669813c7b004be6e4fbb29350c526cefa094da76e72bd9914ddd0e84ef03111e

General

Target

669813c7b004be6e4fbb29350c526cefa094da76e72bd9914ddd0e84ef03111e.exe
Size

1.4MB
MD5

8ecf2c490c81dfc195a95d51033f2e55
SHA1

555dcc02731ea5df031260a9f94141a6e8301b17
SHA256

669813c7b004be6e4fbb29350c526cefa094da76e72bd9914ddd0e84ef03111e
SHA512

8431bd38f923d05db9acbaa4b79ed88a5f5c625bf3df2380c072fad5aa7fbdc714ab08eccb46cda50b1da4117684a05a795bcc51d9629499f637b1a927a3595b
SSDEEP

24576:IqDEvCTbMWu7rQYlBQcBiT6rprG8aDSMUB220ZTSVspjHPYnczgFh8OhdQcK:ITvC/MTQYxsWR7aDSjB2hTSu5WLr8OvT

Score

7^/10

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

name.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs name.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs	name.exe

Executes dropped EXE 19 IoCs

Processes:

name.exename.exename.exename.exename.exename.exename.exename.exename.exename.exename.exename.exename.exename.exename.exename.exename.exename.exename.exe

pid	process
2508	name.exe
2724	name.exe
2360	name.exe
1044	name.exe
2824	name.exe
2464	name.exe
328	name.exe
344	name.exe
1636	name.exe
2244	name.exe
3044	name.exe
432	name.exe
2064	name.exe
2884	name.exe
1520	name.exe
2896	name.exe
1464	name.exe
2456	name.exe
2600	name.exe

Loads dropped DLL 1 IoCs

Processes:

669813c7b004be6e4fbb29350c526cefa094da76e72bd9914ddd0e84ef03111e.exe

pid process

1504 669813c7b004be6e4fbb29350c526cefa094da76e72bd9914ddd0e84ef03111e.exe

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\directory\name.exe	autoit_exe
C:\Users\Admin\AppData\Local\directory\name.exe	autoit_exe
C:\Users\Admin\AppData\Local\directory\name.exe	autoit_exe

Suspicious use of FindShellTrayWindow 43 IoCs

Processes:

669813c7b004be6e4fbb29350c526cefa094da76e72bd9914ddd0e84ef03111e.exename.exename.exename.exename.exename.exename.exename.exename.exename.exename.exename.exename.exename.exename.exename.exename.exename.exename.exename.exe

pid	process
1504	669813c7b004be6e4fbb29350c526cefa094da76e72bd9914ddd0e84ef03111e.exe
1504	669813c7b004be6e4fbb29350c526cefa094da76e72bd9914ddd0e84ef03111e.exe
2508	name.exe
2508	name.exe
2724	name.exe
2724	name.exe
2360	name.exe
2360	name.exe
1044	name.exe
1044	name.exe
2824	name.exe
2824	name.exe
2824	name.exe
2464	name.exe
2464	name.exe
2464	name.exe
328	name.exe
328	name.exe
344	name.exe
344	name.exe
344	name.exe
1636	name.exe
1636	name.exe
2244	name.exe
2244	name.exe
3044	name.exe
3044	name.exe
432	name.exe
432	name.exe
2064	name.exe
2064	name.exe
2884	name.exe
2884	name.exe
1520	name.exe
1520	name.exe
2896	name.exe
2896	name.exe
1464	name.exe
1464	name.exe
2456	name.exe
2456	name.exe
2600	name.exe
2600	name.exe

Suspicious use of SendNotifyMessage 43 IoCs

Processes:

669813c7b004be6e4fbb29350c526cefa094da76e72bd9914ddd0e84ef03111e.exename.exename.exename.exename.exename.exename.exename.exename.exename.exename.exename.exename.exename.exename.exename.exename.exename.exename.exename.exe

pid	process
1504	669813c7b004be6e4fbb29350c526cefa094da76e72bd9914ddd0e84ef03111e.exe
1504	669813c7b004be6e4fbb29350c526cefa094da76e72bd9914ddd0e84ef03111e.exe
2508	name.exe
2508	name.exe
2724	name.exe
2724	name.exe
2360	name.exe
2360	name.exe
1044	name.exe
1044	name.exe
2824	name.exe
2824	name.exe
2824	name.exe
2464	name.exe
2464	name.exe
2464	name.exe
328	name.exe
328	name.exe
344	name.exe
344	name.exe
344	name.exe
1636	name.exe
1636	name.exe
2244	name.exe
2244	name.exe
3044	name.exe
3044	name.exe
432	name.exe
432	name.exe
2064	name.exe
2064	name.exe
2884	name.exe
2884	name.exe
1520	name.exe
1520	name.exe
2896	name.exe
2896	name.exe
1464	name.exe
1464	name.exe
2456	name.exe
2456	name.exe
2600	name.exe
2600	name.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

669813c7b004be6e4fbb29350c526cefa094da76e72bd9914ddd0e84ef03111e.exename.exename.exename.exename.exename.exename.exename.exename.exename.exename.exename.exename.exename.exename.exename.exe

description	pid	process	target process
PID 1504 wrote to memory of 2508	1504	669813c7b004be6e4fbb29350c526cefa094da76e72bd9914ddd0e84ef03111e.exe	name.exe
PID 1504 wrote to memory of 2508	1504	669813c7b004be6e4fbb29350c526cefa094da76e72bd9914ddd0e84ef03111e.exe	name.exe
PID 1504 wrote to memory of 2508	1504	669813c7b004be6e4fbb29350c526cefa094da76e72bd9914ddd0e84ef03111e.exe	name.exe
PID 1504 wrote to memory of 2508	1504	669813c7b004be6e4fbb29350c526cefa094da76e72bd9914ddd0e84ef03111e.exe	name.exe
PID 2508 wrote to memory of 2724	2508	name.exe	name.exe
PID 2508 wrote to memory of 2724	2508	name.exe	name.exe
PID 2508 wrote to memory of 2724	2508	name.exe	name.exe
PID 2508 wrote to memory of 2724	2508	name.exe	name.exe
PID 2724 wrote to memory of 2360	2724	name.exe	name.exe
PID 2724 wrote to memory of 2360	2724	name.exe	name.exe
PID 2724 wrote to memory of 2360	2724	name.exe	name.exe
PID 2724 wrote to memory of 2360	2724	name.exe	name.exe
PID 2360 wrote to memory of 1044	2360	name.exe	name.exe
PID 2360 wrote to memory of 1044	2360	name.exe	name.exe
PID 2360 wrote to memory of 1044	2360	name.exe	name.exe
PID 2360 wrote to memory of 1044	2360	name.exe	name.exe
PID 1044 wrote to memory of 2824	1044	name.exe	name.exe
PID 1044 wrote to memory of 2824	1044	name.exe	name.exe
PID 1044 wrote to memory of 2824	1044	name.exe	name.exe
PID 1044 wrote to memory of 2824	1044	name.exe	name.exe
PID 2824 wrote to memory of 2464	2824	name.exe	name.exe
PID 2824 wrote to memory of 2464	2824	name.exe	name.exe
PID 2824 wrote to memory of 2464	2824	name.exe	name.exe
PID 2824 wrote to memory of 2464	2824	name.exe	name.exe
PID 2464 wrote to memory of 328	2464	name.exe	name.exe
PID 2464 wrote to memory of 328	2464	name.exe	name.exe
PID 2464 wrote to memory of 328	2464	name.exe	name.exe
PID 2464 wrote to memory of 328	2464	name.exe	name.exe
PID 328 wrote to memory of 344	328	name.exe	name.exe
PID 328 wrote to memory of 344	328	name.exe	name.exe
PID 328 wrote to memory of 344	328	name.exe	name.exe
PID 328 wrote to memory of 344	328	name.exe	name.exe
PID 344 wrote to memory of 1636	344	name.exe	name.exe
PID 344 wrote to memory of 1636	344	name.exe	name.exe
PID 344 wrote to memory of 1636	344	name.exe	name.exe
PID 344 wrote to memory of 1636	344	name.exe	name.exe
PID 1636 wrote to memory of 2244	1636	name.exe	name.exe
PID 1636 wrote to memory of 2244	1636	name.exe	name.exe
PID 1636 wrote to memory of 2244	1636	name.exe	name.exe
PID 1636 wrote to memory of 2244	1636	name.exe	name.exe
PID 2244 wrote to memory of 3044	2244	name.exe	name.exe
PID 2244 wrote to memory of 3044	2244	name.exe	name.exe
PID 2244 wrote to memory of 3044	2244	name.exe	name.exe
PID 2244 wrote to memory of 3044	2244	name.exe	name.exe
PID 3044 wrote to memory of 432	3044	name.exe	name.exe
PID 3044 wrote to memory of 432	3044	name.exe	name.exe
PID 3044 wrote to memory of 432	3044	name.exe	name.exe
PID 3044 wrote to memory of 432	3044	name.exe	name.exe
PID 432 wrote to memory of 2064	432	name.exe	name.exe
PID 432 wrote to memory of 2064	432	name.exe	name.exe
PID 432 wrote to memory of 2064	432	name.exe	name.exe
PID 432 wrote to memory of 2064	432	name.exe	name.exe
PID 2064 wrote to memory of 2884	2064	name.exe	name.exe
PID 2064 wrote to memory of 2884	2064	name.exe	name.exe
PID 2064 wrote to memory of 2884	2064	name.exe	name.exe
PID 2064 wrote to memory of 2884	2064	name.exe	name.exe
PID 2884 wrote to memory of 1520	2884	name.exe	name.exe
PID 2884 wrote to memory of 1520	2884	name.exe	name.exe
PID 2884 wrote to memory of 1520	2884	name.exe	name.exe
PID 2884 wrote to memory of 1520	2884	name.exe	name.exe
PID 1520 wrote to memory of 2896	1520	name.exe	name.exe
PID 1520 wrote to memory of 2896	1520	name.exe	name.exe
PID 1520 wrote to memory of 2896	1520	name.exe	name.exe
PID 1520 wrote to memory of 2896	1520	name.exe	name.exe

C:\Users\Admin\AppData\Local\Temp\669813c7b004be6e4fbb29350c526cefa094da76e72bd9914ddd0e84ef03111e.exe
"C:\Users\Admin\AppData\Local\Temp\669813c7b004be6e4fbb29350c526cefa094da76e72bd9914ddd0e84ef03111e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1504

C:\Users\Admin\AppData\Local\directory\name.exe
"C:\Users\Admin\AppData\Local\Temp\669813c7b004be6e4fbb29350c526cefa094da76e72bd9914ddd0e84ef03111e.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2508

C:\Users\Admin\AppData\Local\directory\name.exe
"C:\Users\Admin\AppData\Local\directory\name.exe"
3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2724

C:\Users\Admin\AppData\Local\directory\name.exe
"C:\Users\Admin\AppData\Local\directory\name.exe"
4⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2360

C:\Users\Admin\AppData\Local\directory\name.exe
"C:\Users\Admin\AppData\Local\directory\name.exe"
5⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1044

C:\Users\Admin\AppData\Local\directory\name.exe
"C:\Users\Admin\AppData\Local\directory\name.exe"
6⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2824

C:\Users\Admin\AppData\Local\directory\name.exe
"C:\Users\Admin\AppData\Local\directory\name.exe"
7⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2464

C:\Users\Admin\AppData\Local\directory\name.exe
"C:\Users\Admin\AppData\Local\directory\name.exe"
8⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:328

C:\Users\Admin\AppData\Local\directory\name.exe
"C:\Users\Admin\AppData\Local\directory\name.exe"
9⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:344

C:\Users\Admin\AppData\Local\directory\name.exe
"C:\Users\Admin\AppData\Local\directory\name.exe"
10⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1636

C:\Users\Admin\AppData\Local\directory\name.exe
"C:\Users\Admin\AppData\Local\directory\name.exe"
11⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2244

C:\Users\Admin\AppData\Local\directory\name.exe
"C:\Users\Admin\AppData\Local\directory\name.exe"
12⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3044

C:\Users\Admin\AppData\Local\directory\name.exe
"C:\Users\Admin\AppData\Local\directory\name.exe"
13⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:432

C:\Users\Admin\AppData\Local\directory\name.exe
"C:\Users\Admin\AppData\Local\directory\name.exe"
14⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2064

C:\Users\Admin\AppData\Local\directory\name.exe
"C:\Users\Admin\AppData\Local\directory\name.exe"
15⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2884

C:\Users\Admin\AppData\Local\directory\name.exe
"C:\Users\Admin\AppData\Local\directory\name.exe"
16⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1520

C:\Users\Admin\AppData\Local\directory\name.exe
"C:\Users\Admin\AppData\Local\directory\name.exe"
17⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2896

C:\Users\Admin\AppData\Local\directory\name.exe
"C:\Users\Admin\AppData\Local\directory\name.exe"
18⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1464

C:\Users\Admin\AppData\Local\directory\name.exe
"C:\Users\Admin\AppData\Local\directory\name.exe"
19⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2456

C:\Users\Admin\AppData\Local\directory\name.exe
"C:\Users\Admin\AppData\Local\directory\name.exe"
20⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2600

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ageless

Filesize
29KB

MD5
ffa2e5ab3b36f5f9ae74cff2a038c1d4

SHA1
8ed7f9cf5089d8361dac06205f5d4567dd8006f9

SHA256
afb5de202275b56fd3f692015b0ce44536db0db7659d392f9dc94d58da87c8f7

SHA512
4775cfe9550daa79fae22c204b118bffc293059110250456b69b6539594d0d3dbe7dedec6cc53aea1890d88340489a993312f0d887453d3702f8a12c7cbb2492

Download Submit
C:\Users\Admin\AppData\Local\Temp\autC9A5.tmp

Filesize
413KB

MD5
949169beca0db71049f399b967f83788

SHA1
44521a34b25e346477e11b9a3e9263fc155d26d1

SHA256
91242813006c5d4b13829eb58c0fafbd8db223f4e08c2b776a7913e81430d7de

SHA512
1439b96ba9a3641d9bc7c468d696c4ad3b216966bfba099a47ab67f78f0587b55628040afb62fb73b2c2fdccb443c4fb429d02f35c945069a2e348e4500170ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\autC9E5.tmp

Filesize
9KB

MD5
c800930f609777b6a62bdfb4e0f6d13c

SHA1
25a5607ea6e7a54390ed56f9132c875f8f03a072

SHA256
7c548d6f2a8da0f0f6f446e3e50b2ee13b797a52322a5f2c603d5e1868655d02

SHA512
038b8820b95566a9e141f80e6cacfad70926b4e325c68ad0fef65f5fcd8d315421fb04465a4066dfc4f529a350c0cdb4f6a91c9fff6e28531ca2036875b4eaa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\scroll

Filesize
482KB

MD5
d0d973e17f4f9faff0bd11e10be35a45

SHA1
8f6f95ff9d4d5ec970e1ce58902122bd682d8828

SHA256
bc16cad3c5fcd0da9deb63a3ac44b660c6a979b1be970d526feff7cdae679f52

SHA512
2e34d179a064b44043350b80a44601a5732d5ee79b201ab517af64bd806a535550288f2d13c2e961e4ca58ef63a0009a5073233619f3e912e3643434e0520367

Download Submit
C:\Users\Admin\AppData\Local\Temp\scroll

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\directory\name.exe

Filesize
103.6MB

MD5
812b509162fd0cfa8639c0ec616c89cb

SHA1
47402066529ec1ba780f0d35c87bfa06349f04d7

SHA256
aad19d6fd19dffbf4eb34191ee1583d335e1ae2b870f45d81c2c2699234c2bf9

SHA512
15736c7bc6cf91c816fc4e06ad7392ca9e9fd16c45014b7911eb3f39bac2b3871420967041b77cf92a21230c7605fdef606eb5deccd0a740288d4bddc8593d16

Download Submit
C:\Users\Admin\AppData\Local\directory\name.exe

Filesize
64.0MB

MD5
c402cad57929e243c3e28c1ade94a387

SHA1
7a1f9436c6dbd1c796faf22b0a69656331f95310

SHA256
5c4e73229b88de07402afe5912a917d9210f5430c685385e07e3f96f3897c367

SHA512
629ceb31a120701360b1c036663accd366b5f06f1152694465dd954dde7f09ab5adf3243d1ee28e02d8684447153a17350bf284669c73df04daf24595b73ccef

Download Submit
\Users\Admin\AppData\Local\directory\name.exe

Filesize
105.4MB

MD5
0056f9f571a6d4505e4656120e52bb91

SHA1
535ec115c8cb2c6d4df4fd559aea28d5db2c3786

SHA256
9cde38faf842c3c313144020889056f582c4236bcd0de2fbc1fec6d406a78abd

SHA512
0a9d0112fa779ce00b2b66812c982f2afc6718486db94b4aa5698193b6e8a8616d0b34a471a449121eddb88f98c425b7636392bb6c24acdf5570d8edac2d03dd

Download Submit
memory/1504-10-0x0000000000260000-0x0000000000264000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads