e0bdf191adb3626c0a6fec9c43b7339183ddc7afd31845393d9de9b9210b92bf

General

Target

1a1629b18c21bd85cdcd52f2f9f715dd.exe
Size

1.4MB
MD5

1a1629b18c21bd85cdcd52f2f9f715dd
SHA1

acdef85fb554993253ec0f8466b88f7c89212e83
SHA256

e0bdf191adb3626c0a6fec9c43b7339183ddc7afd31845393d9de9b9210b92bf
SHA512

54dbca6f8629fb493743d2b787af9d326872ee1fbaa9c4c314e0de73528c806cdc63d9c94edbd1ffb701d71fb2e8b45960749c8777c1297bf63a2be1737dac9f
SSDEEP

24576:S0CzsVUGO/58jXDhShkB/yxKiRc9gH8z/ppyw777rVo8z+Ql1FzwSlMu:izqOej2kB/yHAgcz/jyeaocSlMu

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2544	77.exe
2604	360saf1.exe
2692	360saf1.exe

Loads dropped DLL 2 IoCs

pid	Process
824	1a1629b18c21bd85cdcd52f2f9f715dd.exe
824	1a1629b18c21bd85cdcd52f2f9f715dd.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\360saf1.exe	77.exe
File opened for modification	C:\Windows\360saf1.exe	77.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2544	77.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
824	1a1629b18c21bd85cdcd52f2f9f715dd.exe
824	1a1629b18c21bd85cdcd52f2f9f715dd.exe
824	1a1629b18c21bd85cdcd52f2f9f715dd.exe
824	1a1629b18c21bd85cdcd52f2f9f715dd.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 824 wrote to memory of 2544	824	1a1629b18c21bd85cdcd52f2f9f715dd.exe	26
PID 824 wrote to memory of 2544	824	1a1629b18c21bd85cdcd52f2f9f715dd.exe	26
PID 824 wrote to memory of 2544	824	1a1629b18c21bd85cdcd52f2f9f715dd.exe	26
PID 824 wrote to memory of 2544	824	1a1629b18c21bd85cdcd52f2f9f715dd.exe	26
PID 2544 wrote to memory of 2604	2544	77.exe	25
PID 2544 wrote to memory of 2604	2544	77.exe	25
PID 2544 wrote to memory of 2604	2544	77.exe	25
PID 2544 wrote to memory of 2604	2544	77.exe	25
PID 2544 wrote to memory of 2708	2544	77.exe	22
PID 2544 wrote to memory of 2708	2544	77.exe	22
PID 2544 wrote to memory of 2708	2544	77.exe	22
PID 2544 wrote to memory of 2708	2544	77.exe	22

C:\Users\Admin\AppData\Local\Temp\1a1629b18c21bd85cdcd52f2f9f715dd.exe
"C:\Users\Admin\AppData\Local\Temp\1a1629b18c21bd85cdcd52f2f9f715dd.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:824
- C:\Users\Admin\AppData\Local\Temp\77.exe
  C:\Users\Admin\AppData\Local\Temp\\77.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2544
- C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe
  C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe
  2⤵
  PID:1744
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://get3.adobe.com/flashplayer/update/activex
    3⤵
    PID:2348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C del C:\Users\Admin\AppData\Local\Temp\77.exe > nul
1⤵
PID:2708

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
1⤵
PID:2704

C:\Windows\360saf1.exe
C:\Windows\360saf1.exe
1⤵
- Executes dropped EXE
PID:2692

C:\Windows\360saf1.exe
"C:\Windows\360saf1.exe"
1⤵
- Executes dropped EXE
PID:2604

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2348 CREDAT:275457 /prefetch:2
1⤵
PID:912

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XX7VLQEY\NewErrorPageTemplate[1]

Filesize
1KB

MD5
cdf81e591d9cbfb47a7f97a2bcdb70b9

SHA1
8f12010dfaacdecad77b70a3e781c707cf328496

SHA256
204d95c6fb161368c795bb63e538fe0b11f9e406494bb5758b3b0d60c5f651bd

SHA512
977dcc2c6488acaf0e5970cef1a7a72c9f9dc6bb82da54f057e0853c8e939e4ab01b163eb7a5058e093a8bc44ecad9d06880fdc883e67e28ac67fee4d070a4cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XX7VLQEY\dnserrordiagoff[2]

Filesize
1KB

MD5
47f581b112d58eda23ea8b2e08cf0ff0

SHA1
6ec1df5eaec1439573aef0fb96dabfc953305e5b

SHA256
b1c947d00db5fce43314c56c663dbeae0ffa13407c9c16225c17ccefc3afa928

SHA512
187383eef3d646091e9f68eff680a11c7947b3d9b54a78cc6de4a04629d7037e9c97673ac054a6f1cf591235c110ca181a6b69ecba0e5032168f56f4486fff92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XX7VLQEY\errorPageStrings[1]

Filesize
2KB

MD5
e3e4a98353f119b80b323302f26b78fa

SHA1
20ee35a370cdd3a8a7d04b506410300fd0a6a864

SHA256
9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66

SHA512
d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

Download Submit
C:\Users\Admin\AppData\Local\Temp\77.exe

Filesize
31KB

MD5
a78d03fdb023268833e60c4676335a86

SHA1
298b48caea19fb3ef2333c490427fffc7d28d208

SHA256
0fcbed45204a331614c2a9e911f39709775c6644939ca5f77d08ade9c5988444

SHA512
e9702ca220718b52784c3c10a6e8ff2746082686ab856462e08595848e02ee281d2263c1e1afed0aec6a5eb98e83beadcd6e1397aa3597f72c2db3cff6686168

Download Submit
memory/824-118-0x00000000029E0000-0x0000000002A00000-memory.dmp

Filesize
128KB

Download
memory/824-121-0x00000000029E0000-0x0000000002A00000-memory.dmp

Filesize
128KB

Download
memory/824-604-0x00000000029E0000-0x0000000002A00000-memory.dmp

Filesize
128KB

Download
memory/2704-18-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2704-20-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2704-22-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing