25a3041691d6dd619674793fbc18b0d4a1ed4ccda48c69c2bf5fcfb853e54e00

General

Target

25a3041691d6dd619674793fbc18b0d4a1ed4ccda48c69c2bf5fcfb853e54e00.exe
Size

903KB
MD5

2ec00be64e179c3de3a63ed4d19d2b02
SHA1

563db59de0196434cea3ad0b9fa6c63c471bc5f3
SHA256

25a3041691d6dd619674793fbc18b0d4a1ed4ccda48c69c2bf5fcfb853e54e00
SHA512

17f5672b53b21bb7946772999be18f4c16ac84762e061a5f495de8383b67aeb61f114b17033db5da18c59759189eaf968b7a58805f79165fdcc45486a7f39825
SSDEEP

12288:1TUZ/Y95eo6L4ce7dG1lFlWcYT70pxnnaaoawZRVcTqSA+9rZNrI0AilFEvxHvBh:dqI4MROxnFMLqrZlI0AilFEvxHiOB

Score

6^/10

Malware Config

Signatures

Drops desktop.ini file(s) 2 IoCs

Processes:

25a3041691d6dd619674793fbc18b0d4a1ed4ccda48c69c2bf5fcfb853e54e00.exe

description	ioc	process
File created	C:\Windows\assembly\Desktop.ini	25a3041691d6dd619674793fbc18b0d4a1ed4ccda48c69c2bf5fcfb853e54e00.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	25a3041691d6dd619674793fbc18b0d4a1ed4ccda48c69c2bf5fcfb853e54e00.exe

Drops file in Windows directory 3 IoCs

Processes:

25a3041691d6dd619674793fbc18b0d4a1ed4ccda48c69c2bf5fcfb853e54e00.exe

description	ioc	process
File created	C:\Windows\assembly\Desktop.ini	25a3041691d6dd619674793fbc18b0d4a1ed4ccda48c69c2bf5fcfb853e54e00.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	25a3041691d6dd619674793fbc18b0d4a1ed4ccda48c69c2bf5fcfb853e54e00.exe
File opened for modification	C:\Windows\assembly	25a3041691d6dd619674793fbc18b0d4a1ed4ccda48c69c2bf5fcfb853e54e00.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

25a3041691d6dd619674793fbc18b0d4a1ed4ccda48c69c2bf5fcfb853e54e00.exe

pid process

448 25a3041691d6dd619674793fbc18b0d4a1ed4ccda48c69c2bf5fcfb853e54e00.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

25a3041691d6dd619674793fbc18b0d4a1ed4ccda48c69c2bf5fcfb853e54e00.exe

pid process

448 25a3041691d6dd619674793fbc18b0d4a1ed4ccda48c69c2bf5fcfb853e54e00.exe

pid	process
448	25a3041691d6dd619674793fbc18b0d4a1ed4ccda48c69c2bf5fcfb853e54e00.exe

pid	process
448	25a3041691d6dd619674793fbc18b0d4a1ed4ccda48c69c2bf5fcfb853e54e00.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

25a3041691d6dd619674793fbc18b0d4a1ed4ccda48c69c2bf5fcfb853e54e00.execsc.exe

description	pid	process	target process
PID 448 wrote to memory of 2988	448	25a3041691d6dd619674793fbc18b0d4a1ed4ccda48c69c2bf5fcfb853e54e00.exe	csc.exe
PID 448 wrote to memory of 2988	448	25a3041691d6dd619674793fbc18b0d4a1ed4ccda48c69c2bf5fcfb853e54e00.exe	csc.exe
PID 2988 wrote to memory of 1884	2988	csc.exe	cvtres.exe
PID 2988 wrote to memory of 1884	2988	csc.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\25a3041691d6dd619674793fbc18b0d4a1ed4ccda48c69c2bf5fcfb853e54e00.exe
"C:\Users\Admin\AppData\Local\Temp\25a3041691d6dd619674793fbc18b0d4a1ed4ccda48c69c2bf5fcfb853e54e00.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:448
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\awn-zf2j.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2988
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES96A3.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC96A2.tmp"
    3⤵
    PID:1884

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES96A3.tmp

Filesize
1KB

MD5
d912b5c9fc77b02c078153a4457756c4

SHA1
ce7c75ef846724634c9039568d19e1d738c197ca

SHA256
a7446708f9ab1e35eec964faf94a84413dd786cc3c3f9128265891a1c92aeb8a

SHA512
a65d599405734646f88a6dd62e7bed8edb215e28732697b56b3741e37e4b0aebf078e81411fe161c847dfa09c62e9975bd3f674923e8fea4c742a6d3fb5c0115

Download Submit
C:\Users\Admin\AppData\Local\Temp\awn-zf2j.dll

Filesize
76KB

MD5
2b3e82bd8cf46e0eb6660003ed6b3d81

SHA1
1a21307efb35164d0913e280498cb9a6ab6989e8

SHA256
fcda743af94bd792e747126eb5affbe79fd853e4920aaf99e694650ee6bf726e

SHA512
e67ab8085f85f8b8009ec30d03c6c632df8a1628d7f7c9c31fa25a9ded52b62cc92d7719a9f9b88117189d496cbfffe3bad75dae54fcad01e3f737c455fd33fd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC96A2.tmp

Filesize
676B

MD5
4a6bddca88098b2edc3836c0e1633331

SHA1
5b816493816fd644f1a2e907df19ba1f8f4df4a8

SHA256
2dfac76650288b7cafd913bf5c155eacb9f76d8a8a12af239dfb77ca8f3f18b6

SHA512
4be907604b42aee8bf30a5ad05ded179e11a0949f277ee44f112456835ee4659fa83a79aca0b91736a694a7e3dfdd141698b13113ac52e24107458da2cf2b404

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\awn-zf2j.0.cs

Filesize
208KB

MD5
c8cab05d32906f166d35d9ad1bef7cb9

SHA1
946b6b1f2b538beec0b141200e1447f99316e38d

SHA256
40a0e56fd593f2c931e20447c8e465fa183ad60be126bce7525b9c5d431fcd02

SHA512
a4a00f05728ae891801fda937fdd1bd1e7d02dc2209f48e5a4a13a150ddf1e7ba8d110ec37ce0bfd7273970e980ca30e9d371ea309c1cd975e2fe5a4ed2589b0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\awn-zf2j.cmdline

Filesize
349B

MD5
a7c52d634d769892cc17b59a6ed5314a

SHA1
81712b0bebca9dbf2ee0e14df4c5317614f60be0

SHA256
afc28050b875167bc7d991036f6b8b27eba8d0d24eb43266bd3f0892cd79236b

SHA512
5dc2429655039a84081abbc2fe096567df942b53dbcaf6596d1ffbe76b9c5c4afb53f8f5006359d2fb9c50f4d3160cafeac39b0185a90a55bf125c586b559042

Download Submit
memory/448-7-0x000000001BCE0000-0x000000001C1AE000-memory.dmp

Filesize
4.8MB

Download
memory/448-30-0x00007FF974E80000-0x00007FF975821000-memory.dmp

Filesize
9.6MB

Download
memory/448-0-0x00007FF975135000-0x00007FF975136000-memory.dmp

Filesize
4KB

Download
memory/448-6-0x00007FF974E80000-0x00007FF975821000-memory.dmp

Filesize
9.6MB

Download
memory/448-8-0x000000001C250000-0x000000001C2EC000-memory.dmp

Filesize
624KB

Download
memory/448-5-0x000000001B800000-0x000000001B80E000-memory.dmp

Filesize
56KB

Download
memory/448-2-0x000000001B600000-0x000000001B65C000-memory.dmp

Filesize
368KB

Download
memory/448-29-0x00007FF975135000-0x00007FF975136000-memory.dmp

Filesize
4KB

Download
memory/448-23-0x000000001C910000-0x000000001C926000-memory.dmp

Filesize
88KB

Download
memory/448-1-0x00007FF974E80000-0x00007FF975821000-memory.dmp

Filesize
9.6MB

Download
memory/448-25-0x0000000001130000-0x0000000001142000-memory.dmp

Filesize
72KB

Download
memory/448-26-0x000000001C940000-0x000000001C958000-memory.dmp

Filesize
96KB

Download
memory/448-27-0x00000000010F0000-0x0000000001100000-memory.dmp

Filesize
64KB

Download
memory/448-28-0x0000000001100000-0x0000000001108000-memory.dmp

Filesize
32KB

Download
memory/2988-16-0x00007FF974E80000-0x00007FF975821000-memory.dmp

Filesize
9.6MB

Download
memory/2988-21-0x00007FF974E80000-0x00007FF975821000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads