97c2d5b8641875634156368989ff410bb6b5cab67c2c5430b73cb47d51982012

General

Target

97c2d5b8641875634156368989ff410bb6b5cab67c2c5430b73cb47d51982012.exe
Size

1.4MB
MD5

2f0d1effca8e06f489035a1e1facc192
SHA1

fd96f6c801e4791c82d2c7cf44c7a829d95a946b
SHA256

97c2d5b8641875634156368989ff410bb6b5cab67c2c5430b73cb47d51982012
SHA512

a8deb4a624d5d83c1c5aa98aa986dd9ae0b261a9e57066853e2187fc9ea25308e1d1e072efe80d76e569ff93734a75447566c9a31f5b0536fae532383075166f
SSDEEP

24576:Y4U6dqpfTTGiyfhy584ihQuL87Etqq6vOSpd57vwvN4j6Ii3Vke3u:Y4XwppyU+87jd57v243akj

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2328 set thread context of 1672	2328	97c2d5b8641875634156368989ff410bb6b5cab67c2c5430b73cb47d51982012.exe	28
PID 1672 set thread context of 1356	1672	calc.exe	6
PID 1672 set thread context of 2576	1672	calc.exe	29
PID 2576 set thread context of 1356	2576	wextract.exe	6

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
1672	calc.exe
1672	calc.exe
1672	calc.exe
1672	calc.exe
1672	calc.exe
1672	calc.exe
1672	calc.exe
1672	calc.exe
2576	wextract.exe
2576	wextract.exe
2576	wextract.exe
2576	wextract.exe
2576	wextract.exe
2576	wextract.exe
2576	wextract.exe
2576	wextract.exe
2576	wextract.exe
2576	wextract.exe
2576	wextract.exe
2576	wextract.exe
2576	wextract.exe
2576	wextract.exe
2576	wextract.exe
2576	wextract.exe
2576	wextract.exe
2576	wextract.exe
2576	wextract.exe
2576	wextract.exe
2576	wextract.exe
2576	wextract.exe
2576	wextract.exe
2576	wextract.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
1672	calc.exe
1356	Explorer.EXE
1356	Explorer.EXE
2576	wextract.exe
2576	wextract.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 1672	2328	97c2d5b8641875634156368989ff410bb6b5cab67c2c5430b73cb47d51982012.exe	28
PID 2328 wrote to memory of 1672	2328	97c2d5b8641875634156368989ff410bb6b5cab67c2c5430b73cb47d51982012.exe	28
PID 2328 wrote to memory of 1672	2328	97c2d5b8641875634156368989ff410bb6b5cab67c2c5430b73cb47d51982012.exe	28
PID 2328 wrote to memory of 1672	2328	97c2d5b8641875634156368989ff410bb6b5cab67c2c5430b73cb47d51982012.exe	28
PID 2328 wrote to memory of 1672	2328	97c2d5b8641875634156368989ff410bb6b5cab67c2c5430b73cb47d51982012.exe	28
PID 2328 wrote to memory of 1672	2328	97c2d5b8641875634156368989ff410bb6b5cab67c2c5430b73cb47d51982012.exe	28
PID 2328 wrote to memory of 1672	2328	97c2d5b8641875634156368989ff410bb6b5cab67c2c5430b73cb47d51982012.exe	28
PID 1356 wrote to memory of 2576	1356	Explorer.EXE	29
PID 1356 wrote to memory of 2576	1356	Explorer.EXE	29
PID 1356 wrote to memory of 2576	1356	Explorer.EXE	29
PID 1356 wrote to memory of 2576	1356	Explorer.EXE	29
PID 1356 wrote to memory of 2576	1356	Explorer.EXE	29
PID 1356 wrote to memory of 2576	1356	Explorer.EXE	29
PID 1356 wrote to memory of 2576	1356	Explorer.EXE	29

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1356
- C:\Users\Admin\AppData\Local\Temp\97c2d5b8641875634156368989ff410bb6b5cab67c2c5430b73cb47d51982012.exe
  "C:\Users\Admin\AppData\Local\Temp\97c2d5b8641875634156368989ff410bb6b5cab67c2c5430b73cb47d51982012.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Windows\SYSWOW64\calc.exe
    "C:\Windows\SYSWOW64\calc.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:1672
- C:\Windows\SysWOW64\wextract.exe
  "C:\Windows\SysWOW64\wextract.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2576

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1356-13-0x0000000003AA0000-0x0000000003BA0000-memory.dmp

Filesize
1024KB

Download
memory/1356-22-0x0000000008B60000-0x0000000008F9F000-memory.dmp

Filesize
4.2MB

Download
memory/1356-14-0x0000000008B60000-0x0000000008F9F000-memory.dmp

Filesize
4.2MB

Download
memory/1672-7-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1672-11-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1672-5-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1672-17-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1672-18-0x00000000001D0000-0x00000000001F2000-memory.dmp

Filesize
136KB

Download
memory/1672-8-0x0000000000AE0000-0x0000000000DE3000-memory.dmp

Filesize
3.0MB

Download
memory/1672-9-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1672-10-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1672-12-0x00000000001D0000-0x00000000001F2000-memory.dmp

Filesize
136KB

Download
memory/2328-2-0x0000000000A70000-0x0000000000A8A000-memory.dmp

Filesize
104KB

Download
memory/2328-3-0x0000000004F60000-0x0000000004FA0000-memory.dmp

Filesize
256KB

Download
memory/2328-4-0x00000000020F0000-0x0000000002182000-memory.dmp

Filesize
584KB

Download
memory/2328-6-0x0000000074740000-0x0000000074E2E000-memory.dmp

Filesize
6.9MB

Download
memory/2328-1-0x0000000074740000-0x0000000074E2E000-memory.dmp

Filesize
6.9MB

Download
memory/2328-0-0x0000000000B80000-0x0000000000CE8000-memory.dmp

Filesize
1.4MB

Download
memory/2576-15-0x00000000000F0000-0x000000000012A000-memory.dmp

Filesize
232KB

Download
memory/2576-16-0x00000000000F0000-0x000000000012A000-memory.dmp

Filesize
232KB

Download
memory/2576-20-0x00000000000F0000-0x000000000012A000-memory.dmp

Filesize
232KB

Download
memory/2576-19-0x00000000026A0000-0x00000000029A3000-memory.dmp

Filesize
3.0MB

Download
memory/2576-21-0x0000000000C50000-0x0000000000CF1000-memory.dmp

Filesize
644KB

Download
memory/2576-23-0x00000000000F0000-0x000000000012A000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing