b7ddecbab111eeb2db8176f649a3a305fa8979b27fe9f5407b585cf1953ffa95

General

Target

b7ddecbab111eeb2db8176f649a3a305fa8979b27fe9f5407b585cf1953ffa95.exe
Size

910KB
MD5

5156c02ba456505eb44557a77869bfe3
SHA1

02191371b5aaf6cebe08299c0860c44aed0cfbbc
SHA256

b7ddecbab111eeb2db8176f649a3a305fa8979b27fe9f5407b585cf1953ffa95
SHA512

8be628a58be0a5bbacdf4a829718b8b4f11f902b1f2363d382525f078a6ef4214f859f4a470a12901a7e441fac6420bf2f79411a8d74fac9a62e5c011ab060ac
SSDEEP

12288:FLshHIzFBmqvjdFB7dG1lFlWcYT70pxnnaaoawuSIh4BBpGQrZNrI0AilFEvxHv7:Xrv4MROxnFf/i1rZlI0AilFEvxHiooY

Score

6^/10

Malware Config

Signatures

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	b7ddecbab111eeb2db8176f649a3a305fa8979b27fe9f5407b585cf1953ffa95.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	b7ddecbab111eeb2db8176f649a3a305fa8979b27fe9f5407b585cf1953ffa95.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	b7ddecbab111eeb2db8176f649a3a305fa8979b27fe9f5407b585cf1953ffa95.exe
File created	C:\Windows\assembly\Desktop.ini	b7ddecbab111eeb2db8176f649a3a305fa8979b27fe9f5407b585cf1953ffa95.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	b7ddecbab111eeb2db8176f649a3a305fa8979b27fe9f5407b585cf1953ffa95.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1132 wrote to memory of 2820	1132	b7ddecbab111eeb2db8176f649a3a305fa8979b27fe9f5407b585cf1953ffa95.exe	85
PID 1132 wrote to memory of 2820	1132	b7ddecbab111eeb2db8176f649a3a305fa8979b27fe9f5407b585cf1953ffa95.exe	85
PID 2820 wrote to memory of 3140	2820	csc.exe	87
PID 2820 wrote to memory of 3140	2820	csc.exe	87

C:\Users\Admin\AppData\Local\Temp\b7ddecbab111eeb2db8176f649a3a305fa8979b27fe9f5407b585cf1953ffa95.exe
"C:\Users\Admin\AppData\Local\Temp\b7ddecbab111eeb2db8176f649a3a305fa8979b27fe9f5407b585cf1953ffa95.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1132
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5-ndhbaf.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES16EF.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC16EE.tmp"
    3⤵
    PID:3140

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5-ndhbaf.dll

Filesize
76KB

MD5
06412e5a63688701822df971df30efe6

SHA1
19da4d932b307af8c277124a5fca6c16412d3a56

SHA256
89cf0b6e29b8948acc074628de7c709ae48cec50c930212aa6fa338728fd38f9

SHA512
74174d50df946e2e6fb037c0dd2cb9234ab029392e525c952fe799af3c713eec9d8432cc6ecd9e34ef78d483f4e11cb58cba1a695de24ac039c9e50815fcd9ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES16EF.tmp

Filesize
1KB

MD5
7e42e2a3c2092f3fd8c3ce0fbe85d4e0

SHA1
531a0f6c3dd3e57a9b44782a498b3ee06c38c15b

SHA256
4818208d3ab8b22dbbeac61d8951674015fcb80a0fe6f2ff776341dcc1cc84ea

SHA512
f8a52ff9ca6c06191c66611d5a216e37e806a50246727694ab500cc422cbbf08e4ce743a792bd0fc8861ddc32a66eb66a8984a28431d112fc04469058e46b900

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5-ndhbaf.0.cs

Filesize
208KB

MD5
953b9e5b6eb59c5e0a05534b1ee9223c

SHA1
54b8b55c9ce1c1a5b91d54eb61e8c93d4b8e2a9b

SHA256
8a64d989077798076db3f3e7a79cc895b494615012e2e5250dd9acc50707f4a3

SHA512
e7d3b9cc419f65228473a1e9ff3a6ce04ae9f6f1dc0b74f852f1c7bb5436a6e8fc05d4d7cfc38d880a9a40aa5ec1db5e9d847295ddbcada9bd9643a94953257a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5-ndhbaf.cmdline

Filesize
349B

MD5
77add284137d2d7f58a9d3733dedae5f

SHA1
6dad8791050b39a1b3a86257798bd8e25f451b99

SHA256
03d240dc5ca652cdbf874ccc167c4fb980c04031125d4ca96f07445059466e57

SHA512
f8d357d480644b498c78eab9fc2874a44eb0206085437d9222cc3787d1898b22da54ec496a00897b8df5816f6f9338c25fea22c06b08853ebe92b472d7ebc470

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC16EE.tmp

Filesize
676B

MD5
c1cd482b9a0b49f96459a928a0d836c6

SHA1
09b96481c56c28d988e975602767214f7ba0222c

SHA256
b5d05d2c26048058b4e046909067ac93de106af20c1d1977a2a3b188919fadbc

SHA512
ae257baf31b4274cdb1ef65e879277a022d81cb824d846276efb56f115b792b696e5c3590ac982ace67ea62f5bc5d79856cf38ce65e4b60e34d78f430af5f3e7

Download Submit
memory/1132-25-0x0000000001160000-0x0000000001172000-memory.dmp

Filesize
72KB

Download
memory/1132-0-0x00007FF8FAEA5000-0x00007FF8FAEA6000-memory.dmp

Filesize
4KB

Download
memory/1132-7-0x000000001C580000-0x000000001C61C000-memory.dmp

Filesize
624KB

Download
memory/1132-6-0x000000001C010000-0x000000001C4DE000-memory.dmp

Filesize
4.8MB

Download
memory/1132-5-0x000000001BB30000-0x000000001BB3E000-memory.dmp

Filesize
56KB

Download
memory/1132-30-0x00007FF8FAEA5000-0x00007FF8FAEA6000-memory.dmp

Filesize
4KB

Download
memory/1132-2-0x000000001B940000-0x000000001B99C000-memory.dmp

Filesize
368KB

Download
memory/1132-29-0x00007FF8FABF0000-0x00007FF8FB591000-memory.dmp

Filesize
9.6MB

Download
memory/1132-23-0x000000001CC40000-0x000000001CC56000-memory.dmp

Filesize
88KB

Download
memory/1132-1-0x00007FF8FABF0000-0x00007FF8FB591000-memory.dmp

Filesize
9.6MB

Download
memory/1132-8-0x00007FF8FABF0000-0x00007FF8FB591000-memory.dmp

Filesize
9.6MB

Download
memory/1132-26-0x0000000001140000-0x0000000001148000-memory.dmp

Filesize
32KB

Download
memory/1132-27-0x0000000001130000-0x0000000001138000-memory.dmp

Filesize
32KB

Download
memory/1132-28-0x00007FF8FABF0000-0x00007FF8FB591000-memory.dmp

Filesize
9.6MB

Download
memory/2820-21-0x00007FF8FABF0000-0x00007FF8FB591000-memory.dmp

Filesize
9.6MB

Download
memory/2820-19-0x00007FF8FABF0000-0x00007FF8FB591000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads