a0cfae4f558c1cba3d3240db7c1e77f0dd1752800b07d33433ecfe8473e5657d

General

Target

a0cfae4f558c1cba3d3240db7c1e77f0dd1752800b07d33433ecfe8473e5657d.exe
Size

1.2MB
MD5

46f833cf3228b0e914e93ff760184c87
SHA1

f4af24210a0f6ed242dc59881cc53d097efae774
SHA256

a0cfae4f558c1cba3d3240db7c1e77f0dd1752800b07d33433ecfe8473e5657d
SHA512

f8e21dac7ea6180979c205a050e46d91ed4ebf96b564f0261c91fa46cb41a637733aad3fee3af0864192d3f6e2c531a4f86ee246fbf6cae5e42afac37df6a722
SSDEEP

24576:gqDEvCTbMWu7rQYlBQcBiT6rprG8acxgklKJVhKZNQFc++83nl:gTvC/MTQYxsWR7ac9lKVhK7QFT

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2892 set thread context of 3012	2892	a0cfae4f558c1cba3d3240db7c1e77f0dd1752800b07d33433ecfe8473e5657d.exe	28
PID 3012 set thread context of 1244	3012	svchost.exe	21
PID 3012 set thread context of 3016	3012	svchost.exe	29
PID 3016 set thread context of 1244	3016	dvdplay.exe	21

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
3012	svchost.exe
3012	svchost.exe
3012	svchost.exe
3012	svchost.exe
3012	svchost.exe
3012	svchost.exe
3012	svchost.exe
3012	svchost.exe
3016	dvdplay.exe
3016	dvdplay.exe
3016	dvdplay.exe
3016	dvdplay.exe
3016	dvdplay.exe
3016	dvdplay.exe
3016	dvdplay.exe
3016	dvdplay.exe
3016	dvdplay.exe
3016	dvdplay.exe
3016	dvdplay.exe
3016	dvdplay.exe
3016	dvdplay.exe
3016	dvdplay.exe
3016	dvdplay.exe
3016	dvdplay.exe
3016	dvdplay.exe
3016	dvdplay.exe
3016	dvdplay.exe
3016	dvdplay.exe
3016	dvdplay.exe
3016	dvdplay.exe
3016	dvdplay.exe
3016	dvdplay.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
2892	a0cfae4f558c1cba3d3240db7c1e77f0dd1752800b07d33433ecfe8473e5657d.exe
3012	svchost.exe
1244	Explorer.EXE
1244	Explorer.EXE
3016	dvdplay.exe
3016	dvdplay.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2892	a0cfae4f558c1cba3d3240db7c1e77f0dd1752800b07d33433ecfe8473e5657d.exe
2892	a0cfae4f558c1cba3d3240db7c1e77f0dd1752800b07d33433ecfe8473e5657d.exe
1244	Explorer.EXE
1244	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2892	a0cfae4f558c1cba3d3240db7c1e77f0dd1752800b07d33433ecfe8473e5657d.exe
2892	a0cfae4f558c1cba3d3240db7c1e77f0dd1752800b07d33433ecfe8473e5657d.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2892 wrote to memory of 3012	2892	a0cfae4f558c1cba3d3240db7c1e77f0dd1752800b07d33433ecfe8473e5657d.exe	28
PID 2892 wrote to memory of 3012	2892	a0cfae4f558c1cba3d3240db7c1e77f0dd1752800b07d33433ecfe8473e5657d.exe	28
PID 2892 wrote to memory of 3012	2892	a0cfae4f558c1cba3d3240db7c1e77f0dd1752800b07d33433ecfe8473e5657d.exe	28
PID 2892 wrote to memory of 3012	2892	a0cfae4f558c1cba3d3240db7c1e77f0dd1752800b07d33433ecfe8473e5657d.exe	28
PID 2892 wrote to memory of 3012	2892	a0cfae4f558c1cba3d3240db7c1e77f0dd1752800b07d33433ecfe8473e5657d.exe	28
PID 1244 wrote to memory of 3016	1244	Explorer.EXE	29
PID 1244 wrote to memory of 3016	1244	Explorer.EXE	29
PID 1244 wrote to memory of 3016	1244	Explorer.EXE	29
PID 1244 wrote to memory of 3016	1244	Explorer.EXE	29

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1244
- C:\Users\Admin\AppData\Local\Temp\a0cfae4f558c1cba3d3240db7c1e77f0dd1752800b07d33433ecfe8473e5657d.exe
  "C:\Users\Admin\AppData\Local\Temp\a0cfae4f558c1cba3d3240db7c1e77f0dd1752800b07d33433ecfe8473e5657d.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\a0cfae4f558c1cba3d3240db7c1e77f0dd1752800b07d33433ecfe8473e5657d.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:3012
- C:\Windows\SysWOW64\dvdplay.exe
  "C:\Windows\SysWOW64\dvdplay.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:3016

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Allene

Filesize
252KB

MD5
39d849f136ca94b0ac8daf20dc216cb8

SHA1
806f776a318555ce778ac215a364f1e3c2bb8d13

SHA256
8d8fbc4a9e769fde9f1696e88c8ca8f320ccfb10c30b1745357b07cba2cd2d3f

SHA512
31492455186b5b4082a60021468edb56f953b4c7d276d398ddc9fc29927c9cf173bb7a6fef7eee9351fff4b3915c7c855f302e0be5c9621244e24bfd00c60c7b

Download Submit
memory/1244-26-0x0000000008C50000-0x000000000B7FC000-memory.dmp

Filesize
43.7MB

Download
memory/1244-18-0x0000000008C50000-0x000000000B7FC000-memory.dmp

Filesize
43.7MB

Download
memory/2892-11-0x0000000000120000-0x0000000000124000-memory.dmp

Filesize
16KB

Download
memory/3012-14-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3012-21-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3012-17-0x0000000000210000-0x0000000000233000-memory.dmp

Filesize
140KB

Download
memory/3012-16-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3012-13-0x00000000008B0000-0x0000000000BB3000-memory.dmp

Filesize
3.0MB

Download
memory/3012-12-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3012-22-0x0000000000210000-0x0000000000233000-memory.dmp

Filesize
140KB

Download
memory/3012-15-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3016-20-0x0000000000080000-0x00000000000BC000-memory.dmp

Filesize
240KB

Download
memory/3016-23-0x0000000000810000-0x0000000000B13000-memory.dmp

Filesize
3.0MB

Download
memory/3016-24-0x0000000000080000-0x00000000000BC000-memory.dmp

Filesize
240KB

Download
memory/3016-25-0x0000000000520000-0x00000000005C2000-memory.dmp

Filesize
648KB

Download
memory/3016-19-0x0000000000080000-0x00000000000BC000-memory.dmp

Filesize
240KB

Download
memory/3016-27-0x0000000000080000-0x00000000000BC000-memory.dmp

Filesize
240KB

Download
memory/3016-28-0x0000000000520000-0x00000000005C2000-memory.dmp

Filesize
648KB

Download

Analysis

Sharing