a6788882a4b16055a1c75ba55c82bef853623bf6fc692a18784552b963e77d2e

Analysis

max time kernel
148s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
18-04-2024 01:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a6788882a4b16055a1c75ba55c82bef853623bf6fc692a18784552b963e77d2e.exe
Size

444KB
MD5

1e4d723b2447d43d9f4ebfd9fe9025a2
SHA1

5ff6bfdcbf1267c72e7cf30675eed151faf7ba0a
SHA256

a6788882a4b16055a1c75ba55c82bef853623bf6fc692a18784552b963e77d2e
SHA512

223a9ce11903622db60a523c858f15542abb68f3570f67cf60f75c2feaf5eace35dda6dec4d8bfd19aa4df1e2444a56994693371389e3e7607f36cd5b34ab2cc
SSDEEP

12288:MjopgNOAoHDhearix+dg6pUpFKW0yNqwEAEdzCDnleZF9W:oopaoH9earixM7MFHKie

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1708	5DF8.tmp

Loads dropped DLL 2 IoCs

pid	Process
1924	a6788882a4b16055a1c75ba55c82bef853623bf6fc692a18784552b963e77d2e.exe
1924	a6788882a4b16055a1c75ba55c82bef853623bf6fc692a18784552b963e77d2e.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEODBC.DLL	5DF8.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\FSTOCK.DLL	5DF8.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\IETAG.DLL	5DF8.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\BIN\FPSRVUTL.DLL	5DF8.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\BIBUtils.dll	5DF8.tmp
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dll	5DF8.tmp
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Onix32.dll	5DF8.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm.api	5DF8.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACECORE.DLL	5DF8.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\BIB.dll	5DF8.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	5DF8.tmp
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\WebKit.dll	5DF8.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\VBAJET32.DLL	5DF8.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CDLMSO.DLL	5DF8.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\EntityPicker.dll	5DF8.tmp
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\atl.dll	5DF8.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Accessibility.api	5DF8.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\OSETUP.DLL	5DF8.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ENVELOPE.DLL	5DF8.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\EScript.api	5DF8.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\hxds.dll	5DF8.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACETXT.DLL	5DF8.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXEV.DLL	5DF8.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\MSB1XTOR.DLL	5DF8.tmp
File opened for modification	C:\Program Files\7-Zip\7z.sfx	5DF8.tmp
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	5DF8.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEEXCL.DLL	5DF8.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEOLEDB.DLL	5DF8.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FREN\MSB1FREN.DLL	5DF8.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\DBGHELP.DLL	5DF8.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\ReadOutLoud.api	5DF8.tmp
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	5DF8.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	5DF8.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\EPSIMP32.FLT	5DF8.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACER3X.DLL	5DF8.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GKExcel.dll	5DF8.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\WindowsMedia.mpp	5DF8.tmp
File created	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroPDF.dll	5DF8.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACERCLR.DLL	5DF8.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\pidgenx.dll	5DF8.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	5DF8.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	5DF8.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\vstoee.dll	5DF8.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOMessageProvider.dll	5DF8.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\authplay.dll	5DF8.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annots.api	5DF8.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\MCIMPP.mpp	5DF8.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	5DF8.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\RICHED20.DLL	5DF8.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\USP10.DLL	5DF8.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\BIN\FPWEC.DLL	5DF8.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GRAPH.EXE	5DF8.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGM.dll	5DF8.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\weblink.api	5DF8.tmp
File opened for modification	C:\Program Files (x86)\Common Files\DESIGNER\MSADDNDR.DLL	5DF8.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	5DF8.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\msitss55.dll	5DF8.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll	5DF8.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\QuickTime.mpp	5DF8.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\PPKLite.api	5DF8.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEES.DLL	5DF8.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSO.DLL	5DF8.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\MOFL.DLL	5DF8.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	5DF8.tmp

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2160	1924	WerFault.exe	27

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1924 wrote to memory of 1708	1924	a6788882a4b16055a1c75ba55c82bef853623bf6fc692a18784552b963e77d2e.exe	29
PID 1924 wrote to memory of 1708	1924	a6788882a4b16055a1c75ba55c82bef853623bf6fc692a18784552b963e77d2e.exe	29
PID 1924 wrote to memory of 1708	1924	a6788882a4b16055a1c75ba55c82bef853623bf6fc692a18784552b963e77d2e.exe	29
PID 1924 wrote to memory of 1708	1924	a6788882a4b16055a1c75ba55c82bef853623bf6fc692a18784552b963e77d2e.exe	29
PID 1924 wrote to memory of 2160	1924	a6788882a4b16055a1c75ba55c82bef853623bf6fc692a18784552b963e77d2e.exe	28
PID 1924 wrote to memory of 2160	1924	a6788882a4b16055a1c75ba55c82bef853623bf6fc692a18784552b963e77d2e.exe	28
PID 1924 wrote to memory of 2160	1924	a6788882a4b16055a1c75ba55c82bef853623bf6fc692a18784552b963e77d2e.exe	28
PID 1924 wrote to memory of 2160	1924	a6788882a4b16055a1c75ba55c82bef853623bf6fc692a18784552b963e77d2e.exe	28

C:\Users\Admin\AppData\Local\Temp\a6788882a4b16055a1c75ba55c82bef853623bf6fc692a18784552b963e77d2e.exe
"C:\Users\Admin\AppData\Local\Temp\a6788882a4b16055a1c75ba55c82bef853623bf6fc692a18784552b963e77d2e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 200
  2⤵
  - Program crash
  PID:2160
- C:\Users\Admin\AppData\Local\Temp\5DF8.tmp
  C:\Users\Admin\AppData\Local\Temp\5DF8.tmp
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1708

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\5DF8.tmp

Filesize
145KB

MD5
c610e7ccd6859872c585b2a85d7dc992

SHA1
362b3d4b72e3add687c209c79b500b7c6a246d46

SHA256
14063fc61dc71b9881d75e93a587c27a6daf8779ff5255a24a042beace541041

SHA512
8570aad2ae8b5dcba00fc5ebf3dc0ea117e96cc88a83febd820c5811bf617a6431c1367b3eb88332f43f80b30ebe2c298c22dcc44860a075f7b41bf350236666

Download Submit
memory/1924-1-0x0000000000240000-0x000000000027E000-memory.dmp

Filesize
248KB

Download
memory/1924-3-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1924-2-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1924-5-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads