481449cf6fc783f0ec2057882640f1952ceaf8c34ddcd26ed76d20654cb30374

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
21-09-2024 09:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

123123123qw3qew.exe
Size

903KB
MD5

ac40df4b922b8476be86ce4f3b4576d1
SHA1

b7b4ba3424288ae52178b0190574b252a7f9cdbe
SHA256

481449cf6fc783f0ec2057882640f1952ceaf8c34ddcd26ed76d20654cb30374
SHA512

579e71de8c28d0eebcb7324e298d110837f9d41423a77576fef21ee4044fe584c280b4c82a9c3da083885404b0148cc81b15d0b2f0b16bcc23407c91ee9966ab
SSDEEP

12288:hTUZ/Y95eo6L4ce7dG1lFlWcYT70pxnnaaoawZRVcTqSA+9rZNrI0AilFEvxHvBu:xqI4MROxnFMLqrZlI0AilFEvxHi9B

Score

6^/10

Malware Config

Signatures

Drops desktop.ini file(s) 2 IoCs

Processes:

123123123qw3qew.exe

description	ioc	process
File created	C:\Windows\assembly\Desktop.ini	123123123qw3qew.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	123123123qw3qew.exe

Drops file in Windows directory 3 IoCs

Processes:

123123123qw3qew.exe

description	ioc	process
File opened for modification	C:\Windows\assembly	123123123qw3qew.exe
File created	C:\Windows\assembly\Desktop.ini	123123123qw3qew.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	123123123qw3qew.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

123123123qw3qew.execsc.exe

description	pid	process	target process
PID 2784 wrote to memory of 2996	2784	123123123qw3qew.exe	csc.exe
PID 2784 wrote to memory of 2996	2784	123123123qw3qew.exe	csc.exe
PID 2996 wrote to memory of 4348	2996	csc.exe	cvtres.exe
PID 2996 wrote to memory of 4348	2996	csc.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\123123123qw3qew.exe
"C:\Users\Admin\AppData\Local\Temp\123123123qw3qew.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2784
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xyhjfr1c.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC034.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC033.tmp"
    3⤵
    PID:4348

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESC034.tmp

Filesize
1KB

MD5
66e102b98b00808aa3e631523d4e2655

SHA1
32f7d11c274c24444b40a25a7a0b841b63729e49

SHA256
dfc3910e4bfb20befaa0b66a0061c8da03a4f9ad3d0f9cfc2f6c2fd22997d810

SHA512
85aef07bb815e117ccbcef2ae1a0f4e50d865a7949715c6fcd6de45b55c3bec3fb8a0b0d5503d0d250905417a1641fc748bf86866f99b01972d2540be85d4bfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\xyhjfr1c.dll

Filesize
76KB

MD5
24f4792524e4f9509368d5c902a3c2a1

SHA1
be18357f8153690f721dd1dfe260f6e5d48eb514

SHA256
1208d19d45bb6bd6ac5c190026de4a001e8279bbe3508eef1738de94ecd84e68

SHA512
464ca36642d5d9299c81dd334db6e0e8bbf3cc79fdd176a824b461c0cde3b9fd193ec3d83fbcf8721563fcb1d8da1b9f6b0ac718bea90f3e857fb470b3dcd09c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCC033.tmp

Filesize
676B

MD5
1e580961f46699f69d2e08ece2306369

SHA1
bdd5e602fc318566d34f3385c31a80d01b36a9ee

SHA256
d2ba9ae03117d08ba5f951b5c5b0cb78f5ae40743fd159024cf96609aff46c48

SHA512
9019734c234515b8397cf91a03a52fae9d5b8d3acb14bc3530482e2e4c307b0f5696971445a00e99dbe3bad1f58fa922f662cf709f2ec853eec20d306049e3a2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xyhjfr1c.0.cs

Filesize
208KB

MD5
351f1b86897ad95c8f25f07bde436b27

SHA1
e3d3eae58e2ea3ff31d23348eafb7e190bf36f74

SHA256
96702e4f0b014441dc34ff9eac3164b15fe0151dccd92525e3e0f563b37f4469

SHA512
84f7dd30d0bbf16a385b4bf76a72eea5bca849e928a6a6d9b928a3c897a2b966494d8beeefdb8a8cab1c6c63d4bc4cde84a9a700c4e901588dd99195f86b5ef7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xyhjfr1c.cmdline

Filesize
349B

MD5
015e26e2cb07f388f401c4cb8fccb7b7

SHA1
6f24dd0acd2d09ff3b14e199c033cf6b6077e176

SHA256
3b0814fa5953bc2424169de2fa5a0ee442afe9115c6905f77aed324375bef595

SHA512
611595d28c73afac2a01a15f95b34d8b87912f81ec650a2320dd0b392627c989929d324540263826a2e4965fa4a08948c4a484faf469da495eece6428f660fb5

Download Submit
memory/2784-7-0x000000001C1F0000-0x000000001C6BE000-memory.dmp

Filesize
4.8MB

Download
memory/2784-28-0x00007FF81A355000-0x00007FF81A356000-memory.dmp

Filesize
4KB

Download
memory/2784-0-0x00007FF81A355000-0x00007FF81A356000-memory.dmp

Filesize
4KB

Download
memory/2784-6-0x000000001BD00000-0x000000001BD0E000-memory.dmp

Filesize
56KB

Download
memory/2784-8-0x000000001C760000-0x000000001C7FC000-memory.dmp

Filesize
624KB

Download
memory/2784-5-0x00007FF81A0A0000-0x00007FF81AA41000-memory.dmp

Filesize
9.6MB

Download
memory/2784-2-0x000000001BB10000-0x000000001BB6C000-memory.dmp

Filesize
368KB

Download
memory/2784-29-0x00007FF81A0A0000-0x00007FF81AA41000-memory.dmp

Filesize
9.6MB

Download
memory/2784-1-0x00007FF81A0A0000-0x00007FF81AA41000-memory.dmp

Filesize
9.6MB

Download
memory/2784-23-0x000000001CE20000-0x000000001CE36000-memory.dmp

Filesize
88KB

Download
memory/2784-25-0x000000001BA70000-0x000000001BA82000-memory.dmp

Filesize
72KB

Download
memory/2784-26-0x000000001B9E0000-0x000000001B9E8000-memory.dmp

Filesize
32KB

Download
memory/2784-27-0x00007FF81A0A0000-0x00007FF81AA41000-memory.dmp

Filesize
9.6MB

Download
memory/2996-16-0x00007FF81A0A0000-0x00007FF81AA41000-memory.dmp

Filesize
9.6MB

Download
memory/2996-21-0x00007FF81A0A0000-0x00007FF81AA41000-memory.dmp

Filesize
9.6MB

Download