8aa82fd500e80cc53263f05b916ea7a4a0eb3ed5b54ce3ed98e02fff45d739f5

General

Target

5c093f72d1ac9fa97d0d5289655e7d74.exe
Size

46KB
MD5

5c093f72d1ac9fa97d0d5289655e7d74
SHA1

9b8fd11233416fe520cda2be289775850bbf3cd1
SHA256

8aa82fd500e80cc53263f05b916ea7a4a0eb3ed5b54ce3ed98e02fff45d739f5
SHA512

a7940f1505eef9e345f0f2d6a0eb3b96adabbb3955a65de55e1e10166aceef676991fe56aafad18fa459d2b706ba234e6692384400dbed47c27b863a217009b9
SSDEEP

768:Y4rPIkz0ABBt5BeIPH/ceMdehVikgsGhbfk3p9g0MUnl+vb/ebWI17hhfCEX:mkzLz9/hMdyEkgsF3p9JMUnAT2a2hhfR

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
228	cfgload32.exe

Drops file in System32 directory 19 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe	cfgload32.exe
File created	C:\Windows\SysWOW64\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe	cfgload32.exe
File created	C:\Windows\SysWOW64\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe	cfgload32.exe
File opened for modification	C:\Windows\SysWOW64\cfgload32.exe	5c093f72d1ac9fa97d0d5289655e7d74.exe
File created	C:\Windows\SysWOW64\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe	cfgload32.exe
File created	C:\Windows\SysWOW64\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe	cfgload32.exe
File created	C:\Windows\SysWOW64\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe	cfgload32.exe
File created	C:\Windows\SysWOW64\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe	cfgload32.exe
File created	C:\Windows\SysWOW64\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe	cfgload32.exe
File created	C:\Windows\SysWOW64\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe	cfgload32.exe
File created	C:\Windows\SysWOW64\cfgload32.exe	5c093f72d1ac9fa97d0d5289655e7d74.exe
File created	C:\Windows\SysWOW64\cfgload32.exe	cfgload32.exe
File created	C:\Windows\SysWOW64\cfgload32.exe\cfgload32.exe	cfgload32.exe
File created	C:\Windows\SysWOW64\cfgload32.exe\cfgload32.exe\cfgload32.exe	cfgload32.exe
File created	C:\Windows\SysWOW64\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe	cfgload32.exe
File created	C:\Windows\SysWOW64\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe	cfgload32.exe
File created	C:\Windows\SysWOW64\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe	cfgload32.exe
File created	C:\Windows\SysWOW64\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe	cfgload32.exe
File created	C:\Windows\SysWOW64\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe\cfgload32.exe	cfgload32.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1508	5c093f72d1ac9fa97d0d5289655e7d74.exe
1508	5c093f72d1ac9fa97d0d5289655e7d74.exe
228	cfgload32.exe
228	cfgload32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	4676	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1508 wrote to memory of 228	1508	5c093f72d1ac9fa97d0d5289655e7d74.exe	91
PID 1508 wrote to memory of 228	1508	5c093f72d1ac9fa97d0d5289655e7d74.exe	91
PID 1508 wrote to memory of 228	1508	5c093f72d1ac9fa97d0d5289655e7d74.exe	91

C:\Users\Admin\AppData\Local\Temp\5c093f72d1ac9fa97d0d5289655e7d74.exe
"C:\Users\Admin\AppData\Local\Temp\5c093f72d1ac9fa97d0d5289655e7d74.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1508
- C:\Windows\SysWOW64\cfgload32.exe
  C:\Windows\system32\cfgload32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:228

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:3376

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4676

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\cfgload32.exe

Filesize
46KB

MD5
5c093f72d1ac9fa97d0d5289655e7d74

SHA1
9b8fd11233416fe520cda2be289775850bbf3cd1

SHA256
8aa82fd500e80cc53263f05b916ea7a4a0eb3ed5b54ce3ed98e02fff45d739f5

SHA512
a7940f1505eef9e345f0f2d6a0eb3b96adabbb3955a65de55e1e10166aceef676991fe56aafad18fa459d2b706ba234e6692384400dbed47c27b863a217009b9

Download Submit
memory/228-11-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/228-12-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1508-9-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1508-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1508-3-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1508-1-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4676-29-0x00000203FF740000-0x00000203FF750000-memory.dmp

Filesize
64KB

Download
memory/4676-13-0x00000203FF640000-0x00000203FF650000-memory.dmp

Filesize
64KB

Download
memory/4676-45-0x00000203FFA10000-0x00000203FFA11000-memory.dmp

Filesize
4KB

Download
memory/4676-47-0x00000203FFA40000-0x00000203FFA41000-memory.dmp

Filesize
4KB

Download
memory/4676-49-0x00000203FFB50000-0x00000203FFB51000-memory.dmp

Filesize
4KB

Download
memory/4676-48-0x00000203FFA40000-0x00000203FFA41000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing