4b0097a52abd8d9ba97a33d29154f929af53f2e33d7d5fcfee7e6f48b4f37d1d

General

Target

4b0097a52abd8d9ba97a33d29154f929af53f2e33d7d5fcfee7e6f48b4f37d1d.exe
Size

1.2MB
MD5

082edd9de95d89234c4ce966cb8ef0c2
SHA1

5339fd0536ff85f1178fcd8950fd2276abdc9f58
SHA256

4b0097a52abd8d9ba97a33d29154f929af53f2e33d7d5fcfee7e6f48b4f37d1d
SHA512

0bfba822048216930bc18df3f2b884d57792cf2363187872bc907188a389823262f425930fc54392cba49bdc001357d2171d1d67cce9dbf409b94ecbda2d83b5
SSDEEP

24576:LAHnh+eWsN3skA4RV1Hom2KXMmHaMB9RIG2Sedjj9TNrTIxpn6VLbs5:mh+ZkldoPK8YaMj2Zjj9JrTip/

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1636 set thread context of 2348	1636	4b0097a52abd8d9ba97a33d29154f929af53f2e33d7d5fcfee7e6f48b4f37d1d.exe	28
PID 2348 set thread context of 1208	2348	svchost.exe	21
PID 2348 set thread context of 2084	2348	svchost.exe	29
PID 2084 set thread context of 1208	2084	RMActivate_ssp.exe	21

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
2348	svchost.exe
2348	svchost.exe
2348	svchost.exe
2348	svchost.exe
2348	svchost.exe
2348	svchost.exe
2348	svchost.exe
2348	svchost.exe
2084	RMActivate_ssp.exe
2084	RMActivate_ssp.exe
2084	RMActivate_ssp.exe
2084	RMActivate_ssp.exe
2084	RMActivate_ssp.exe
2084	RMActivate_ssp.exe
2084	RMActivate_ssp.exe
2084	RMActivate_ssp.exe
2084	RMActivate_ssp.exe
2084	RMActivate_ssp.exe
2084	RMActivate_ssp.exe
2084	RMActivate_ssp.exe
2084	RMActivate_ssp.exe
2084	RMActivate_ssp.exe
2084	RMActivate_ssp.exe
2084	RMActivate_ssp.exe
2084	RMActivate_ssp.exe
2084	RMActivate_ssp.exe
2084	RMActivate_ssp.exe
2084	RMActivate_ssp.exe
2084	RMActivate_ssp.exe
2084	RMActivate_ssp.exe
2084	RMActivate_ssp.exe
2084	RMActivate_ssp.exe
2084	RMActivate_ssp.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
1636	4b0097a52abd8d9ba97a33d29154f929af53f2e33d7d5fcfee7e6f48b4f37d1d.exe
2348	svchost.exe
1208	Explorer.EXE
1208	Explorer.EXE
2084	RMActivate_ssp.exe
2084	RMActivate_ssp.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1636	4b0097a52abd8d9ba97a33d29154f929af53f2e33d7d5fcfee7e6f48b4f37d1d.exe
1636	4b0097a52abd8d9ba97a33d29154f929af53f2e33d7d5fcfee7e6f48b4f37d1d.exe
1208	Explorer.EXE
1208	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1636	4b0097a52abd8d9ba97a33d29154f929af53f2e33d7d5fcfee7e6f48b4f37d1d.exe
1636	4b0097a52abd8d9ba97a33d29154f929af53f2e33d7d5fcfee7e6f48b4f37d1d.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1636 wrote to memory of 2348	1636	4b0097a52abd8d9ba97a33d29154f929af53f2e33d7d5fcfee7e6f48b4f37d1d.exe	28
PID 1636 wrote to memory of 2348	1636	4b0097a52abd8d9ba97a33d29154f929af53f2e33d7d5fcfee7e6f48b4f37d1d.exe	28
PID 1636 wrote to memory of 2348	1636	4b0097a52abd8d9ba97a33d29154f929af53f2e33d7d5fcfee7e6f48b4f37d1d.exe	28
PID 1636 wrote to memory of 2348	1636	4b0097a52abd8d9ba97a33d29154f929af53f2e33d7d5fcfee7e6f48b4f37d1d.exe	28
PID 1636 wrote to memory of 2348	1636	4b0097a52abd8d9ba97a33d29154f929af53f2e33d7d5fcfee7e6f48b4f37d1d.exe	28
PID 1208 wrote to memory of 2084	1208	Explorer.EXE	29
PID 1208 wrote to memory of 2084	1208	Explorer.EXE	29
PID 1208 wrote to memory of 2084	1208	Explorer.EXE	29
PID 1208 wrote to memory of 2084	1208	Explorer.EXE	29

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1208
- C:\Users\Admin\AppData\Local\Temp\4b0097a52abd8d9ba97a33d29154f929af53f2e33d7d5fcfee7e6f48b4f37d1d.exe
  "C:\Users\Admin\AppData\Local\Temp\4b0097a52abd8d9ba97a33d29154f929af53f2e33d7d5fcfee7e6f48b4f37d1d.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1636
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\4b0097a52abd8d9ba97a33d29154f929af53f2e33d7d5fcfee7e6f48b4f37d1d.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:2348
- C:\Windows\SysWOW64\RMActivate_ssp.exe
  "C:\Windows\SysWOW64\RMActivate_ssp.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2084

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\obtenebrate

Filesize
264KB

MD5
05476c0f1ed922162a95f535149af08e

SHA1
61201270401ecb086a9b06b360a945d0add7673b

SHA256
eab6f186c0144c36824663e2974355254073119cd253ec623ec050c08bb2b8f7

SHA512
227bb36b5523d520c0bbab82b241517905325ee391acaa4b7e59af02a7209c729a315b658a216ab1afadedb5a4629a0b3e5f4f0d693f6b0127cba0e9cb9a0913

Download Submit
memory/1208-19-0x0000000008FD0000-0x000000000B1F6000-memory.dmp

Filesize
34.1MB

Download
memory/1208-30-0x0000000005010000-0x00000000050E3000-memory.dmp

Filesize
844KB

Download
memory/1208-28-0x0000000008FD0000-0x000000000B1F6000-memory.dmp

Filesize
34.1MB

Download
memory/1208-27-0x0000000005010000-0x00000000050E3000-memory.dmp

Filesize
844KB

Download
memory/1208-26-0x0000000005010000-0x00000000050E3000-memory.dmp

Filesize
844KB

Download
memory/1208-16-0x0000000003BC0000-0x0000000003CC0000-memory.dmp

Filesize
1024KB

Download
memory/1636-11-0x0000000000560000-0x0000000000564000-memory.dmp

Filesize
16KB

Download
memory/2084-25-0x0000000001E00000-0x0000000001E9C000-memory.dmp

Filesize
624KB

Download
memory/2084-20-0x0000000000080000-0x00000000000BF000-memory.dmp

Filesize
252KB

Download
memory/2084-21-0x0000000000080000-0x00000000000BF000-memory.dmp

Filesize
252KB

Download
memory/2084-23-0x0000000001FC0000-0x00000000022C3000-memory.dmp

Filesize
3.0MB

Download
memory/2084-24-0x0000000000080000-0x00000000000BF000-memory.dmp

Filesize
252KB

Download
memory/2084-29-0x0000000000080000-0x00000000000BF000-memory.dmp

Filesize
252KB

Download
memory/2348-17-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2348-22-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2348-18-0x00000000001B0000-0x00000000001CD000-memory.dmp

Filesize
116KB

Download
memory/2348-15-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2348-14-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2348-13-0x0000000000720000-0x0000000000A23000-memory.dmp

Filesize
3.0MB

Download
memory/2348-12-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing