a00261d08d7baf7f83c01d87d670833a4ad5275b634dc046e0f109eaa7bce7f1

General

Target

IMG______6122024.exe
Size

1.2MB
MD5

7754fb5516eea45c40fc3b3f29e55cca
SHA1

00b7053d8554616b35d482fc98c43c6cb22e2328
SHA256

a5687583ab164c93400b8c1a4c4e500dbc800559cb0294558852bce1cb62e540
SHA512

88a1eda10932186fceeb7ac698d1987619c471ec74b052faf6db9e9259dcce06aa8fda52d212f1ffc6780172c63ecfe69dcabb5188e02c225330c7817b15b72c
SSDEEP

24576:bAHnh+eWsN3skA4RV1Hom2KXMmHahExzVA/bE3ERmxSvXwUYWrV5:2h+ZkldoPK8YahazVOb4AXwU/z

Score

7^/10

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs	name.exe

Executes dropped EXE 1 IoCs

pid	Process
2448	name.exe

Loads dropped DLL 1 IoCs

pid	Process
2372	IMG______6122024.exe

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2372-11-0x0000000000330000-0x0000000000463000-memory.dmp	autoit_exe
behavioral1/files/0x0008000000015d97-13.dat	autoit_exe
behavioral1/memory/2372-17-0x0000000000330000-0x0000000000463000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2448 set thread context of 2932	2448	name.exe	29
PID 2932 set thread context of 1204	2932	svchost.exe	21
PID 2932 set thread context of 2224	2932	svchost.exe	30
PID 2224 set thread context of 1204	2224	sethc.exe	21

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
2932	svchost.exe
2932	svchost.exe
2932	svchost.exe
2932	svchost.exe
2932	svchost.exe
2932	svchost.exe
2932	svchost.exe
2932	svchost.exe
2224	sethc.exe
2224	sethc.exe
2224	sethc.exe
2224	sethc.exe
2224	sethc.exe
2224	sethc.exe
2224	sethc.exe
2224	sethc.exe
2224	sethc.exe
2224	sethc.exe
2224	sethc.exe
2224	sethc.exe
2224	sethc.exe
2224	sethc.exe
2224	sethc.exe
2224	sethc.exe
2224	sethc.exe
2224	sethc.exe
2224	sethc.exe
2224	sethc.exe
2224	sethc.exe
2224	sethc.exe
2224	sethc.exe
2224	sethc.exe
2224	sethc.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
2448	name.exe
2932	svchost.exe
1204	Explorer.EXE
1204	Explorer.EXE
2224	sethc.exe
2224	sethc.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2372	IMG______6122024.exe
2372	IMG______6122024.exe
2448	name.exe
2448	name.exe
1204	Explorer.EXE
1204	Explorer.EXE

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
2372	IMG______6122024.exe
2372	IMG______6122024.exe
2448	name.exe
2448	name.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 2448	2372	IMG______6122024.exe	28
PID 2372 wrote to memory of 2448	2372	IMG______6122024.exe	28
PID 2372 wrote to memory of 2448	2372	IMG______6122024.exe	28
PID 2372 wrote to memory of 2448	2372	IMG______6122024.exe	28
PID 2448 wrote to memory of 2932	2448	name.exe	29
PID 2448 wrote to memory of 2932	2448	name.exe	29
PID 2448 wrote to memory of 2932	2448	name.exe	29
PID 2448 wrote to memory of 2932	2448	name.exe	29
PID 2448 wrote to memory of 2932	2448	name.exe	29
PID 1204 wrote to memory of 2224	1204	Explorer.EXE	30
PID 1204 wrote to memory of 2224	1204	Explorer.EXE	30
PID 1204 wrote to memory of 2224	1204	Explorer.EXE	30
PID 1204 wrote to memory of 2224	1204	Explorer.EXE	30

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Users\Admin\AppData\Local\Temp\IMG______6122024.exe
  "C:\Users\Admin\AppData\Local\Temp\IMG______6122024.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Users\Admin\AppData\Local\directory\name.exe
    "C:\Users\Admin\AppData\Local\Temp\IMG______6122024.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2448
  - - C:\Windows\SysWOW64\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\IMG______6122024.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      PID:2932
- C:\Windows\SysWOW64\sethc.exe
  "C:\Windows\SysWOW64\sethc.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2224

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Idonna

Filesize
265KB

MD5
1d7fa7c2aa0729662e056393d57cf3b2

SHA1
ef410b0a4c3e9cbaaacd822f71aa60408a5c3f66

SHA256
fdbd3343b512ed2ee6fc17a3ff6df37cac425408ef3e4e6b0dd3b70b6a79a774

SHA512
08101219d435aefa9c701f6f20c51275200760db9565dbd1f19cc98e8f409ea90ba439c2833469b70355b55c3e3f09cf7b681cf6a2f67b8494811512fc20f7bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Idonna

Filesize
265KB

MD5
e3076f64582a5b800e333ac8fe8debc5

SHA1
86819a57c25e258a4f64c1f942aad91ffd6ab0b8

SHA256
fc99d6a9f2d90d1e805b880bf0f326e82700f230f73b27a37720466fa2d178aa

SHA512
cf86f7975564db9db010d3bedc307c2b7950b1f04e96d7ee433b5ebc4028bb29eb93ffad5e1da50fdf44d29ce2813f7af8765a0ec20e9516f7a9da757d4e3825

Download Submit
\Users\Admin\AppData\Local\directory\name.exe

Filesize
1.2MB

MD5
7754fb5516eea45c40fc3b3f29e55cca

SHA1
00b7053d8554616b35d482fc98c43c6cb22e2328

SHA256
a5687583ab164c93400b8c1a4c4e500dbc800559cb0294558852bce1cb62e540

SHA512
88a1eda10932186fceeb7ac698d1987619c471ec74b052faf6db9e9259dcce06aa8fda52d212f1ffc6780172c63ecfe69dcabb5188e02c225330c7817b15b72c

Download Submit
memory/1204-38-0x0000000003B30000-0x0000000003C30000-memory.dmp

Filesize
1024KB

Download
memory/1204-49-0x0000000008F60000-0x000000000A6A8000-memory.dmp

Filesize
23.3MB

Download
memory/1204-48-0x0000000004E90000-0x0000000004F97000-memory.dmp

Filesize
1.0MB

Download
memory/1204-41-0x0000000008F60000-0x000000000A6A8000-memory.dmp

Filesize
23.3MB

Download
memory/2224-42-0x00000000000C0000-0x00000000000FF000-memory.dmp

Filesize
252KB

Download
memory/2224-43-0x00000000000C0000-0x00000000000FF000-memory.dmp

Filesize
252KB

Download
memory/2224-50-0x00000000000C0000-0x00000000000FF000-memory.dmp

Filesize
252KB

Download
memory/2224-46-0x00000000000C0000-0x00000000000FF000-memory.dmp

Filesize
252KB

Download
memory/2224-45-0x0000000001FE0000-0x00000000022E3000-memory.dmp

Filesize
3.0MB

Download
memory/2372-11-0x0000000000330000-0x0000000000463000-memory.dmp

Filesize
1.2MB

Download
memory/2372-17-0x0000000000330000-0x0000000000463000-memory.dmp

Filesize
1.2MB

Download
memory/2448-32-0x0000000000260000-0x0000000000264000-memory.dmp

Filesize
16KB

Download
memory/2932-34-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2932-36-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2932-40-0x0000000000160000-0x0000000000183000-memory.dmp

Filesize
140KB

Download
memory/2932-44-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2932-39-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2932-35-0x00000000008E0000-0x0000000000BE3000-memory.dmp

Filesize
3.0MB

Download
memory/2932-37-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing