	5044	TracL.exe	95
PID 5044 wrote to memory of 5084	5044	TracL.exe	95
PID 5044 wrote to memory of 5084	5044	TracL.exe	95
PID 5044 wrote to memory of 5084	5044	TracL.exe	95

C:\Users\Admin\AppData\Local\Temp\0ccb39aeea88ed05320590ea73be52f7.exe
"C:\Users\Admin\AppData\Local\Temp\0ccb39aeea88ed05320590ea73be52f7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4452
- C:\Users\Admin\AppData\Local\Temp\0ccb39aeea88ed05320590ea73be52f7.exe
  "C:\Users\Admin\AppData\Local\Temp\0ccb39aeea88ed05320590ea73be52f7.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:5104
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:2928

C:\Windows\SysWOW64\TracL.exe
C:\Windows\SysWOW64\TracL.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Windows\SysWOW64\TracL.exe
  "C:\Windows\SysWOW64\TracL.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:5044
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:5084

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\TracL.exe

Filesize
133KB

MD5
0ccb39aeea88ed05320590ea73be52f7

SHA1
37ad28601bbd075a444b5d3ded3b945d64efc5dc

SHA256
30bd4388ee57835bfa75a55c8f69d185854003b8bbd6afc0ab0ec1fc80ce5263

SHA512
6529107f7242b535b18ffd8073b70ff9745b602d8de19d3af82e31736cdf4fc4ff3aa74cacc2909495725a35d00d38b092dffe78d47e03f9cb5935235736863e

Download Submit
memory/2176-18-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2928-24-0x0000000000750000-0x0000000000754000-memory.dmp

Filesize
16KB

Download
memory/2928-33-0x0000000000750000-0x0000000000754000-memory.dmp

Filesize
16KB

Download
memory/4452-5-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4452-0-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/5044-29-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5044-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5044-20-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5084-26-0x0000000000B50000-0x0000000000B54000-memory.dmp

Filesize
16KB

Download
memory/5084-25-0x0000000000B50000-0x0000000000B54000-memory.dmp

Filesize
16KB

Download
memory/5084-23-0x0000000000B50000-0x0000000000B54000-memory.dmp

Filesize
16KB

Download
memory/5084-27-0x0000000000B50000-0x0000000000B54000-memory.dmp

Filesize
16KB

Download
memory/5084-30-0x0000000000B50000-0x0000000000B54000-memory.dmp

Filesize
16KB

Download
memory/5104-8-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5104-28-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5104-6-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5104-3-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing