f43b05e365e1ec3ac9c7367077739e5dd0ab70e7a09d0734f5ae99644867af13

General

Target

f43b05e365e1ec3ac9c7367077739e5dd0ab70e7a09d0734f5ae99644867af13.exe
Size

5.0MB
MD5

a4c8388b79175063b36531780617feb2
SHA1

c2632a879a67fdbdc81e4f80b22e36147366102a
SHA256

f43b05e365e1ec3ac9c7367077739e5dd0ab70e7a09d0734f5ae99644867af13
SHA512

313ec442deefe8ff5c56543bad8a3088e984fad6d38f7740f068108e2278f1d1afa70a19c39a09f9fce3f57aa88e2aba2f840f66481f6fda1a966c17884d2428
SSDEEP

24576:zqI4MROxnFj3rxXFHXRrZlI0AilFEvxHiHlT:zqrMi1lRhrZlI0AilFEvxHi

Score

6^/10

Malware Config

Signatures

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	f43b05e365e1ec3ac9c7367077739e5dd0ab70e7a09d0734f5ae99644867af13.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	f43b05e365e1ec3ac9c7367077739e5dd0ab70e7a09d0734f5ae99644867af13.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	f43b05e365e1ec3ac9c7367077739e5dd0ab70e7a09d0734f5ae99644867af13.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	f43b05e365e1ec3ac9c7367077739e5dd0ab70e7a09d0734f5ae99644867af13.exe
File opened for modification	C:\Windows\assembly	f43b05e365e1ec3ac9c7367077739e5dd0ab70e7a09d0734f5ae99644867af13.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1072 wrote to memory of 4528	1072	f43b05e365e1ec3ac9c7367077739e5dd0ab70e7a09d0734f5ae99644867af13.exe	85
PID 1072 wrote to memory of 4528	1072	f43b05e365e1ec3ac9c7367077739e5dd0ab70e7a09d0734f5ae99644867af13.exe	85
PID 4528 wrote to memory of 4852	4528	csc.exe	87
PID 4528 wrote to memory of 4852	4528	csc.exe	87

C:\Users\Admin\AppData\Local\Temp\f43b05e365e1ec3ac9c7367077739e5dd0ab70e7a09d0734f5ae99644867af13.exe
"C:\Users\Admin\AppData\Local\Temp\f43b05e365e1ec3ac9c7367077739e5dd0ab70e7a09d0734f5ae99644867af13.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1072
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xnpk--8f.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4528
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4806.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4805.tmp"
    3⤵
    PID:4852

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES4806.tmp

Filesize
1KB

MD5
1bfacbc8629a9d2a878f7c503c9b846b

SHA1
dd26642b21601c5e265d459d666023cc315432ad

SHA256
9a1dac7a1faf2adb6dd869c4bc0545240d485515cf5a0c217ce30142ab9c9d1f

SHA512
10de2a663627ae828dc886cc700e712ef3ac8d163f892e52922b868f8b8928c6835651ef404a189e346872a54f921cd67d3eda8c296a9a1fa0d0744dfaa5bfd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\xnpk--8f.dll

Filesize
76KB

MD5
b6435b27eb68059bf6d4fe87c86323f2

SHA1
4a5ffc5ae4924f38cb735ced6f7ee4b7e5ef56e6

SHA256
94f57547e9e3f5c31c4ae46979b4d333516b397bbfa27b3cd2a13d35046f2b99

SHA512
9bc3de9f56bef03596e5f16603adeee3b54ffb019dd00e76b33576c9299ef896dfbf937b58d6e3db97312f45acc04fef756613a0b562d2f53f66d00a2d897172

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC4805.tmp

Filesize
676B

MD5
4a7afedc12eb0e6cea3d4cbf332e941c

SHA1
8aef238bcbe36fbe90dc28a11afce71406c76a0c

SHA256
c7b9dd8ee40abc6e6e8b0f2e2436a0685c7935ab4f454b16e8cf2103e1216e7f

SHA512
686c7fa98e751f212acc98789ea9be51bff4f7b9a455b663b755649b7826ed01b18b3bab2a1d8d1c239440a98dccb20c2a49df77d22215b145b192133a3c9f47

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xnpk--8f.0.cs

Filesize
208KB

MD5
223a99945e23894153b42c767bec3821

SHA1
f7737816dcfd5c63e320a86d3ce5c21eded105c8

SHA256
6c4795a7206b7394cbe9404e15df9b11caba0da0c06e1a494af7902d26acad50

SHA512
87cfff279961b471dc7acfcdae13cfc9c27f16f6483e9a64b207d099b3a33e71def73d4b658cc61fa69476cd4dd521deb00169d5d4b8bc1638ddfe92254881ce

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xnpk--8f.cmdline

Filesize
349B

MD5
2dbb4781ad7b4c91547fcd1f09fb5d5b

SHA1
392461e2b530787203c3659ed2acdb998189d080

SHA256
20f0cd0bbb7f8aa11d683c2d92c6fd6d6bd5457ba9af57a2a6763f5aec079205

SHA512
5e91424202b0ab1ce2d887347c94095466f75f2d6e86b3a17b3e714ad04d11d003f58cffbf493187e6476af573423e0f6cd691990a1a18e379d1d2ed37f10cac

Download Submit
memory/1072-7-0x000000001BB80000-0x000000001C04E000-memory.dmp

Filesize
4.8MB

Download
memory/1072-28-0x00007FFDCDF00000-0x00007FFDCE8A1000-memory.dmp

Filesize
9.6MB

Download
memory/1072-0-0x00007FFDCE1B5000-0x00007FFDCE1B6000-memory.dmp

Filesize
4KB

Download
memory/1072-6-0x00007FFDCDF00000-0x00007FFDCE8A1000-memory.dmp

Filesize
9.6MB

Download
memory/1072-8-0x000000001C0F0000-0x000000001C18C000-memory.dmp

Filesize
624KB

Download
memory/1072-5-0x000000001B570000-0x000000001B57E000-memory.dmp

Filesize
56KB

Download
memory/1072-2-0x000000001B4A0000-0x000000001B4FC000-memory.dmp

Filesize
368KB

Download
memory/1072-29-0x00007FFDCE1B5000-0x00007FFDCE1B6000-memory.dmp

Filesize
4KB

Download
memory/1072-1-0x00007FFDCDF00000-0x00007FFDCE8A1000-memory.dmp

Filesize
9.6MB

Download
memory/1072-23-0x000000001C780000-0x000000001C796000-memory.dmp

Filesize
88KB

Download
memory/1072-25-0x0000000000D80000-0x0000000000D92000-memory.dmp

Filesize
72KB

Download
memory/1072-26-0x0000000000D50000-0x0000000000D58000-memory.dmp

Filesize
32KB

Download
memory/1072-27-0x00007FFDCDF00000-0x00007FFDCE8A1000-memory.dmp

Filesize
9.6MB

Download
memory/4528-16-0x00007FFDCDF00000-0x00007FFDCE8A1000-memory.dmp

Filesize
9.6MB

Download
memory/4528-21-0x00007FFDCDF00000-0x00007FFDCE8A1000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads