5f1f01835e23dc12848d99026f8db2f980cbdf80dfef7101a189a6b366513738

General

Target

1c6ae563b2c94e980afd2959051211c8.exe
Size

524KB
MD5

1c6ae563b2c94e980afd2959051211c8
SHA1

e4207761301d003f5be6d842ac7cb7da92065bdf
SHA256

5f1f01835e23dc12848d99026f8db2f980cbdf80dfef7101a189a6b366513738
SHA512

812d549b906f6b80e9918d61116ab32377a46098db53537563b9e917235d1f274d1d5af9d17d9a5cb001ebe6f10a199f0b4a9090fdf9f78b6e5168076c0d3060
SSDEEP

12288:2kDgRwZ3AJebm6k93MlR9QukBq6xGJOpqERypiI3i/XUJot:242JeSd93Mxx0GkpGpvkXU

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1972	scvhost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1972 set thread context of 1720	1972	scvhost.exe	97

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system\scvhost.exe	1c6ae563b2c94e980afd2959051211c8.exe
File opened for modification	C:\Windows\system\scvhost.exe	1c6ae563b2c94e980afd2959051211c8.exe

Program crash 1 IoCs

pid	pid_target	Process
2660	1720	WerFault.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4020 wrote to memory of 2576	4020	1c6ae563b2c94e980afd2959051211c8.exe	98
PID 4020 wrote to memory of 2576	4020	1c6ae563b2c94e980afd2959051211c8.exe	98
PID 4020 wrote to memory of 2576	4020	1c6ae563b2c94e980afd2959051211c8.exe	98
PID 1972 wrote to memory of 1720	1972	scvhost.exe	97
PID 1972 wrote to memory of 1720	1972	scvhost.exe	97
PID 1972 wrote to memory of 1720	1972	scvhost.exe	97
PID 1972 wrote to memory of 1720	1972	scvhost.exe	97
PID 1972 wrote to memory of 1720	1972	scvhost.exe	97

C:\Users\Admin\AppData\Local\Temp\1c6ae563b2c94e980afd2959051211c8.exe
"C:\Users\Admin\AppData\Local\Temp\1c6ae563b2c94e980afd2959051211c8.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4020
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\4915.bat
  2⤵
  PID:2576

C:\Windows\system\scvhost.exe
C:\Windows\system\scvhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\system32\svchost.exe" 12345
  2⤵
  PID:1720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1720 -ip 1720
1⤵
PID:2656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 12
1⤵
- Program crash
PID:2660

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4915.bat

Filesize
198B

MD5
f1d540d3f48ef15749935f1b3fcd4bfc

SHA1
d12c9bf75ca34ee840646b28f914fece95f27a1e

SHA256
85c9bb29655a0a2c45cd5a11a6ab5b028d631bfe85a32b49010849cb956b3fc1

SHA512
447b93ccb8178676d7c9ed288ba3e28430d168371ffda2384a06bc5fd889ccc47cd8a0df71112ff9299cdcff9485af578482c756b5aa48c51b20d02ed1d12095

Download Submit
C:\Windows\System\scvhost.exe

Filesize
524KB

MD5
1c6ae563b2c94e980afd2959051211c8

SHA1
e4207761301d003f5be6d842ac7cb7da92065bdf

SHA256
5f1f01835e23dc12848d99026f8db2f980cbdf80dfef7101a189a6b366513738

SHA512
812d549b906f6b80e9918d61116ab32377a46098db53537563b9e917235d1f274d1d5af9d17d9a5cb001ebe6f10a199f0b4a9090fdf9f78b6e5168076c0d3060

Download Submit
C:\Windows\system\scvhost.exe

Filesize
442KB

MD5
8a107c6b654c1ea00dda0820385025c1

SHA1
37b89275c6a96e3576f47c3e8940b03036abdae9

SHA256
7ae5defc2e1a37489aacf3d9f4f975ce6d6a1159eb5c952097a9b979ac09ab9a

SHA512
90911271fbff35ffecce2ca5a26a63754c3d2264f505c12a6c2fc6e74cc469f6cdf11bcf5ba597bdf3724b931506e0f53038bc850cc0e14cf267509a6b8b4cdd

Download Submit
memory/1720-34-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/1972-27-0x0000000001ED0000-0x0000000001ED1000-memory.dmp

Filesize
4KB

Download
memory/1972-32-0x0000000001EF0000-0x0000000001EF1000-memory.dmp

Filesize
4KB

Download
memory/1972-33-0x0000000001EE0000-0x0000000001EE1000-memory.dmp

Filesize
4KB

Download
memory/1972-28-0x0000000001ED0000-0x0000000001ED1000-memory.dmp

Filesize
4KB

Download
memory/1972-38-0x00000000010E0000-0x00000000010E1000-memory.dmp

Filesize
4KB

Download
memory/1972-41-0x0000000000E50000-0x0000000000EAA000-memory.dmp

Filesize
360KB

Download
memory/1972-36-0x0000000001F20000-0x0000000001F21000-memory.dmp

Filesize
4KB

Download
memory/1972-31-0x0000000001F00000-0x0000000001F01000-memory.dmp

Filesize
4KB

Download
memory/1972-26-0x0000000000E50000-0x0000000000EAA000-memory.dmp

Filesize
360KB

Download
memory/1972-25-0x0000000000400000-0x00000000004DA208-memory.dmp

Filesize
872KB

Download
memory/1972-40-0x0000000000400000-0x00000000004DA208-memory.dmp

Filesize
872KB

Download
memory/4020-11-0x0000000003210000-0x0000000003213000-memory.dmp

Filesize
12KB

Download
memory/4020-0-0x0000000000400000-0x00000000004DA208-memory.dmp

Filesize
872KB

Download
memory/4020-18-0x00000000024D0000-0x00000000024D1000-memory.dmp

Filesize
4KB

Download
memory/4020-17-0x0000000003260000-0x0000000003261000-memory.dmp

Filesize
4KB

Download
memory/4020-16-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download
memory/4020-15-0x0000000003240000-0x0000000003241000-memory.dmp

Filesize
4KB

Download
memory/4020-14-0x0000000003250000-0x0000000003251000-memory.dmp

Filesize
4KB

Download
memory/4020-12-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/4020-13-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/4020-19-0x0000000003270000-0x0000000003271000-memory.dmp

Filesize
4KB

Download
memory/4020-37-0x00000000007E0000-0x000000000083A000-memory.dmp

Filesize
360KB

Download
memory/4020-35-0x0000000000400000-0x00000000004DA208-memory.dmp

Filesize
872KB

Download
memory/4020-10-0x0000000003220000-0x0000000003221000-memory.dmp

Filesize
4KB

Download
memory/4020-9-0x0000000002390000-0x0000000002391000-memory.dmp

Filesize
4KB

Download
memory/4020-5-0x0000000002410000-0x0000000002411000-memory.dmp

Filesize
4KB

Download
memory/4020-8-0x00000000023D0000-0x00000000023D1000-memory.dmp

Filesize
4KB

Download
memory/4020-4-0x00000000023F0000-0x00000000023F1000-memory.dmp

Filesize
4KB

Download
memory/4020-3-0x0000000002400000-0x0000000002401000-memory.dmp

Filesize
4KB

Download
memory/4020-2-0x00000000023B0000-0x00000000023B1000-memory.dmp

Filesize
4KB

Download
memory/4020-1-0x00000000007E0000-0x000000000083A000-memory.dmp

Filesize
360KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads