00cc9b661f1ee722cc0f4e763d3a58c74aec1d19ea076df8b67d53db543b04bc

General

Target

00cc9b661f1ee722cc0f4e763d3a58c74aec1d19ea076df8b67d53db543b04bc.exe
Size

903KB
MD5

116d64ce8637c2629a656adde7dbba74
SHA1

6e54670587c28256de0a8cd19ebd9aef14a5411c
SHA256

00cc9b661f1ee722cc0f4e763d3a58c74aec1d19ea076df8b67d53db543b04bc
SHA512

6e0fbb00a8b2230833d7a257b9ddbfd1c275aa5645d1b98bb07de90bdef5ef7a91fe23faeb19fc4b66e996479a01e52d1db16717708ba6c1551a2d830332efd7
SSDEEP

12288:cGd4qIuUY0lW/+0d7dG1lFlWcYT70pxnnaaoawiRVcTqSA+9rZNrI0AilFEvxHvq:Aqd4MROxnFrLqrZlI0AilFEvxHiLse

Score

6^/10

Malware Config

Signatures

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	00cc9b661f1ee722cc0f4e763d3a58c74aec1d19ea076df8b67d53db543b04bc.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	00cc9b661f1ee722cc0f4e763d3a58c74aec1d19ea076df8b67d53db543b04bc.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	00cc9b661f1ee722cc0f4e763d3a58c74aec1d19ea076df8b67d53db543b04bc.exe
File created	C:\Windows\assembly\Desktop.ini	00cc9b661f1ee722cc0f4e763d3a58c74aec1d19ea076df8b67d53db543b04bc.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	00cc9b661f1ee722cc0f4e763d3a58c74aec1d19ea076df8b67d53db543b04bc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2572	00cc9b661f1ee722cc0f4e763d3a58c74aec1d19ea076df8b67d53db543b04bc.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2572	00cc9b661f1ee722cc0f4e763d3a58c74aec1d19ea076df8b67d53db543b04bc.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2572 wrote to memory of 1632	2572	00cc9b661f1ee722cc0f4e763d3a58c74aec1d19ea076df8b67d53db543b04bc.exe	85
PID 2572 wrote to memory of 1632	2572	00cc9b661f1ee722cc0f4e763d3a58c74aec1d19ea076df8b67d53db543b04bc.exe	85
PID 1632 wrote to memory of 2776	1632	csc.exe	87
PID 1632 wrote to memory of 2776	1632	csc.exe	87

C:\Users\Admin\AppData\Local\Temp\00cc9b661f1ee722cc0f4e763d3a58c74aec1d19ea076df8b67d53db543b04bc.exe
"C:\Users\Admin\AppData\Local\Temp\00cc9b661f1ee722cc0f4e763d3a58c74aec1d19ea076df8b67d53db543b04bc.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2572
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mx-erwxy.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1632
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3A6A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3A69.tmp"
    3⤵
    PID:2776

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES3A6A.tmp

Filesize
1KB

MD5
bbf0d0ba40e5fa385b1ae8b52c1ea942

SHA1
c38842d1fa3ca4d2e011a92969c44ed43f378d02

SHA256
6462e067a165b7abfc735a93402bc26597fc2a96f921c09cc5d1e99972133b6d

SHA512
7a682d9f282864a202d3945809f6a6f3496c326a7af131db2b060158f4d25a92d0fb97a7612766f16fc102881a9d17012cc29509cf52a2e00456ba1440055ec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mx-erwxy.dll

Filesize
76KB

MD5
5ec2b57c15c895d64702392699ef1bd3

SHA1
ee62bf9d310c256cf57b0b3d7a37f52fb362ef7a

SHA256
c0516bcb151c7a2e24ab941f2f92b571249a53d6ee629a5fe9dbdad0def2844f

SHA512
658744d030c78f34873883b53eca169bb42ee4b0b3526da22dce90a6447c5632e8e1662aac00cb52a02eb87916a1f619d4d1403de52cd4b0dd9dbf9fef16e600

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC3A69.tmp

Filesize
676B

MD5
144625046000b55b9e2fbac5f12e5993

SHA1
aa17d6c8e0fc6bae5ab7605c8b7ede23e3377a42

SHA256
8549496ee283152ee87bd0b6e390d33bae8c0a57d8648e39667583f0fbfe5cbe

SHA512
ecc556865d07ce84140efd6f2ba439eab978a99fb9e2f63c19b8cc021ed9dec3535f493623193909e3a42ed74482de85ffec1038794e1e6951f467216f008e12

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mx-erwxy.0.cs

Filesize
208KB

MD5
9fd68756cff5d5660671a8ea5628d198

SHA1
8d5f440ef7732d75c58fef7b28e43ec2bf35bcc1

SHA256
b3bc164c14266bfd880007be5353d79a1b90a6cc3c3fdcfddc6e018330a2561f

SHA512
a41eaea460962db519bc898d88b77690433df2cec34d879275bff90a950a597d61dc81212357bf2d4e41faa487200f9aea29e56804813dc82dc8c1640504ab08

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mx-erwxy.cmdline

Filesize
349B

MD5
0e485edfaaaeb61c1ac677dca4706392

SHA1
ed4be31d29d1a4028dc19572eb4afaeb99018029

SHA256
a10dfefeca1d678ae330f1e813db38723f0f9f3e02fd18ea516708fa0ae7422f

SHA512
72a65bce9461d0ba7f5cb655446fe32b2983dc3bd13bea43a87556b6ea77e2068ee24c696ab450b402150dc3f917ca924014dfd43a430a89c54991571a5c32a4

Download Submit
memory/1632-21-0x00007FFB8E490000-0x00007FFB8EE31000-memory.dmp

Filesize
9.6MB

Download
memory/1632-20-0x00007FFB8E490000-0x00007FFB8EE31000-memory.dmp

Filesize
9.6MB

Download
memory/2572-7-0x000000001B970000-0x000000001BE3E000-memory.dmp

Filesize
4.8MB

Download
memory/2572-23-0x000000001B470000-0x000000001B486000-memory.dmp

Filesize
88KB

Download
memory/2572-0-0x00007FFB8E745000-0x00007FFB8E746000-memory.dmp

Filesize
4KB

Download
memory/2572-6-0x00007FFB8E490000-0x00007FFB8EE31000-memory.dmp

Filesize
9.6MB

Download
memory/2572-5-0x000000001B290000-0x000000001B29E000-memory.dmp

Filesize
56KB

Download
memory/2572-2-0x000000001B1A0000-0x000000001B1FC000-memory.dmp

Filesize
368KB

Download
memory/2572-1-0x00007FFB8E490000-0x00007FFB8EE31000-memory.dmp

Filesize
9.6MB

Download
memory/2572-8-0x000000001BE40000-0x000000001BEDC000-memory.dmp

Filesize
624KB

Download
memory/2572-25-0x00000000009C0000-0x00000000009D2000-memory.dmp

Filesize
72KB

Download
memory/2572-26-0x000000001BF00000-0x000000001BF18000-memory.dmp

Filesize
96KB

Download
memory/2572-27-0x0000000000950000-0x0000000000960000-memory.dmp

Filesize
64KB

Download
memory/2572-28-0x0000000000990000-0x0000000000998000-memory.dmp

Filesize
32KB

Download
memory/2572-29-0x00007FFB8E745000-0x00007FFB8E746000-memory.dmp

Filesize
4KB

Download
memory/2572-30-0x00007FFB8E490000-0x00007FFB8EE31000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing