0144a1460596b19ab4e667f76fdac6cacad536d11091d047d7f980ba90cf1829

General

Target

0144a1460596b19ab4e667f76fdac6cacad536d11091d047d7f980ba90cf1829.exe
Size

906KB
MD5

3f5aba024213bd15cb35f8e9bdce1916
SHA1

81d1a0fd4ca6c2eb146f7bb36024395018e59ad9
SHA256

0144a1460596b19ab4e667f76fdac6cacad536d11091d047d7f980ba90cf1829
SHA512

97e09c0ac0ea17641e745c41a3d2761f94218c3d8b2311b44179e50ff69c028d9fb08d91ac6e652aba3bee80af0a2a9ef2e52da154cb293f0eab50968ac0959d
SSDEEP

12288:xgfe07KFML7iLMucoUe7dG1lFlWcYT70pxnnaaoaw/7ueuRAHrZNrI0AilFEvxHG:WtY4MROxnFX9ErZlI0AilFEvxHijAc

Score

6^/10

Malware Config

Signatures

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	0144a1460596b19ab4e667f76fdac6cacad536d11091d047d7f980ba90cf1829.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	0144a1460596b19ab4e667f76fdac6cacad536d11091d047d7f980ba90cf1829.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	0144a1460596b19ab4e667f76fdac6cacad536d11091d047d7f980ba90cf1829.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	0144a1460596b19ab4e667f76fdac6cacad536d11091d047d7f980ba90cf1829.exe
File opened for modification	C:\Windows\assembly	0144a1460596b19ab4e667f76fdac6cacad536d11091d047d7f980ba90cf1829.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4744 wrote to memory of 4808	4744	0144a1460596b19ab4e667f76fdac6cacad536d11091d047d7f980ba90cf1829.exe	88
PID 4744 wrote to memory of 4808	4744	0144a1460596b19ab4e667f76fdac6cacad536d11091d047d7f980ba90cf1829.exe	88
PID 4808 wrote to memory of 2052	4808	csc.exe	90
PID 4808 wrote to memory of 2052	4808	csc.exe	90

C:\Users\Admin\AppData\Local\Temp\0144a1460596b19ab4e667f76fdac6cacad536d11091d047d7f980ba90cf1829.exe
"C:\Users\Admin\AppData\Local\Temp\0144a1460596b19ab4e667f76fdac6cacad536d11091d047d7f980ba90cf1829.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4744
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tkfchpj0.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4808
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES920F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC920E.tmp"
    3⤵
    PID:2052

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES920F.tmp

Filesize
1KB

MD5
bf81db399ac6a81173087d96ae2e58cb

SHA1
010ab40b9ec28fb3b88bdfb6c15da42229ffeb0b

SHA256
3693e55d5c6b84acac516a3b82504f8b6e8f66ce94eba55553629508f37cd86e

SHA512
fee6f1ebb467eb53c88bba26102a2b29ac22fa9e149d076fa0f461de64e8e1f0dd9cacf7d69812a1194da85aa9b323b455080ef044d0b5f3409c956b27ade791

Download Submit
C:\Users\Admin\AppData\Local\Temp\tkfchpj0.dll

Filesize
76KB

MD5
991255b91d43a8c0cb002a44ba6d21bc

SHA1
a4fe946bbeb2949938534118f5fb312f03dc909c

SHA256
3ef98a091e32c87e454c0c3f753b725fcf762d81684df79cc49c0c494b92d3a7

SHA512
c4444e2ac2dcd20f29321a79feb9a46f591027f19eda1e9088fa53607390d28a1e26ef750137122783527318d711f3b67165d7eaa9031cca53de247b803628d4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC920E.tmp

Filesize
676B

MD5
15045dac2ef61ae38fdc9feccde905d3

SHA1
88ab5f7e69566bd0d0004a2554983773816fd9ee

SHA256
a7114261878582d258787f1b2c53e3b80317540498f7a15fa6911c6018e224fe

SHA512
1d83ecc5610ca496a1385e09eecc2a6a18a3cc2bc266a364a5c098710da0e98374f161f2499f219edec74fc5108ef77d01a75cc9212d96f366eab5c35c4afcef

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tkfchpj0.0.cs

Filesize
208KB

MD5
f4347f0b02f29d8f1312d89b88cd031a

SHA1
2972b1b99fa84302ff33cdb00b8eaa4a0be11568

SHA256
fe782de7024de452ad64dfda4d701a6b127cba9cccc6f3cbd41b7367787d67da

SHA512
6cb92e29b8c0b89bff7c95dee1b0ad58711ca48b2ace7511533818b7f2aed587da7b2cf476763e38567df6e292e345f42b4a6469efc26d551a212a6d4d7a137d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tkfchpj0.cmdline

Filesize
349B

MD5
b0b2dce3e6fc3cfb5fedc90312a84cc3

SHA1
8504b46a3ae31377219427a2b079f2cb3f7dac0a

SHA256
57bacc02472d5cc984ded622baea9837f90d42404aacda38bd6fd12544eb0be2

SHA512
acbc6bd60ba9b81ab98f382505420f124c10986e8692d820ee20c1b361a324df50e68d8a57cba4ae428add212265ec70c2e0a7e2626dcd1215ac7d2ee319aaea

Download Submit
memory/4744-7-0x00007FF81BE80000-0x00007FF81C821000-memory.dmp

Filesize
9.6MB

Download
memory/4744-25-0x000000001B480000-0x000000001B492000-memory.dmp

Filesize
72KB

Download
memory/4744-0-0x00007FF81C135000-0x00007FF81C136000-memory.dmp

Filesize
4KB

Download
memory/4744-6-0x000000001BBF0000-0x000000001C0BE000-memory.dmp

Filesize
4.8MB

Download
memory/4744-5-0x000000001B710000-0x000000001B71E000-memory.dmp

Filesize
56KB

Download
memory/4744-2-0x000000001B520000-0x000000001B57C000-memory.dmp

Filesize
368KB

Download
memory/4744-30-0x00007FF81BE80000-0x00007FF81C821000-memory.dmp

Filesize
9.6MB

Download
memory/4744-29-0x00007FF81C135000-0x00007FF81C136000-memory.dmp

Filesize
4KB

Download
memory/4744-23-0x000000001C820000-0x000000001C836000-memory.dmp

Filesize
88KB

Download
memory/4744-1-0x00007FF81BE80000-0x00007FF81C821000-memory.dmp

Filesize
9.6MB

Download
memory/4744-8-0x000000001C160000-0x000000001C1FC000-memory.dmp

Filesize
624KB

Download
memory/4744-26-0x000000001B3F0000-0x000000001B3F8000-memory.dmp

Filesize
32KB

Download
memory/4744-27-0x000000001B3E0000-0x000000001B3E8000-memory.dmp

Filesize
32KB

Download
memory/4744-28-0x00007FF81BE80000-0x00007FF81C821000-memory.dmp

Filesize
9.6MB

Download
memory/4808-21-0x00007FF81BE80000-0x00007FF81C821000-memory.dmp

Filesize
9.6MB

Download
memory/4808-20-0x00007FF81BE80000-0x00007FF81C821000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads