d7098d7ed2c1b71a5e034e7dc723aa3d9a9caca9380bb36105fc1a8fcd2b8f68

General

Target

6f7ea846d25d22ff2e5ca254b8179800N.exe
Size

184KB
MD5

6f7ea846d25d22ff2e5ca254b8179800
SHA1

7908cc4fceccb18b479329abaa17402088476cf0
SHA256

d7098d7ed2c1b71a5e034e7dc723aa3d9a9caca9380bb36105fc1a8fcd2b8f68
SHA512

a72d030c0db43e9eba5c22ed7d5663f4d60f7ae40f14a5af2c1749dd874d05e8cfd691a335a5f8386940c507aac3beaafadbb9c28b007004ef5002e85443dac6
SSDEEP

3072:5JUv6jonblxNdiDZhiT8sqWZlvnqCxiup:5JJorbiDw8DWZlPqCxiu

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 8 IoCs

pid	Process
4216	Unicorn-3534.exe
3520	Unicorn-5283.exe
1032	Unicorn-63332.exe
4388	Unicorn-55844.exe
5016	Unicorn-49892.exe
3672	Unicorn-54692.exe
1360	Unicorn-47204.exe
2080	Unicorn-6947.exe

Program crash 9 IoCs

pid	pid_target	Process	procid_target
1428	3192	WerFault.exe	83
3792	4216	WerFault.exe	87
2584	3520	WerFault.exe	95
1908	1032	WerFault.exe	99
1464	4388	WerFault.exe	103
836	5016	WerFault.exe	107
1336	3672	WerFault.exe	110
4144	2080	WerFault.exe	116
4548	1360	WerFault.exe	113

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
3192	6f7ea846d25d22ff2e5ca254b8179800N.exe
4216	Unicorn-3534.exe
3520	Unicorn-5283.exe
1032	Unicorn-63332.exe
4388	Unicorn-55844.exe
5016	Unicorn-49892.exe
3672	Unicorn-54692.exe
1360	Unicorn-47204.exe
2080	Unicorn-6947.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3192 wrote to memory of 4216	3192	6f7ea846d25d22ff2e5ca254b8179800N.exe	87
PID 3192 wrote to memory of 4216	3192	6f7ea846d25d22ff2e5ca254b8179800N.exe	87
PID 3192 wrote to memory of 4216	3192	6f7ea846d25d22ff2e5ca254b8179800N.exe	87
PID 4216 wrote to memory of 3520	4216	Unicorn-3534.exe	95
PID 4216 wrote to memory of 3520	4216	Unicorn-3534.exe	95
PID 4216 wrote to memory of 3520	4216	Unicorn-3534.exe	95
PID 3520 wrote to memory of 1032	3520	Unicorn-5283.exe	99
PID 3520 wrote to memory of 1032	3520	Unicorn-5283.exe	99
PID 3520 wrote to memory of 1032	3520	Unicorn-5283.exe	99
PID 1032 wrote to memory of 4388	1032	Unicorn-63332.exe	103
PID 1032 wrote to memory of 4388	1032	Unicorn-63332.exe	103
PID 1032 wrote to memory of 4388	1032	Unicorn-63332.exe	103
PID 4388 wrote to memory of 5016	4388	Unicorn-55844.exe	107
PID 4388 wrote to memory of 5016	4388	Unicorn-55844.exe	107
PID 4388 wrote to memory of 5016	4388	Unicorn-55844.exe	107
PID 5016 wrote to memory of 3672	5016	Unicorn-49892.exe	110
PID 5016 wrote to memory of 3672	5016	Unicorn-49892.exe	110
PID 5016 wrote to memory of 3672	5016	Unicorn-49892.exe	110
PID 3672 wrote to memory of 1360	3672	Unicorn-54692.exe	113
PID 3672 wrote to memory of 1360	3672	Unicorn-54692.exe	113
PID 3672 wrote to memory of 1360	3672	Unicorn-54692.exe	113
PID 1360 wrote to memory of 2080	1360	Unicorn-47204.exe	116
PID 1360 wrote to memory of 2080	1360	Unicorn-47204.exe	116
PID 1360 wrote to memory of 2080	1360	Unicorn-47204.exe	116

C:\Users\Admin\AppData\Local\Temp\6f7ea846d25d22ff2e5ca254b8179800N.exe
"C:\Users\Admin\AppData\Local\Temp\6f7ea846d25d22ff2e5ca254b8179800N.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3192
- C:\Users\Admin\AppData\Local\Temp\Unicorn-3534.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-3534.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4216
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-5283.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-5283.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3520
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-63332.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-63332.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1032
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-55844.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-55844.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4388
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-49892.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-49892.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-54692.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-54692.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3672
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-47204.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-47204.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6947.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-6947.exe
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2080
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 492
        10⤵
        Program crash
        
        PID:4144
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 744
        9⤵
        Program crash
        
        PID:4548
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3672 -s 724
        8⤵
        Program crash
        
        PID:1336
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 724
        7⤵
        Program crash
        
        PID:836
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 724
        6⤵
        Program crash
        
        PID:1464
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1032 -s 724
        5⤵
        Program crash
        
        PID:1908
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3520 -s 724
      4⤵
      Program crash
      PID:2584
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4216 -s 744
    3⤵
    - Program crash
    PID:3792
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 744
  2⤵
  - Program crash
  PID:1428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3192 -ip 3192
1⤵
PID:2144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4216 -ip 4216
1⤵
PID:3816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3520 -ip 3520
1⤵
PID:3688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1032 -ip 1032
1⤵
PID:4880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4388 -ip 4388
1⤵
PID:1692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 5016 -ip 5016
1⤵
PID:1052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3672 -ip 3672
1⤵
PID:2096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2080 -ip 2080
1⤵
PID:5012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1360 -ip 1360
1⤵
PID:4320

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Unicorn-3534.exe

Filesize
184KB

MD5
a7b92a02c0284061d16062cbcc9b29a0

SHA1
389d589a8ff52cc2a32b16cd8cc391d58e22ad59

SHA256
7393d50dabb730b26a471aa8ba3dbbb0d7cba93c5a9c1028387f731a7c44850d

SHA512
cb274440b3f2542054daf7489fef61d435cd6923ac54ace411996041c1bb48d0673b7316afd568fd76795bf8d9aac05d59495664396a5916f451077019335bae

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-47204.exe

Filesize
184KB

MD5
03e6519e3effdcb5d8ce9573e2eff5d6

SHA1
c84b70b1a463524e4b175345fb9de63556c64de2

SHA256
91b113708c163dce1fe7dfd7895950607779ea6f50cdcb48d237eb014a157c86

SHA512
588827edca5d447d7f94100568f766e0ff1512011ea5de0c8f7c7fbf597e88e96402a9e457a568ab2bd4ecbbd87602ed39913ab14b18a1e6631af4c1e5fdbe07

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-49892.exe

Filesize
184KB

MD5
1ecbdc448d00ce2db08d39678b28851f

SHA1
965de021be12c1977f57b0a72d6de27ff4d3b48d

SHA256
1967dae6428f4ccce94aa7f96400d69249431990d8f8859c988d1bbf128f178b

SHA512
ac85e4124838de781adc8359a1301116898776c9ee70ca7d17de0f3bab6c3aafbc3ab6f999a802c7c25fde58c301aea008bafd300d20d69634a81b0f11e37202

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-5283.exe

Filesize
184KB

MD5
0dc3620b48db64ddd878f5fa4b106fea

SHA1
054d5e483154fba6229a8912fe40aa992bed81d0

SHA256
efdb3331443e63e50b5aa369de1c2d77735ca2cc86ad2b66b6204293f6856c54

SHA512
a95f87b0fb4a623273ba06231aa711b86a18e71cb598ff5e9c0699b9eff78bf5f6075959a9013057f61b4a3287a22e38f87ccfa6ff8f5fc9cd77fd55c21bdfb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-54692.exe

Filesize
184KB

MD5
53509d63b67d278fb9755e217c864914

SHA1
9688bb07962a787857d9857d11d1a741af0b482b

SHA256
e40dc53e2e3f2f8773eea489c58dbedbc48515f97f336c48bfa00635b75510ef

SHA512
6c55556464cf67aee29d156f311d7b1347062fa4df2feb7edc2b2ece5491e50e5c33c266e97d09888f83123fdf3c6687b119e90f82ca92718153c64f26f0ec50

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-55844.exe

Filesize
184KB

MD5
c83038ca6bd6ebf4d5e9b6e898575dd9

SHA1
c2277f53d8c75abe3e3730a97c50e7056267e0d7

SHA256
d496c9ca826eb9a16ede232be619e800211e557e2aaf2452dbfe80ba689f0757

SHA512
cb6bf148af1348cae66c5bd9e8788adb3b06e8144b38994b7260d8ee5066bc204aa63bea458c2baeef9156e300cf362c5a797fc939bb0c54fb9de909d8fa8f7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-63332.exe

Filesize
184KB

MD5
ce0315495781f581a0e534ef99ede5d2

SHA1
3bbef625809836ce46869bfab139ef0ce5318dc4

SHA256
3b1a81ceca4674d26e36b276454297b903f35dc5f46c68af78b08b7313c28e01

SHA512
cc924ac5ee8b2843980b1957dfc2a0ef969b3fd1510e6bd9c42d10394a7885baa2b1dad9d3e057461d85b74f281a5b91b6b0aecd44a2f5ada1b3f9e8ed455ff1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unicorn-6947.exe

Filesize
184KB

MD5
b2909dc261b727405dc7150eab3d3235

SHA1
b11d52f8e5474905d526b170bb8d647de58dd658

SHA256
361a28fdd62926aeb32f00e0cec4de75c036dbdfb140da216987d66651ca9a82

SHA512
a6ad6b122d6ac86b0ae41878adba8c2434b7f225fe781441aa20f4031025c08187bc0837caf9db56464e71378474f06db4d3ab0e98a1162f902cc3b1b0f4099f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads