88d2981e79ab8b2807b6b10844835a9e620597da14840933a32f207d11c66aa1

General

Target

scan documentss_doc.exe
Size

735KB
MD5

87d3bc65a5337421e00b883b31372659
SHA1

6f5c95a8676fddcb494967fdf5f3eb0b82125d10
SHA256

88d2981e79ab8b2807b6b10844835a9e620597da14840933a32f207d11c66aa1
SHA512

f76472c2ac74d10eaec318b27d0b6ed3e18dee2da701258579d2001eb94f8a1d61d54df145026854fffe8fe96391c0a152963df8378a6e64015764f7a11dbd57
SSDEEP

12288:ru3Zy8ziel8HYbCI+IkGL/VRwJcqwCb5HJh5rdcQet6QpOYtHwJJoOLN8keASP:ru3ZTzeYbhkGzXwyqX5pzrvQpOmOLN8J

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1720 set thread context of 2664	1720	scan documentss_doc.exe	28
PID 2664 set thread context of 1240	2664	scan documentss_doc.exe	10
PID 2664 set thread context of 2504	2664	scan documentss_doc.exe	31
PID 2504 set thread context of 1240	2504	nslookup.exe	10

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
2664	scan documentss_doc.exe
2664	scan documentss_doc.exe
2664	scan documentss_doc.exe
2664	scan documentss_doc.exe
2664	scan documentss_doc.exe
2664	scan documentss_doc.exe
2664	scan documentss_doc.exe
2664	scan documentss_doc.exe
2504	nslookup.exe
2504	nslookup.exe
2504	nslookup.exe
2504	nslookup.exe
2504	nslookup.exe
2504	nslookup.exe
2504	nslookup.exe
2504	nslookup.exe
2504	nslookup.exe
2504	nslookup.exe
2504	nslookup.exe
2504	nslookup.exe
2504	nslookup.exe
2504	nslookup.exe
2504	nslookup.exe
2504	nslookup.exe
2504	nslookup.exe
2504	nslookup.exe
2504	nslookup.exe
2504	nslookup.exe
2504	nslookup.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2664	scan documentss_doc.exe
1240	Explorer.EXE
1240	Explorer.EXE
2504	nslookup.exe
2504	nslookup.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 2664	1720	scan documentss_doc.exe	28
PID 1720 wrote to memory of 2664	1720	scan documentss_doc.exe	28
PID 1720 wrote to memory of 2664	1720	scan documentss_doc.exe	28
PID 1720 wrote to memory of 2664	1720	scan documentss_doc.exe	28
PID 1720 wrote to memory of 2664	1720	scan documentss_doc.exe	28
PID 1720 wrote to memory of 2664	1720	scan documentss_doc.exe	28
PID 1720 wrote to memory of 2664	1720	scan documentss_doc.exe	28
PID 1240 wrote to memory of 2504	1240	Explorer.EXE	31
PID 1240 wrote to memory of 2504	1240	Explorer.EXE	31
PID 1240 wrote to memory of 2504	1240	Explorer.EXE	31
PID 1240 wrote to memory of 2504	1240	Explorer.EXE	31

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1240
- C:\Users\Admin\AppData\Local\Temp\scan documentss_doc.exe
  "C:\Users\Admin\AppData\Local\Temp\scan documentss_doc.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1720
- - C:\Users\Admin\AppData\Local\Temp\scan documentss_doc.exe
    "C:\Users\Admin\AppData\Local\Temp\scan documentss_doc.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:2664
- C:\Windows\SysWOW64\nslookup.exe
  "C:\Windows\SysWOW64\nslookup.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2504

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1240-18-0x0000000003B00000-0x0000000003D00000-memory.dmp

Filesize
2.0MB

Download
memory/1240-19-0x00000000088F0000-0x000000000A9E8000-memory.dmp

Filesize
33.0MB

Download
memory/1240-28-0x00000000088F0000-0x000000000A9E8000-memory.dmp

Filesize
33.0MB

Download
memory/1720-12-0x0000000074960000-0x000000007504E000-memory.dmp

Filesize
6.9MB

Download
memory/1720-1-0x0000000074960000-0x000000007504E000-memory.dmp

Filesize
6.9MB

Download
memory/1720-2-0x0000000004EB0000-0x0000000004EF0000-memory.dmp

Filesize
256KB

Download
memory/1720-3-0x0000000000540000-0x0000000000554000-memory.dmp

Filesize
80KB

Download
memory/1720-4-0x00000000006B0000-0x00000000006BA000-memory.dmp

Filesize
40KB

Download
memory/1720-5-0x0000000000780000-0x000000000078E000-memory.dmp

Filesize
56KB

Download
memory/1720-6-0x0000000004330000-0x00000000043B6000-memory.dmp

Filesize
536KB

Download
memory/1720-0-0x0000000000B30000-0x0000000000BEE000-memory.dmp

Filesize
760KB

Download
memory/2504-29-0x00000000000C0000-0x00000000000FC000-memory.dmp

Filesize
240KB

Download
memory/2504-25-0x00000000000C0000-0x00000000000FC000-memory.dmp

Filesize
240KB

Download
memory/2504-24-0x0000000002110000-0x0000000002413000-memory.dmp

Filesize
3.0MB

Download
memory/2504-26-0x0000000001DC0000-0x0000000001E5C000-memory.dmp

Filesize
624KB

Download
memory/2504-21-0x00000000000C0000-0x00000000000FC000-memory.dmp

Filesize
240KB

Download
memory/2504-30-0x0000000001DC0000-0x0000000001E5C000-memory.dmp

Filesize
624KB

Download
memory/2504-20-0x00000000000C0000-0x00000000000FC000-memory.dmp

Filesize
240KB

Download
memory/2664-15-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2664-17-0x00000000001A0000-0x00000000001BD000-memory.dmp

Filesize
116KB

Download
memory/2664-16-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2664-22-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2664-23-0x00000000001A0000-0x00000000001BD000-memory.dmp

Filesize
116KB

Download
memory/2664-14-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2664-13-0x0000000000BF0000-0x0000000000EF3000-memory.dmp

Filesize
3.0MB

Download
memory/2664-11-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2664-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2664-8-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2664-7-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing