b6ac0acbc05f6cbc03f49c247464ade498c684cd08409fa6b7bcebfda18851dd

General

Target

b6ac0acbc05f6cbc03f49c247464ade498c684cd08409fa6b7bcebfda18851dd.exe
Size

184KB
MD5

c0620a38fb60191b215705cea3734f30
SHA1

298a6476500a9c975ad1b9b976a56abd075425d5
SHA256

b6ac0acbc05f6cbc03f49c247464ade498c684cd08409fa6b7bcebfda18851dd
SHA512

563d4ca79d9c4d68e562fda7858cce27568ba34917fe2128c9014b261dbe0d6fbe70ebe232ccfeebef0a9f60de0fbdd1ef912cca823732fb3b0f01612ebb6df2
SSDEEP

3072:8JOPLxo67+OVjWAWeuwpMnV28lnViFanY:8JwoEtWAZp6V28lnViFa

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 10 IoCs

Processes:

Unicorn-62552.exeUnicorn-51852.exeUnicorn-46344.exeUnicorn-25281.exeUnicorn-60652.exeUnicorn-7012.exeUnicorn-28051.exeUnicorn-32486.exeUnicorn-3254.exeUnicorn-65133.exe

pid	process
2168	Unicorn-62552.exe
2700	Unicorn-51852.exe
2532	Unicorn-46344.exe
2512	Unicorn-25281.exe
2860	Unicorn-60652.exe
2724	Unicorn-7012.exe
788	Unicorn-28051.exe
752	Unicorn-32486.exe
2248	Unicorn-3254.exe
2908	Unicorn-65133.exe

Loads dropped DLL 64 IoCs

Processes:

b6ac0acbc05f6cbc03f49c247464ade498c684cd08409fa6b7bcebfda18851dd.exeUnicorn-62552.exeWerFault.exeUnicorn-51852.exeWerFault.exeUnicorn-46344.exeWerFault.exeUnicorn-25281.exeWerFault.exeUnicorn-60652.exeWerFault.exeUnicorn-7012.exeWerFault.exeUnicorn-28051.exeWerFault.exeUnicorn-32486.exeWerFault.exeUnicorn-3254.exeWerFault.exe

pid	process
616	b6ac0acbc05f6cbc03f49c247464ade498c684cd08409fa6b7bcebfda18851dd.exe
616	b6ac0acbc05f6cbc03f49c247464ade498c684cd08409fa6b7bcebfda18851dd.exe
2168	Unicorn-62552.exe
2168	Unicorn-62552.exe
2624	WerFault.exe
2624	WerFault.exe
2624	WerFault.exe
2624	WerFault.exe
2624	WerFault.exe
2700	Unicorn-51852.exe
2700	Unicorn-51852.exe
1148	WerFault.exe
1148	WerFault.exe
1148	WerFault.exe
1148	WerFault.exe
1148	WerFault.exe
2532	Unicorn-46344.exe
2532	Unicorn-46344.exe
2972	WerFault.exe
2972	WerFault.exe
2972	WerFault.exe
2972	WerFault.exe
2972	WerFault.exe
2512	Unicorn-25281.exe
2512	Unicorn-25281.exe
2304	WerFault.exe
2304	WerFault.exe
2304	WerFault.exe
2304	WerFault.exe
2304	WerFault.exe
2860	Unicorn-60652.exe
2860	Unicorn-60652.exe
1996	WerFault.exe
1996	WerFault.exe
1996	WerFault.exe
1996	WerFault.exe
1996	WerFault.exe
2724	Unicorn-7012.exe
2724	Unicorn-7012.exe
2820	WerFault.exe
2820	WerFault.exe
2820	WerFault.exe
2820	WerFault.exe
2820	WerFault.exe
788	Unicorn-28051.exe
788	Unicorn-28051.exe
568	WerFault.exe
568	WerFault.exe
568	WerFault.exe
568	WerFault.exe
568	WerFault.exe
752	Unicorn-32486.exe
752	Unicorn-32486.exe
2456	WerFault.exe
2456	WerFault.exe
2456	WerFault.exe
2456	WerFault.exe
2456	WerFault.exe
2248	Unicorn-3254.exe
2248	Unicorn-3254.exe
2260	WerFault.exe
2260	WerFault.exe
2260	WerFault.exe
2260	WerFault.exe

Program crash 11 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1272	616	WerFault.exe	b6ac0acbc05f6cbc03f49c247464ade498c684cd08409fa6b7bcebfda18851dd.exe
2624	2168	WerFault.exe	Unicorn-62552.exe
1148	2700	WerFault.exe	Unicorn-51852.exe
2972	2532	WerFault.exe	Unicorn-46344.exe
2304	2512	WerFault.exe	Unicorn-25281.exe
1996	2860	WerFault.exe	Unicorn-60652.exe
2820	2724	WerFault.exe	Unicorn-7012.exe
568	788	WerFault.exe	Unicorn-28051.exe
2456	752	WerFault.exe	Unicorn-32486.exe
2260	2908	WerFault.exe	Unicorn-65133.exe
1096	2248	WerFault.exe	Unicorn-3254.exe

Suspicious use of SetWindowsHookEx 11 IoCs

Processes:

b6ac0acbc05f6cbc03f49c247464ade498c684cd08409fa6b7bcebfda18851dd.exeUnicorn-62552.exeUnicorn-51852.exeUnicorn-46344.exeUnicorn-25281.exeUnicorn-60652.exeUnicorn-7012.exeUnicorn-28051.exeUnicorn-32486.exeUnicorn-3254.exeUnicorn-65133.exe

pid	process
616	b6ac0acbc05f6cbc03f49c247464ade498c684cd08409fa6b7bcebfda18851dd.exe
2168	Unicorn-62552.exe
2700	Unicorn-51852.exe
2532	Unicorn-46344.exe
2512	Unicorn-25281.exe
2860	Unicorn-60652.exe
2724	Unicorn-7012.exe
788	Unicorn-28051.exe
752	Unicorn-32486.exe
2248	Unicorn-3254.exe
2908	Unicorn-65133.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b6ac0acbc05f6cbc03f49c247464ade498c684cd08409fa6b7bcebfda18851dd.exeUnicorn-62552.exeUnicorn-51852.exeUnicorn-46344.exeUnicorn-25281.exeUnicorn-60652.exeUnicorn-7012.exeUnicorn-28051.exe

description	pid	process	target process
PID 616 wrote to memory of 2168	616	b6ac0acbc05f6cbc03f49c247464ade498c684cd08409fa6b7bcebfda18851dd.exe	Unicorn-62552.exe
PID 616 wrote to memory of 2168	616	b6ac0acbc05f6cbc03f49c247464ade498c684cd08409fa6b7bcebfda18851dd.exe	Unicorn-62552.exe
PID 616 wrote to memory of 2168	616	b6ac0acbc05f6cbc03f49c247464ade498c684cd08409fa6b7bcebfda18851dd.exe	Unicorn-62552.exe
PID 616 wrote to memory of 2168	616	b6ac0acbc05f6cbc03f49c247464ade498c684cd08409fa6b7bcebfda18851dd.exe	Unicorn-62552.exe
PID 616 wrote to memory of 1272	616	b6ac0acbc05f6cbc03f49c247464ade498c684cd08409fa6b7bcebfda18851dd.exe	WerFault.exe
PID 616 wrote to memory of 1272	616	b6ac0acbc05f6cbc03f49c247464ade498c684cd08409fa6b7bcebfda18851dd.exe	WerFault.exe
PID 616 wrote to memory of 1272	616	b6ac0acbc05f6cbc03f49c247464ade498c684cd08409fa6b7bcebfda18851dd.exe	WerFault.exe
PID 616 wrote to memory of 1272	616	b6ac0acbc05f6cbc03f49c247464ade498c684cd08409fa6b7bcebfda18851dd.exe	WerFault.exe
PID 2168 wrote to memory of 2700	2168	Unicorn-62552.exe	Unicorn-51852.exe
PID 2168 wrote to memory of 2700	2168	Unicorn-62552.exe	Unicorn-51852.exe
PID 2168 wrote to memory of 2700	2168	Unicorn-62552.exe	Unicorn-51852.exe
PID 2168 wrote to memory of 2700	2168	Unicorn-62552.exe	Unicorn-51852.exe
PID 2168 wrote to memory of 2624	2168	Unicorn-62552.exe	WerFault.exe
PID 2168 wrote to memory of 2624	2168	Unicorn-62552.exe	WerFault.exe
PID 2168 wrote to memory of 2624	2168	Unicorn-62552.exe	WerFault.exe
PID 2168 wrote to memory of 2624	2168	Unicorn-62552.exe	WerFault.exe
PID 2700 wrote to memory of 2532	2700	Unicorn-51852.exe	Unicorn-46344.exe
PID 2700 wrote to memory of 2532	2700	Unicorn-51852.exe	Unicorn-46344.exe
PID 2700 wrote to memory of 2532	2700	Unicorn-51852.exe	Unicorn-46344.exe
PID 2700 wrote to memory of 2532	2700	Unicorn-51852.exe	Unicorn-46344.exe
PID 2700 wrote to memory of 1148	2700	Unicorn-51852.exe	WerFault.exe
PID 2700 wrote to memory of 1148	2700	Unicorn-51852.exe	WerFault.exe
PID 2700 wrote to memory of 1148	2700	Unicorn-51852.exe	WerFault.exe
PID 2700 wrote to memory of 1148	2700	Unicorn-51852.exe	WerFault.exe
PID 2532 wrote to memory of 2512	2532	Unicorn-46344.exe	Unicorn-25281.exe
PID 2532 wrote to memory of 2512	2532	Unicorn-46344.exe	Unicorn-25281.exe
PID 2532 wrote to memory of 2512	2532	Unicorn-46344.exe	Unicorn-25281.exe
PID 2532 wrote to memory of 2512	2532	Unicorn-46344.exe	Unicorn-25281.exe
PID 2532 wrote to memory of 2972	2532	Unicorn-46344.exe	WerFault.exe
PID 2532 wrote to memory of 2972	2532	Unicorn-46344.exe	WerFault.exe
PID 2532 wrote to memory of 2972	2532	Unicorn-46344.exe	WerFault.exe
PID 2532 wrote to memory of 2972	2532	Unicorn-46344.exe	WerFault.exe
PID 2512 wrote to memory of 2860	2512	Unicorn-25281.exe	Unicorn-60652.exe
PID 2512 wrote to memory of 2860	2512	Unicorn-25281.exe	Unicorn-60652.exe
PID 2512 wrote to memory of 2860	2512	Unicorn-25281.exe	Unicorn-60652.exe
PID 2512 wrote to memory of 2860	2512	Unicorn-25281.exe	Unicorn-60652.exe
PID 2512 wrote to memory of 2304	2512	Unicorn-25281.exe	WerFault.exe
PID 2512 wrote to memory of 2304	2512	Unicorn-25281.exe	WerFault.exe
PID 2512 wrote to memory of 2304	2512	Unicorn-25281.exe	WerFault.exe
PID 2512 wrote to memory of 2304	2512	Unicorn-25281.exe	WerFault.exe
PID 2860 wrote to memory of 2724	2860	Unicorn-60652.exe	Unicorn-7012.exe
PID 2860 wrote to memory of 2724	2860	Unicorn-60652.exe	Unicorn-7012.exe
PID 2860 wrote to memory of 2724	2860	Unicorn-60652.exe	Unicorn-7012.exe
PID 2860 wrote to memory of 2724	2860	Unicorn-60652.exe	Unicorn-7012.exe
PID 2860 wrote to memory of 1996	2860	Unicorn-60652.exe	WerFault.exe
PID 2860 wrote to memory of 1996	2860	Unicorn-60652.exe	WerFault.exe
PID 2860 wrote to memory of 1996	2860	Unicorn-60652.exe	WerFault.exe
PID 2860 wrote to memory of 1996	2860	Unicorn-60652.exe	WerFault.exe
PID 2724 wrote to memory of 788	2724	Unicorn-7012.exe	Unicorn-28051.exe
PID 2724 wrote to memory of 788	2724	Unicorn-7012.exe	Unicorn-28051.exe
PID 2724 wrote to memory of 788	2724	Unicorn-7012.exe	Unicorn-28051.exe
PID 2724 wrote to memory of 788	2724	Unicorn-7012.exe	Unicorn-28051.exe
PID 2724 wrote to memory of 2820	2724	Unicorn-7012.exe	WerFault.exe
PID 2724 wrote to memory of 2820	2724	Unicorn-7012.exe	WerFault.exe
PID 2724 wrote to memory of 2820	2724	Unicorn-7012.exe	WerFault.exe
PID 2724 wrote to memory of 2820	2724	Unicorn-7012.exe	WerFault.exe
PID 788 wrote to memory of 752	788	Unicorn-28051.exe	Unicorn-32486.exe
PID 788 wrote to memory of 752	788	Unicorn-28051.exe	Unicorn-32486.exe
PID 788 wrote to memory of 752	788	Unicorn-28051.exe	Unicorn-32486.exe
PID 788 wrote to memory of 752	788	Unicorn-28051.exe	Unicorn-32486.exe
PID 788 wrote to memory of 568	788	Unicorn-28051.exe	WerFault.exe
PID 788 wrote to memory of 568	788	Unicorn-28051.exe	WerFault.exe
PID 788 wrote to memory of 568	788	Unicorn-28051.exe	WerFault.exe
PID 788 wrote to memory of 568	788	Unicorn-28051.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\b6ac0acbc05f6cbc03f49c247464ade498c684cd08409fa6b7bcebfda18851dd.exe
"C:\Users\Admin\AppData\Local\Temp\b6ac0acbc05f6cbc03f49c247464ade498c684cd08409fa6b7bcebfda18851dd.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:616

C:\Users\Admin\AppData\Local\Temp\Unicorn-62552.exe
C:\Users\Admin\AppData\Local\Temp\Unicorn-62552.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2168

C:\Users\Admin\AppData\Local\Temp\Unicorn-51852.exe
C:\Users\Admin\AppData\Local\Temp\Unicorn-51852.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2700

C:\Users\Admin\AppData\Local\Temp\Unicorn-46344.exe
C:\Users\Admin\AppData\Local\Temp\Unicorn-46344.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2532

C:\Users\Admin\AppData\Local\Temp\Unicorn-25281.exe
C:\Users\Admin\AppData\Local\Temp\Unicorn-25281.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2512

C:\Users\Admin\AppData\Local\Temp\Unicorn-60652.exe
C:\Users\Admin\AppData\Local\Temp\Unicorn-60652.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2860

C:\Users\Admin\AppData\Local\Temp\Unicorn-7012.exe
C:\Users\Admin\AppData\Local\Temp\Unicorn-7012.exe
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2724

C:\Users\Admin\AppData\Local\Temp\Unicorn-28051.exe
C:\Users\Admin\AppData\Local\Temp\Unicorn-28051.exe
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:788

C:\Users\Admin\AppData\Local\Temp\Unicorn-32486.exe
C:\Users\Admin\AppData\Local\Temp\Unicorn-32486.exe
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:752

C:\Users\Admin\AppData\Local\Temp\Unicorn-3254.exe
C:\Users\Admin\AppData\Local\Temp\Unicorn-3254.exe
10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2248

C:\Users\Admin\AppData\Local\Temp\Unicorn-65133.exe
C:\Users\Admin\AppData\Local\Temp\Unicorn-65133.exe
11⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 200
12⤵
- Loads dropped DLL
- Program crash
PID:2260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 236
11⤵
- Program crash
PID:1096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 752 -s 236
10⤵
- Loads dropped DLL
- Program crash
PID:2456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 788 -s 236
9⤵
- Loads dropped DLL
- Program crash
PID:568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 236
8⤵
- Loads dropped DLL
- Program crash
PID:2820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2860 -s 236
7⤵
- Loads dropped DLL
- Program crash
PID:1996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2512 -s 236
6⤵
- Loads dropped DLL
- Program crash
PID:2304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2532 -s 236
5⤵
- Loads dropped DLL
- Program crash
PID:2972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 236
4⤵
- Loads dropped DLL
- Program crash
PID:1148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 236
3⤵
- Loads dropped DLL
- Program crash
PID:2624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 616 -s 236
2⤵
- Program crash
PID:1272

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Unicorn-25281.exe
Filesize
184KB

MD5
9172145493fbd5dca846b45150a51047

SHA1
98e8633c7614390ae4abaf657e4530b8712ac905

SHA256
bff93117710a59a9fd9b25bc06e0d40a36a2aa4a40a4906dec8f3881e940cfa9

SHA512
3af917bb9b53c554d0ca4f28e1f52ea26b88ea4b3aeff49a82a6e86e946370adbb685ad82e2f7d74b898b155fda1656e2e95d221c9760860de6d2a8d86b54512

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-28051.exe
Filesize
184KB

MD5
c8b9cc2eaad7c93a88467c56fbc64b8d

SHA1
6dc95af0cf18e46dc219d2154293b78b58ec6c3c

SHA256
c7c42af30041ca9834940c68204fb93d3be77a6aadeea48c5b4104e4d5745123

SHA512
4a976aaee0eeebf6e1dc7dd015becbd062f0e3a39396a814109cdc0c778465f2c6b513de8b91fc496ba0578fcc974d58efeb47d1a559d1b3a5dcaf19ed8e86bd

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-32486.exe
Filesize
184KB

MD5
c47b93b713e067e1e8cd0576bdefcb83

SHA1
3491ec85dbce7b43b627b2d05acb1af7adcf01a0

SHA256
3e0997f6381a7c48c3e65b74364e2e9e19e15a1e3923b0a37d4bb2a33261c555

SHA512
8ef85d75aeecfc4bfe1f61fc95956c99d93d8e77a2524e286cc6a322062d79926282f3baac487f01e009dbbdba6ff9e33c465db463fb331f3b748802603f9980

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-46344.exe
Filesize
184KB

MD5
c1e1c237ed1cfe0137f8f92c2bad005d

SHA1
9ccf2ac413068bbf3ad0c17827aca3415ea9823d

SHA256
f6eb43c38df01bed42a561341682594f71ee9e96b631880c47a9d9d3bcc6fcfc

SHA512
e49cf460d09cb608f1b518bc23a627c71511e42ca36aac160a05eb0c8a10209460e70eefeb86a8a23ab717c30a89a2da16077ebd5f4db46b51624aa45d0ed98e

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-51852.exe
Filesize
184KB

MD5
fdd9d0e0dba54c514fef5e3636e61489

SHA1
ba4e7df09aef21494350709692ef8f4352927f88

SHA256
7152cd4d0d54794b11d1eddd0f21942c3c2066ce5c0278d14ef7fcaa47a6d23f

SHA512
1dafc638cf9b9ddac0c25aaa8bcd8fb05f32d730697f7f059daf04b8d894a5d8460c1f7ceda0f4bd2443564c3ebfa2d1bdd7290ac0053b4ed871a57b23247b74

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-60652.exe
Filesize
184KB

MD5
e895b7e5093d02d4e6a31f99427a8497

SHA1
401f83a81df14b986b193fd20b9ee7e1c4745c68

SHA256
9b100cf3c5ea265c03c64224f84c7b396d0efce7140b966d18b09c8bce35a3d3

SHA512
859f15b2db0fe758dd555cdea64667f5a171f3a92ea511e18038c23377d566baefbec22ba0aba75735d476cbc69c37949af586cc5b6b59ba4c1b7fc3b133fd18

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-62552.exe
Filesize
184KB

MD5
c8137f262f292273b6286cde5a564844

SHA1
ccf7cdd8f1a34f573f77945e8b9a0282638823ce

SHA256
fd16ed694389cadcea8b60f6af671a0fd6134ee1e711a0e99e00906c142df07e

SHA512
f2cbe49f1c46e23642f320b82110e9678ff01bcfb7897b52082d89d54ba33439abd98c716e8e2a7e3cb1e2be6facab2a4e680ba464f55b73c51083008717e334

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-7012.exe
Filesize
184KB

MD5
00a2ed6c556f8a9b915c38fd3fbf4b6f

SHA1
285405ea5c458c1b96b7422676a9487fd5dc189f

SHA256
62e36efb6e43c01c37564ff95f5f7a2aa3b6061865c90dc86a6bf8be8acb59ad

SHA512
ba1d3f5efe9533006d2b0d856036f74f6d8d04a91fb796822bc2b5b1db0748a6498ca90f21d438a707249f6267eceb907a266946c6117cc357ffe79386b235c1

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads