25a3041691d6dd619674793fbc18b0d4a1ed4ccda48c69c2bf5fcfb853e54e00

General

Target

25a3041691d6dd619674793fbc18b0d4a1ed4ccda48c69c2bf5fcfb853e54e00.exe
Size

903KB
MD5

2ec00be64e179c3de3a63ed4d19d2b02
SHA1

563db59de0196434cea3ad0b9fa6c63c471bc5f3
SHA256

25a3041691d6dd619674793fbc18b0d4a1ed4ccda48c69c2bf5fcfb853e54e00
SHA512

17f5672b53b21bb7946772999be18f4c16ac84762e061a5f495de8383b67aeb61f114b17033db5da18c59759189eaf968b7a58805f79165fdcc45486a7f39825
SSDEEP

12288:1TUZ/Y95eo6L4ce7dG1lFlWcYT70pxnnaaoawZRVcTqSA+9rZNrI0AilFEvxHvBh:dqI4MROxnFMLqrZlI0AilFEvxHiOB

Score

6^/10

Malware Config

Signatures

Drops desktop.ini file(s) 2 IoCs

Processes:

25a3041691d6dd619674793fbc18b0d4a1ed4ccda48c69c2bf5fcfb853e54e00.exe

description	ioc	process
File created	C:\Windows\assembly\Desktop.ini	25a3041691d6dd619674793fbc18b0d4a1ed4ccda48c69c2bf5fcfb853e54e00.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	25a3041691d6dd619674793fbc18b0d4a1ed4ccda48c69c2bf5fcfb853e54e00.exe

Drops file in Windows directory 3 IoCs

Processes:

25a3041691d6dd619674793fbc18b0d4a1ed4ccda48c69c2bf5fcfb853e54e00.exe

description	ioc	process
File opened for modification	C:\Windows\assembly	25a3041691d6dd619674793fbc18b0d4a1ed4ccda48c69c2bf5fcfb853e54e00.exe
File created	C:\Windows\assembly\Desktop.ini	25a3041691d6dd619674793fbc18b0d4a1ed4ccda48c69c2bf5fcfb853e54e00.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	25a3041691d6dd619674793fbc18b0d4a1ed4ccda48c69c2bf5fcfb853e54e00.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

25a3041691d6dd619674793fbc18b0d4a1ed4ccda48c69c2bf5fcfb853e54e00.exe

pid process

868 25a3041691d6dd619674793fbc18b0d4a1ed4ccda48c69c2bf5fcfb853e54e00.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

25a3041691d6dd619674793fbc18b0d4a1ed4ccda48c69c2bf5fcfb853e54e00.exe

pid process

868 25a3041691d6dd619674793fbc18b0d4a1ed4ccda48c69c2bf5fcfb853e54e00.exe

pid	process
868	25a3041691d6dd619674793fbc18b0d4a1ed4ccda48c69c2bf5fcfb853e54e00.exe

pid	process
868	25a3041691d6dd619674793fbc18b0d4a1ed4ccda48c69c2bf5fcfb853e54e00.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

25a3041691d6dd619674793fbc18b0d4a1ed4ccda48c69c2bf5fcfb853e54e00.execsc.exe

description	pid	process	target process
PID 868 wrote to memory of 3568	868	25a3041691d6dd619674793fbc18b0d4a1ed4ccda48c69c2bf5fcfb853e54e00.exe	csc.exe
PID 868 wrote to memory of 3568	868	25a3041691d6dd619674793fbc18b0d4a1ed4ccda48c69c2bf5fcfb853e54e00.exe	csc.exe
PID 3568 wrote to memory of 2372	3568	csc.exe	cvtres.exe
PID 3568 wrote to memory of 2372	3568	csc.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\25a3041691d6dd619674793fbc18b0d4a1ed4ccda48c69c2bf5fcfb853e54e00.exe
"C:\Users\Admin\AppData\Local\Temp\25a3041691d6dd619674793fbc18b0d4a1ed4ccda48c69c2bf5fcfb853e54e00.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:868
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gomcg72m.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3568
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDD13.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCDD12.tmp"
    3⤵
    PID:2372

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESDD13.tmp

Filesize
1KB

MD5
596747208f1f4b7090feeef3f51ed9c3

SHA1
034d857513f98efd171a4b82c7226c639ff348df

SHA256
fe884ede55a5099d43896e07399e10fb6d73550281aada5a90231ca65454ac1f

SHA512
2fbd0c645bd91cc0618429decc756cb90c078247a618f60c4844ba0f105b3f50d14932da4bb258cf9bcc916babb7541edca0cc4b0391f1aca5c87115d6e39426

Download Submit
C:\Users\Admin\AppData\Local\Temp\gomcg72m.dll

Filesize
76KB

MD5
ab1a6e28b1fabdcd139750e2b844ad13

SHA1
e39d737a1d3eacdf861e706d182bfeeb1fe925d1

SHA256
0dd62d3445ca78a5241046ddd8e163356e1750252caeb0c9f2e56eafdeecf97d

SHA512
435f70d29e8bc599590effc32f6fdc4a4ebd735c3d5cd8aa82908de60cf8331178806e415ab3ff5b140fa46693c8600f8fdb63895a35c9e98aa5779831953c06

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCDD12.tmp

Filesize
676B

MD5
d49ee1a31387b65520158599bdbef6aa

SHA1
025c85700dd4c282666875e713a87e3d8a744c55

SHA256
8d3bb3012708b9e49ad298409a33b76ca375d4b81964a17ce8e0034cd2f5f87a

SHA512
695aa054334567a0db11870ddfdb6190a00094cdf06e13aefa79c61dc9087f17e201d6699fb851436214cd1fc5710ff360b652059a0b1b1234d260ed28082745

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gomcg72m.0.cs

Filesize
208KB

MD5
632cbbff7231ca5488c9b9b5357239fe

SHA1
8103f936cb06c9ed23c768e6526261d8fb48cef4

SHA256
b9a514d87d8045ede26d9e120dac84766e552a13e9e7cea27d52e2f8bac5d34c

SHA512
5f6f65ac6debae889e92522bdb6f276b4fee0539a469b8aeabb74c5a8f65b553e2006232b96aed66388b4b0a7ffad2b01909f74d97f43dafc757638bb2b8adf3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gomcg72m.cmdline

Filesize
349B

MD5
ea79bf7492266795522502ad9e9f78fb

SHA1
9f0a97eaba8a70be80c28abd008cdce03c66b914

SHA256
5d0e8ca09a26f1e0630e221c3e0d375f6a6817d26e14b1a64db96df3b19db474

SHA512
395baffba8437e5ee00266675e7cc3c0d2ab4ceb37fdeb3b9c3d5081a8d9af63fcb885d939b429ee76103aed4493512f02bec16f9b5210597ae9b1769583db23

Download Submit
memory/868-7-0x000000001BCC0000-0x000000001C18E000-memory.dmp

Filesize
4.8MB

Download
memory/868-30-0x00007FFDF7570000-0x00007FFDF7F11000-memory.dmp

Filesize
9.6MB

Download
memory/868-0-0x00007FFDF7825000-0x00007FFDF7826000-memory.dmp

Filesize
4KB

Download
memory/868-6-0x00007FFDF7570000-0x00007FFDF7F11000-memory.dmp

Filesize
9.6MB

Download
memory/868-8-0x000000001C230000-0x000000001C2CC000-memory.dmp

Filesize
624KB

Download
memory/868-5-0x000000001B7E0000-0x000000001B7EE000-memory.dmp

Filesize
56KB

Download
memory/868-2-0x000000001B5F0000-0x000000001B64C000-memory.dmp

Filesize
368KB

Download
memory/868-29-0x00007FFDF7825000-0x00007FFDF7826000-memory.dmp

Filesize
4KB

Download
memory/868-23-0x000000001C700000-0x000000001C716000-memory.dmp

Filesize
88KB

Download
memory/868-1-0x00007FFDF7570000-0x00007FFDF7F11000-memory.dmp

Filesize
9.6MB

Download
memory/868-25-0x000000001B540000-0x000000001B552000-memory.dmp

Filesize
72KB

Download
memory/868-26-0x000000001C930000-0x000000001C948000-memory.dmp

Filesize
96KB

Download
memory/868-27-0x0000000000FA0000-0x0000000000FB0000-memory.dmp

Filesize
64KB

Download
memory/868-28-0x000000001B4B0000-0x000000001B4B8000-memory.dmp

Filesize
32KB

Download
memory/3568-16-0x00007FFDF7570000-0x00007FFDF7F11000-memory.dmp

Filesize
9.6MB

Download
memory/3568-21-0x00007FFDF7570000-0x00007FFDF7F11000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads