a0696896c6b3f84b2d710b79ead538740b4ff55169a18699e96713418d8e3625

General

Target

f310dd81d3c2274dc41b3799af4957d9c84cd614a0917d80f197e84a2bd8753d.exe
Size

1.2MB
MD5

9555aa1cba77c0332e4bcf39ea18a930
SHA1

0679fa343ecb23b46d69f5f4f61002889e7ca0c4
SHA256

a0696896c6b3f84b2d710b79ead538740b4ff55169a18699e96713418d8e3625
SHA512

8729ccb561044645799d4ae4f412a2b096ea8934c0b3b3cbed215385fb8f9437bad6c334e70ddbbde05047ac30781dd3a8eb98f4f540404c8591d94da48d4aa7
SSDEEP

24576:xAHnh+eWsN3skA4RV1Hom2KXcmtcVaeJNFDie74NNdg9tj5:Ih+ZkldoPKsacVtDiY4Nzg9X

Score

5^/10

Malware Config

Signatures

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2296-0-0x0000000000880000-0x00000000009B0000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2296 set thread context of 2820	2296	f310dd81d3c2274dc41b3799af4957d9c84cd614a0917d80f197e84a2bd8753d.exe	28
PID 2820 set thread context of 1200	2820	svchost.exe	21
PID 2820 set thread context of 2740	2820	svchost.exe	29
PID 2740 set thread context of 1200	2740	setupugc.exe	21

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
2820	svchost.exe
2820	svchost.exe
2820	svchost.exe
2820	svchost.exe
2820	svchost.exe
2820	svchost.exe
2820	svchost.exe
2820	svchost.exe
2740	setupugc.exe
2740	setupugc.exe
2740	setupugc.exe
2740	setupugc.exe
2740	setupugc.exe
2740	setupugc.exe
2740	setupugc.exe
2740	setupugc.exe
2740	setupugc.exe
2740	setupugc.exe
2740	setupugc.exe
2740	setupugc.exe
2740	setupugc.exe
2740	setupugc.exe
2740	setupugc.exe
2740	setupugc.exe
2740	setupugc.exe
2740	setupugc.exe
2740	setupugc.exe
2740	setupugc.exe
2740	setupugc.exe
2740	setupugc.exe
2740	setupugc.exe
2740	setupugc.exe
2740	setupugc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1200	Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
2296	f310dd81d3c2274dc41b3799af4957d9c84cd614a0917d80f197e84a2bd8753d.exe
2820	svchost.exe
1200	Explorer.EXE
1200	Explorer.EXE
2740	setupugc.exe
2740	setupugc.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2296	f310dd81d3c2274dc41b3799af4957d9c84cd614a0917d80f197e84a2bd8753d.exe
2296	f310dd81d3c2274dc41b3799af4957d9c84cd614a0917d80f197e84a2bd8753d.exe
1200	Explorer.EXE
1200	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2296	f310dd81d3c2274dc41b3799af4957d9c84cd614a0917d80f197e84a2bd8753d.exe
2296	f310dd81d3c2274dc41b3799af4957d9c84cd614a0917d80f197e84a2bd8753d.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 2820	2296	f310dd81d3c2274dc41b3799af4957d9c84cd614a0917d80f197e84a2bd8753d.exe	28
PID 2296 wrote to memory of 2820	2296	f310dd81d3c2274dc41b3799af4957d9c84cd614a0917d80f197e84a2bd8753d.exe	28
PID 2296 wrote to memory of 2820	2296	f310dd81d3c2274dc41b3799af4957d9c84cd614a0917d80f197e84a2bd8753d.exe	28
PID 2296 wrote to memory of 2820	2296	f310dd81d3c2274dc41b3799af4957d9c84cd614a0917d80f197e84a2bd8753d.exe	28
PID 2296 wrote to memory of 2820	2296	f310dd81d3c2274dc41b3799af4957d9c84cd614a0917d80f197e84a2bd8753d.exe	28
PID 1200 wrote to memory of 2740	1200	Explorer.EXE	29
PID 1200 wrote to memory of 2740	1200	Explorer.EXE	29
PID 1200 wrote to memory of 2740	1200	Explorer.EXE	29
PID 1200 wrote to memory of 2740	1200	Explorer.EXE	29
PID 1200 wrote to memory of 2740	1200	Explorer.EXE	29
PID 1200 wrote to memory of 2740	1200	Explorer.EXE	29
PID 1200 wrote to memory of 2740	1200	Explorer.EXE	29

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1200
- C:\Users\Admin\AppData\Local\Temp\f310dd81d3c2274dc41b3799af4957d9c84cd614a0917d80f197e84a2bd8753d.exe
  "C:\Users\Admin\AppData\Local\Temp\f310dd81d3c2274dc41b3799af4957d9c84cd614a0917d80f197e84a2bd8753d.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\f310dd81d3c2274dc41b3799af4957d9c84cd614a0917d80f197e84a2bd8753d.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:2820
- C:\Windows\SysWOW64\setupugc.exe
  "C:\Windows\SysWOW64\setupugc.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2740

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\zZt

Filesize
267KB

MD5
c1c78127a9ec11cc46379a5e6d35e398

SHA1
7635a64b44e9a2764024992628449c1b1acf0e62

SHA256
6b24876b6737a1347c0e46c948e14d65f69f42fe90d303353f2dc68a28b6b031

SHA512
2cdea68d9f8c6be369f3a1f3c028989ac604bd95f4b58422dbfff128d13c2832b5395cc3026b4fb0535df7d95684bc9d14e637b705827f856cc7bbc6b8f479d3

Download Submit
memory/1200-20-0x0000000008E30000-0x000000000BC40000-memory.dmp

Filesize
46.1MB

Download
memory/1200-33-0x0000000004C60000-0x0000000004D2B000-memory.dmp

Filesize
812KB

Download
memory/1200-30-0x0000000008E30000-0x000000000BC40000-memory.dmp

Filesize
46.1MB

Download
memory/1200-29-0x0000000004C60000-0x0000000004D2B000-memory.dmp

Filesize
812KB

Download
memory/1200-28-0x0000000000010000-0x0000000000020000-memory.dmp

Filesize
64KB

Download
memory/1200-17-0x0000000003050000-0x0000000003150000-memory.dmp

Filesize
1024KB

Download
memory/2296-12-0x0000000000120000-0x0000000000124000-memory.dmp

Filesize
16KB

Download
memory/2296-0-0x0000000000880000-0x00000000009B0000-memory.dmp

Filesize
1.2MB

Download
memory/2740-22-0x00000000000D0000-0x0000000000110000-memory.dmp

Filesize
256KB

Download
memory/2740-26-0x00000000000D0000-0x0000000000110000-memory.dmp

Filesize
256KB

Download
memory/2740-21-0x00000000000D0000-0x0000000000110000-memory.dmp

Filesize
256KB

Download
memory/2740-32-0x00000000008F0000-0x000000000098F000-memory.dmp

Filesize
636KB

Download
memory/2740-31-0x00000000000D0000-0x0000000000110000-memory.dmp

Filesize
256KB

Download
memory/2740-27-0x00000000008F0000-0x000000000098F000-memory.dmp

Filesize
636KB

Download
memory/2740-25-0x00000000022E0000-0x00000000025E3000-memory.dmp

Filesize
3.0MB

Download
memory/2820-23-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2820-24-0x00000000001B0000-0x00000000001D0000-memory.dmp

Filesize
128KB

Download
memory/2820-16-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2820-15-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2820-14-0x0000000000900000-0x0000000000C03000-memory.dmp

Filesize
3.0MB

Download
memory/2820-18-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2820-19-0x00000000001B0000-0x00000000001D0000-memory.dmp

Filesize
128KB

Download
memory/2820-13-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing