Analysis Overview
SHA256
7b6e4e165649e15323e01bb38124e14899e720ca7d2cf743a4ee166199c3fa79
Threat Level: Shows suspicious behavior
The file MsgDiyer.exe was scored as showing suspicious behavior; no malicious verdict and no malware-family classification was assigned. Every signature that fired is a generic heuristic: the "Drops file in Windows directory" hits are all .fot font-resource stubs under C:\Windows\Fonts (the file type CreateScalableFontResource writes), the only child processes are cmd.exe running the dropped jieya.cmd and cpio.exe -i (a cpio extract) over the dropped MsgMTemp contents, and no network traffic is attributed to the sample in either run. Read the verdict as a prompt to inspect the MsgMTemp drop and the packed, unsigned parent, not as a malware determination.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
ASPack v2.12-2.42
Drops file in Windows directory
Unsigned PE
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-05-10 12:50
Signatures
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
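The two static1 signatures, ASPack v2.12-2.42 and Unsigned PE, summarise header facts you can re-check yourself before trusting a sandbox matcher. The following is an added example and not part of the report or the sandbox's own detection logic: a stdlib-only PE header reader that flags ASPack-style section names (.aspack and .adata, a heuristic; the sandbox matches on its own byte patterns), the packed-layout tell of a first section with zero raw size, and whether the Authenticode security data directory is populated. It ships with a constructed skeletal PE builder for self-test and does not parse MsgDiyer.exe itself. A populated security directory only means a certificate blob is attached; validate the chain with `signtool verify /pa` or `Get-AuthenticodeSignature` before calling a file signed.

```python
"""Stdlib-only PE header check for the two static1 signatures: ASPack-style
sections and absence of an Authenticode security directory (added example;
the skeletal PE builder below is constructed test input, not MsgDiyer.exe)."""
import struct

SECURITY_DIR = 4                         # IMAGE_DIRECTORY_ENTRY_SECURITY
ASPACK_SECTIONS = {".aspack", ".adata"}  # section names ASPack appends (heuristic)


def parse_pe(data):
    """Return section (name, virtual_size, raw_size) tuples and whether the
    security data directory is populated. No signature validation is done."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _ts, _sym, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32: data directories start 96 bytes into the optional header
        dirs_off = opt + 96
    elif magic == 0x20B:      # PE32+: 112 bytes in
        dirs_off = opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    ndirs = struct.unpack_from("<I", data, dirs_off - 4)[0]
    sec_size = 0
    if ndirs > SECURITY_DIR:
        # For this directory the first field is a file offset, not an RVA.
        _sec_off, sec_size = struct.unpack_from("<II", data, dirs_off + 8 * SECURITY_DIR)
    sections = []
    hdr = opt + opt_size
    for i in range(nsections):
        base = hdr + 40 * i
        name = data[base:base + 8].rstrip(b"\0").decode("latin-1")
        vsize, _vaddr, rawsize, _rawptr = struct.unpack_from("<IIII", data, base + 8)
        sections.append((name, vsize, rawsize))
    return {"sections": sections, "has_security_dir": sec_size > 0}


def assess(data):
    pe = parse_pe(data)
    names = {name.lower() for name, _, _ in pe["sections"]}
    first = pe["sections"][0] if pe["sections"] else None
    return {
        "aspack_sections": bool(ASPACK_SECTIONS & names),
        # Packers commonly leave the original code section with no raw bytes
        # on disk and a large virtual size that is filled in at runtime.
        "packed_layout": bool(first and first[2] == 0 and first[1] > 0),
        "has_security_dir": pe["has_security_dir"],
    }


def build_minimal_pe(section_names, signed=False, packed_first=True):
    """Construct a PE32 header skeleton for self-test (not a loadable image)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)           # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 224, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)  # NumberOfRvaAndSizes = 16
    dirs = [(0, 0)] * 16
    if signed:
        dirs[SECURITY_DIR] = (0x1000, 0x200)  # pretend a WIN_CERTIFICATE blob sits at file offset 0x1000
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    secs = b""
    for i, name in enumerate(section_names):
        vsize, rawsize = (0x5FD000, 0) if (i == 0 and packed_first) else (0x1000, 0x1000)
        secs += name.encode().ljust(8, b"\0") + struct.pack("<IIII", vsize, 0x1000 * (i + 1), rawsize, 0x400) + b"\0" * 16
    return dos + coff + opt + secs


if __name__ == "__main__":
    print(assess(build_minimal_pe([".text", ".aspack", ".adata"])))
```

Run `assess(open("sample.exe", "rb").read())` against a real file; all three flags true together is the profile the static1 signatures describe, but only the section-name check is specific to ASPack, and a renamed section defeats it.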
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-10 12:50
Reported
2024-05-10 12:53
Platform
win7-20240221-en
Max time kernel
140s
Max time network
123s
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MsgMTemp\cpio.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| 2 load events | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| 2 load events | N/A | C:\Users\Admin\AppData\Local\Temp\MsgMTemp\cpio.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Fonts\calibrib.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\CURLZ___.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\kalinga.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\SHOWG.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\arial.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\OLDENGL.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\LTYPEB.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\angsaz.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\GLSNECB.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\RAVIE.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\segoeprb.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\constanb.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\msgothic.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\plantc.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\upckbi.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\ARIALN.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\PAPYRUS.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\ITCBLKAD.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\mriam.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\tungab.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\upcji.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\BRUSHSCI.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\calibri.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\GILB____.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\HARNGTON.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\BELLI.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\SCRIPTBL.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\trebucbi.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\upcibi.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\BOD_I.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\CHILLER.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\MAIAN.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\Vanib.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\corbelb.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\gisha.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\iskpota.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\ROCKBI.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\simhei.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\verdana.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\aparaj.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\BOD_B.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\browaub.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\mingliu.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\cambria.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\courbi.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\FRADMIT.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\GLECB.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\ONYX.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\WINGDNG2.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\framdit.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\angsau.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\ANTQUAB.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\simsunb.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\MTCORSVA.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\upcil.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\BSSYM7.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\comic.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\GIGI.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\LTYPE.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\BAUHS93.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\estre.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\PERB____.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\webdings.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\AGENCYR.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2172 wrote to memory of 2620 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2620 wrote to memory of 2536 (4 events) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\MsgMTemp\cpio.exe |
Processes (PIDs from the WriteProcessMemory rows; each write target is the child the writer launched)
[2172] C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe
       "C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe"
  [2620] C:\Windows\SysWOW64\cmd.exe
         cmd /c jieya.cmd
    [2536] C:\Users\Admin\AppData\Local\Temp\MsgMTemp\cpio.exe
           cpio.exe -i
Network
No network traffic was recorded in this run.
Files
memory/2172-0-0x0000000000400000-0x00000000009FD000-memory.dmp
memory/2172-1-0x0000000000230000-0x0000000000231000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MsgMTemp\jieya.cmd
| MD5 | bf80c4e2a7662ca4790e5eb2b94deb63 |
| SHA1 | 7f4034ca5069a398b1fecc20076d20227629aa77 |
| SHA256 | af18207cb457354b44fa00be373e7a4506e34f1d777be842d75f72f769108a55 |
| SHA512 | f6dda989804faf8f5362ca55a3080a724a2ad6aa586cf820bd86ad2975e84d07fe9b56e0f41404aebf377db8770eb665a289e4884e5445ac6c567666e15275d8 |
C:\Users\Admin\AppData\Local\Temp\MsgMTemp\msg
| MD5 | 968c337d23ea50d0f052438a6f0551ad |
| SHA1 | c9e7472dd013cb5b059566bd8c49a0459dbd977a |
| SHA256 | 44e48f412fc1b7bb31786f3680cddbf98f5b22603bfb4a32918ba83f21db28b8 |
| SHA512 | a770b3d3b3cf724aa3f3bb59b0f8c7cf19dfed8d05fc1089733fe1626ec69c931e0849d96097437625a3965278c8c60a2421ce860348c38409d8eac8ca30d983 |
C:\Users\Admin\AppData\Local\Temp\MsgMTemp\cpio.exe
| MD5 | bf4826e42d3f7a0f663178d97b2bd923 |
| SHA1 | fc8db6821d8400efdcabb58a89f17413c1d0c986 |
| SHA256 | 34b18b2cdd21efbf6954fa0f9042d2967fdc22b2cbaa8a72b5a0e2cb2123b922 |
| SHA512 | 8615e8af72e0762983d623c727e94712ba237b942a24f7811c741d9feb94ed035e95d23252e3aad771578a92fe0725c044411ea49ae7c81843efdc6959b93e18 |
C:\Users\Admin\AppData\Local\Temp\MsgMTemp\libintl3.dll
| MD5 | d202baa425176287017ffe1fb5d1b77c |
| SHA1 | 192e597d8ff0192f6c4e4643361f84277ed51121 |
| SHA256 | f48ce1866602b114e653c876334b771107559acf1c685373d2305034613958f0 |
| SHA512 | 706d74c56ce8d08539c729bdb6c8d57c9a4b0a1c795b8574a1bb2c452358e1bfd5d4fca5a00ab7568dea4ae02c553ce6ab199b3c6418a44cb8915f7e26bd2988 |
C:\Users\Admin\AppData\Local\Temp\MsgMTemp\libiconv2.dll
| MD5 | b6a9e9e63a6cbfc6a593493c943938cb |
| SHA1 | 8145e25be5d15ef3105073265ee05f04d836cd82 |
| SHA256 | 72d73c3238e92208269b9d401b4598987116ea4fcafd91e249b3b9b558d022ff |
| SHA512 | 7a7f49811a1e0cbe0060a7334898ca6cfb9cc63f3c76af64445d178d46fad18db6fad024a84f284a2ee2170aa2d38fd79d925d1cc25592a77eeee9aec15567e5 |
memory/2536-53-0x0000000060E40000-0x0000000060E5D000-memory.dmp
memory/2536-52-0x0000000000400000-0x000000000042C000-memory.dmp
memory/2536-54-0x0000000068080000-0x0000000068174000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MsgMTemp\16x16.fnt
| MD5 | 8f64119f1795aef752fa9456946159e7 |
| SHA1 | eac57164e63db3838c79362fe7f548f166048e2d |
| SHA256 | 89fa6c39de2e6b79c1a182e7f87529a6583a05fd032bbb46f85070f6ce19afde |
| SHA512 | bdb1f07c9d2a9fcafde463095386a53ccdfdaf05fb8166e7628be8f569aa57b686c314edac231714678749d3ffaf18982ec437c6f36492bf92629f3ffc259d7c |
C:\Users\Admin\AppData\Local\Temp\MsgMTemp\gfxboot.cfg
| MD5 | f4b957cf633b256498cf476be34a6fa0 |
| SHA1 | 7fa4bf5d3267216974b063ea9306ce6da730adc8 |
| SHA256 | 95a408d57193b1ff25726060c7a1c1bdb0e5fbbbbd43a53d9460a2215d261532 |
| SHA512 | 9885f2d6161b0f395bfad1fe66ce493956a599120395c09207574ac1cd599b3dfbd2a1087169cc4c237e28ddd1fdbcb035b5a04c85c47290523fed2a88b4fe2a |
C:\Users\Admin\AppData\Local\Temp\MsgMTemp\back.jpg
| MD5 | 668884fb8d4f5e33e7940a8cfb6ea853 |
| SHA1 | a92d4446f84c9a09af2f12cf2e6c1cb9abc8f1bc |
| SHA256 | bef03bd75cfd3e7a9eda6e48acfd61a43f70d77a61c392ad0690d1b769e0d369 |
| SHA512 | a08d0a0e94dc7e7f4859bd6dbe1544ae984ddf477bf77a60ab9417c1f6ddb7051ceaa0594faa4bfdf69e90a5cb2a75d023440ba1fb9d9688c47efb9bf3962fd9 |
memory/2172-1332-0x0000000000400000-0x00000000009FD000-memory.dmp
memory/2172-1334-0x0000000000230000-0x0000000000231000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-10 12:50
Reported
2024-05-10 12:53
Platform
win10v2004-20240508-en
Max time kernel
141s
Max time network
99s
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MsgMTemp\cpio.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| 2 load events | N/A | C:\Users\Admin\AppData\Local\Temp\MsgMTemp\cpio.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Fonts\PAPYRUS.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\WINGDNG2.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\msgothic.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\msjhl.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\MTEXTRA.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\mvboli.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\palabi.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\mingliub.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\segoesc.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\ARIALNB.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\courbd.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\gadugib.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\GOTHICB.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\micross.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\Gabriola.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\msyh.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\verdanai.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\ARIALNBI.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\Candara.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\Candarab.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\Candaraz.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\couri.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\YuGothL.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\consola.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\constani.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\corbelli.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\courbi.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\DUBAI-MEDIUM.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\segoescb.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\WINGDNG3.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\ariblk.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\Candaral.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\georgiai.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\LEELAWAD.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\malgunbd.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\ARIALN.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\calibriz.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\georgiaz.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\GOTHIC.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\seguihis.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\seguisbi.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\trebucbi.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\calibrii.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\DUBAI-BOLD.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\gadugi.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\GARA.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\pala.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\verdanab.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\seguisym.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\trebucit.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\BKANT.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\BSSYM7.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\comic.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\consolaz.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\seguisli.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\YuGothM.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\calibrib.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\constanz.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\MISTRAL.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\phagspa.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\Sitka.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\constan.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\corbell.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
| File created | C:\Windows\Fonts\LeelUIsl.fot | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1788 wrote to memory of 1212 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1212 wrote to memory of 1584 (3 events) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\MsgMTemp\cpio.exe |
Processes (PIDs from the WriteProcessMemory rows; each write target is the child the writer launched)
[1788] C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe
       "C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe"
  [1212] C:\Windows\SysWOW64\cmd.exe
         C:\Windows\system32\cmd.exe /c jieya.cmd
    [1584] C:\Users\Admin\AppData\Local\Temp\MsgMTemp\cpio.exe
           cpio.exe -i
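Both runs show the same three-process chain: the sample in %TEMP% spawns cmd.exe to run the dropped jieya.cmd, which spawns the dropped cpio.exe. The "Suspicious use of WriteProcessMemory" rows are what give the PIDs: each write target is the child the writer had just created, so on this report the rows double as parent/child edges. The following is an added example, not part of the report or the sandbox: it rebuilds the tree from those PID pairs for behavioral1 and behavioral2 (events transcribed from the tables above) and applies the lineage check a detection engineer would write for this pattern, a user-writable %TEMP% binary spawning cmd.exe which spawns another %TEMP% binary. The "first writer is the parent" assumption holds here but would misdraw a genuine injection into an already-running, unrelated process as a child; cross-check against process-creation events before reusing it on other samples.

```python
"""Rebuild the sandbox process tree from the report's PID rows and apply a
lineage check (added example; event data transcribed from the tables above)."""
import re

# Image path and command line per PID, from the Processes lists. PIDs come
# from the "PID X wrote to memory of Y" rows, whose Process/Target columns
# name the same three images.
PROCS_B1 = {
    2172: (r"C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe", r'"C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe"'),
    2620: (r"C:\Windows\SysWOW64\cmd.exe", "cmd /c jieya.cmd"),
    2536: (r"C:\Users\Admin\AppData\Local\Temp\MsgMTemp\cpio.exe", "cpio.exe -i"),
}
PROCS_B2 = {
    1788: (r"C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe", r'"C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe"'),
    1212: (r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\system32\cmd.exe /c jieya.cmd"),
    1584: (r"C:\Users\Admin\AppData\Local\Temp\MsgMTemp\cpio.exe", "cpio.exe -i"),
}
# (writer PID, target PID) pairs; the report repeats each pair several times.
WPM_B1 = [(2172, 2620)] * 4 + [(2620, 2536)] * 4
WPM_B2 = [(1788, 1212)] * 3 + [(1212, 1584)] * 3


def build_tree(events):
    """Map child PID -> parent PID, taking the first writer as the parent.

    Valid for this report, where every write target is a freshly created
    child of the writer. A write into an already-running, unrelated process
    would be misdrawn as a child, so confirm against process-creation
    events before trusting the tree on other samples.
    """
    parents = {}
    for writer, target in events:
        parents.setdefault(target, writer)
    return parents


def lineage(parents, pid):
    """Return the ancestor chain root-first, e.g. [2172, 2620, 2536]."""
    chain = [pid]
    while chain[-1] in parents:
        chain.append(parents[chain[-1]])
    return chain[::-1]


USER_TEMP = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)


def in_user_temp(image):
    return bool(USER_TEMP.match(image))


def is_cmd(image):
    return image.lower().endswith("\\cmd.exe")


def temp_via_cmd(parents, procs, pid):
    """True when a %TEMP% binary spawned cmd.exe which spawned another %TEMP% binary."""
    images = [procs[p][0] for p in lineage(parents, pid)]
    return any(
        in_user_temp(a) and is_cmd(b) and in_user_temp(c)
        for a, b, c in zip(images, images[1:], images[2:])
    )


def render(parents, procs):
    """Indented text tree, root first, one line per process."""
    children = {}
    for child, parent in parents.items():
        children.setdefault(parent, []).append(child)
    roots = [p for p in procs if p not in parents]
    lines = []

    def walk(pid, depth):
        image, cmdline = procs[pid]
        lines.append(f"{'  ' * depth}[{pid}] {image}  ::  {cmdline}")
        for c in sorted(children.get(pid, [])):
            walk(c, depth + 1)

    for r in sorted(roots):
        walk(r, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    for label, procs, wpm in (("behavioral1", PROCS_B1, WPM_B1), ("behavioral2", PROCS_B2, WPM_B2)):
        tree = build_tree(wpm)
        print(f"== {label}\n{render(tree, procs)}")
        for pid in procs:
            if temp_via_cmd(tree, procs, pid):
                print("  flagged lineage:", " -> ".join(map(str, lineage(tree, pid))))
```

The check fires on the cpio.exe leaf in both runs and stays quiet on cmd.exe itself, which is the right granularity: alert on the grandchild so the whole chain is in the event rather than on every `cmd /c` from %TEMP%.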
Network
| Country | Destination | Domain | Proto |
| NL | 23.62.61.75:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 139.53.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
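No row in this table is attributed to a PID, and the win7 run recorded no traffic at all, so nothing here can be tied to the sample from the data shown. What a practitioner checks first is whether the reverse (PTR) lookups correspond to connections the same run actually made. The following is an added example, not part of the report: it parses the rows above, turns each in-addr.arpa name back into the IPv4 address it queries, and pairs it with the observed non-DNS destinations. Only 75.61.62.23.in-addr.arpa maps to a connection in the table (the www.bing.com TLS session to 23.62.61.75); the other seven PTR queries have no matching flow on the page.

```python
"""Correlate the behavioral2 network rows: which PTR lookups correspond to a
connection actually observed in the same run? (added example; rows are
transcribed from the Network table above)."""
import ipaddress

# (country, destination, domain, proto) exactly as listed in the report.
NETWORK_B2 = [
    ("NL", "23.62.61.75:443", "www.bing.com", "tcp"),
    ("US", "8.8.8.8:53", "69.31.126.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "77.190.18.2.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "43.58.199.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "75.61.62.23.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "198.187.3.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "50.23.12.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "139.53.16.96.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "79.190.18.2.in-addr.arpa", "udp"),
]


def ptr_to_ipv4(name):
    """'75.61.62.23.in-addr.arpa' -> '23.62.61.75'; None if not an IPv4 PTR name."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    labels = name[: -len(suffix)].split(".")
    if len(labels) != 4:
        return None
    candidate = ".".join(reversed(labels))
    try:
        return str(ipaddress.IPv4Address(candidate))
    except ipaddress.AddressValueError:
        return None


def split_dest(dest):
    host, _, port = dest.rpartition(":")
    return host, port


def correlate(rows):
    """Pair PTR queries with the non-DNS destinations seen in the same table."""
    connections = {}  # ip -> (domain, port, proto) for everything that is not port-53 traffic
    for _cc, dest, domain, proto in rows:
        ip, port = split_dest(dest)
        if port != "53":
            connections[ip] = (domain, port, proto)
    ptr_matched, ptr_unmatched, forward_lookups = [], [], []
    for _cc, dest, name, _proto in rows:
        if split_dest(dest)[1] != "53":
            continue
        ip = ptr_to_ipv4(name)
        if ip is None:
            forward_lookups.append(name)     # an A/AAAA-style name, not a PTR
        elif ip in connections:
            ptr_matched.append(ip)           # reverse lookup of a destination we saw
        else:
            ptr_unmatched.append(ip)         # reverse lookup with no flow in the table
    return {
        "connections": connections,
        "ptr_matched": ptr_matched,
        "ptr_unmatched": ptr_unmatched,
        "forward_lookups": forward_lookups,
    }


if __name__ == "__main__":
    result = correlate(NETWORK_B2)
    for key, value in result.items():
        print(f"{key:16s} {value}")
```

On a real capture, feed the same function the flows with their owning PID and keep only rows owned by the sample's process tree; an unmatched PTR list this long with no attributed flow is the signature of resolver and OS background activity, not of the sample.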
Files
memory/1788-0-0x0000000000400000-0x00000000009FD000-memory.dmp
memory/1788-1-0x00000000029F0000-0x00000000029F1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MsgMTemp\jieya.cmd
| MD5 | bf80c4e2a7662ca4790e5eb2b94deb63 |
| SHA1 | 7f4034ca5069a398b1fecc20076d20227629aa77 |
| SHA256 | af18207cb457354b44fa00be373e7a4506e34f1d777be842d75f72f769108a55 |
| SHA512 | f6dda989804faf8f5362ca55a3080a724a2ad6aa586cf820bd86ad2975e84d07fe9b56e0f41404aebf377db8770eb665a289e4884e5445ac6c567666e15275d8 |
C:\Users\Admin\AppData\Local\Temp\MsgMTemp\msg
| MD5 | 968c337d23ea50d0f052438a6f0551ad |
| SHA1 | c9e7472dd013cb5b059566bd8c49a0459dbd977a |
| SHA256 | 44e48f412fc1b7bb31786f3680cddbf98f5b22603bfb4a32918ba83f21db28b8 |
| SHA512 | a770b3d3b3cf724aa3f3bb59b0f8c7cf19dfed8d05fc1089733fe1626ec69c931e0849d96097437625a3965278c8c60a2421ce860348c38409d8eac8ca30d983 |
C:\Users\Admin\AppData\Local\Temp\MsgMTemp\cpio.exe
| MD5 | bf4826e42d3f7a0f663178d97b2bd923 |
| SHA1 | fc8db6821d8400efdcabb58a89f17413c1d0c986 |
| SHA256 | 34b18b2cdd21efbf6954fa0f9042d2967fdc22b2cbaa8a72b5a0e2cb2123b922 |
| SHA512 | 8615e8af72e0762983d623c727e94712ba237b942a24f7811c741d9feb94ed035e95d23252e3aad771578a92fe0725c044411ea49ae7c81843efdc6959b93e18 |
C:\Users\Admin\AppData\Local\Temp\MsgMTemp\libintl3.dll
| MD5 | d202baa425176287017ffe1fb5d1b77c |
| SHA1 | 192e597d8ff0192f6c4e4643361f84277ed51121 |
| SHA256 | f48ce1866602b114e653c876334b771107559acf1c685373d2305034613958f0 |
| SHA512 | 706d74c56ce8d08539c729bdb6c8d57c9a4b0a1c795b8574a1bb2c452358e1bfd5d4fca5a00ab7568dea4ae02c553ce6ab199b3c6418a44cb8915f7e26bd2988 |
C:\Users\Admin\AppData\Local\Temp\MsgMTemp\libiconv2.dll
| MD5 | b6a9e9e63a6cbfc6a593493c943938cb |
| SHA1 | 8145e25be5d15ef3105073265ee05f04d836cd82 |
| SHA256 | 72d73c3238e92208269b9d401b4598987116ea4fcafd91e249b3b9b558d022ff |
| SHA512 | 7a7f49811a1e0cbe0060a7334898ca6cfb9cc63f3c76af64445d178d46fad18db6fad024a84f284a2ee2170aa2d38fd79d925d1cc25592a77eeee9aec15567e5 |
memory/1584-48-0x0000000068080000-0x0000000068174000-memory.dmp
memory/1584-47-0x0000000060E40000-0x0000000060E5D000-memory.dmp
memory/1584-46-0x0000000000400000-0x000000000042C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MsgMTemp\16x16.fnt
| MD5 | 8f64119f1795aef752fa9456946159e7 |
| SHA1 | eac57164e63db3838c79362fe7f548f166048e2d |
| SHA256 | 89fa6c39de2e6b79c1a182e7f87529a6583a05fd032bbb46f85070f6ce19afde |
| SHA512 | bdb1f07c9d2a9fcafde463095386a53ccdfdaf05fb8166e7628be8f569aa57b686c314edac231714678749d3ffaf18982ec437c6f36492bf92629f3ffc259d7c |
C:\Users\Admin\AppData\Local\Temp\MsgMTemp\back.jpg
| MD5 | 668884fb8d4f5e33e7940a8cfb6ea853 |
| SHA1 | a92d4446f84c9a09af2f12cf2e6c1cb9abc8f1bc |
| SHA256 | bef03bd75cfd3e7a9eda6e48acfd61a43f70d77a61c392ad0690d1b769e0d369 |
| SHA512 | a08d0a0e94dc7e7f4859bd6dbe1544ae984ddf477bf77a60ab9417c1f6ddb7051ceaa0594faa4bfdf69e90a5cb2a75d023440ba1fb9d9688c47efb9bf3962fd9 |
C:\Users\Admin\AppData\Local\Temp\MsgMTemp\gfxboot.cfg
| MD5 | f4b957cf633b256498cf476be34a6fa0 |
| SHA1 | 7fa4bf5d3267216974b063ea9306ce6da730adc8 |
| SHA256 | 95a408d57193b1ff25726060c7a1c1bdb0e5fbbbbd43a53d9460a2215d261532 |
| SHA512 | 9885f2d6161b0f395bfad1fe66ce493956a599120395c09207574ac1cd599b3dfbd2a1087169cc4c237e28ddd1fdbcb035b5a04c85c47290523fed2a88b4fe2a |
memory/1788-621-0x0000000000400000-0x00000000009FD000-memory.dmp
memory/1788-623-0x00000000029F0000-0x00000000029F1000-memory.dmp
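The Files tables of behavioral1 and behavioral2 list the same eight dropped files with identical hashes, so one manifest covers both runs and a recovered MsgMTemp directory from a host can be checked against it directly. The following is an added example, not part of the report: the SHA-256 values transcribed from the tables above, a directory verifier that classifies each file as match, mismatch, extra or missing, and a self-test that builds a constructed stand-in directory (not the real dropped files). SHA-256 is used on purpose; the MD5 and SHA-1 values in the report are fine for looking the files up elsewhere but are collision-prone and should not be the sole identity test.

```python
"""Verify a recovered MsgMTemp directory against the dropped-file hashes in
this report (added example; hashes transcribed from the Files tables)."""
import hashlib
import tempfile
from pathlib import Path

# SHA-256 per dropped file, identical in the win7 and win10 runs.
MANIFEST = {
    "jieya.cmd":     "af18207cb457354b44fa00be373e7a4506e34f1d777be842d75f72f769108a55",
    "msg":           "44e48f412fc1b7bb31786f3680cddbf98f5b22603bfb4a32918ba83f21db28b8",
    "cpio.exe":      "34b18b2cdd21efbf6954fa0f9042d2967fdc22b2cbaa8a72b5a0e2cb2123b922",
    "libintl3.dll":  "f48ce1866602b114e653c876334b771107559acf1c685373d2305034613958f0",
    "libiconv2.dll": "72d73c3238e92208269b9d401b4598987116ea4fcafd91e249b3b9b558d022ff",
    "16x16.fnt":     "89fa6c39de2e6b79c1a182e7f87529a6583a05fd032bbb46f85070f6ce19afde",
    "gfxboot.cfg":   "95a408d57193b1ff25726060c7a1c1bdb0e5fbbbbd43a53d9460a2215d261532",
    "back.jpg":      "bef03bd75cfd3e7a9eda6e48acfd61a43f70d77a61c392ad0690d1b769e0d369",
}


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so large drops do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_drop_dir(root, manifest=MANIFEST):
    """Classify every file under root as match / mismatch / extra and list
    manifest entries that are missing. Keys are relative, forward-slashed
    paths spelled exactly as the report lists them."""
    root = Path(root)
    result = {"match": [], "mismatch": [], "extra": [], "missing": []}
    seen = set()
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        seen.add(rel)
        expected = manifest.get(rel)
        if expected is None:
            result["extra"].append(rel)
        elif sha256_file(path) == expected.lower():
            result["match"].append(rel)
        else:
            result["mismatch"].append(rel)
    result["missing"] = sorted(set(manifest) - seen)
    return result


def demo_run():
    """Constructed demonstration (not the real dropped files): one file with
    the wrong content, one whose expected hash is computed here so it
    matches, one file the report never listed, and the rest missing."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "jieya.cmd").write_bytes(b"@echo off\r\nrem constructed stand-in\r\n")
        stand_in = b"MZ constructed stand-in, not cpio.exe"
        (root / "cpio.exe").write_bytes(stand_in)
        (root / "notes.txt").write_bytes(b"analyst notes, not part of the drop")
        manifest = dict(MANIFEST, **{"cpio.exe": hashlib.sha256(stand_in).hexdigest()})
        return verify_drop_dir(root, manifest)


if __name__ == "__main__":
    for bucket, names in demo_run().items():
        print(f"{bucket:9s} {', '.join(names) or '-'}")
```

Point `verify_drop_dir` at a triaged copy of `%LOCALAPPDATA%\Temp\MsgMTemp` and treat any mismatch as a different build of the same dropper, worth its own submission rather than an assumed match to this report.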