e15c3ff9de2290626cc24301d496ff18a89adb9832a93c3d17cd9e4a1484e8cc

General

Target

e15c3ff9de2290626cc24301d496ff18a89adb9832a93c3d17cd9e4a1484e8cc.exe
Size

903KB
MD5

50b929d34d4b8d8a1403372fa7c608cb
SHA1

a1edb9952c197496edc5455e5be1d8af886bf3ce
SHA256

e15c3ff9de2290626cc24301d496ff18a89adb9832a93c3d17cd9e4a1484e8cc
SHA512

825a59aabe859826d43f60785d6592948cfbb971a669f10ffe51439ef23c301c06ab63e0929a30b8abb4be558410de7e7a3feac894a108d410472a18da6af39d
SSDEEP

12288:48shHAVBuQBBed37dG1lFlWcYT70pxnnaaoawMRVcTqSA+9rZNrI0AilFEvxHvB1:J3s4MROxnF9LqrZlI0AilFEvxHiXo

Score

6^/10

Malware Config

Signatures

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	e15c3ff9de2290626cc24301d496ff18a89adb9832a93c3d17cd9e4a1484e8cc.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	e15c3ff9de2290626cc24301d496ff18a89adb9832a93c3d17cd9e4a1484e8cc.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	e15c3ff9de2290626cc24301d496ff18a89adb9832a93c3d17cd9e4a1484e8cc.exe
File created	C:\Windows\assembly\Desktop.ini	e15c3ff9de2290626cc24301d496ff18a89adb9832a93c3d17cd9e4a1484e8cc.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	e15c3ff9de2290626cc24301d496ff18a89adb9832a93c3d17cd9e4a1484e8cc.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1924 wrote to memory of 3560	1924	e15c3ff9de2290626cc24301d496ff18a89adb9832a93c3d17cd9e4a1484e8cc.exe	89
PID 1924 wrote to memory of 3560	1924	e15c3ff9de2290626cc24301d496ff18a89adb9832a93c3d17cd9e4a1484e8cc.exe	89
PID 3560 wrote to memory of 912	3560	csc.exe	91
PID 3560 wrote to memory of 912	3560	csc.exe	91

C:\Users\Admin\AppData\Local\Temp\e15c3ff9de2290626cc24301d496ff18a89adb9832a93c3d17cd9e4a1484e8cc.exe
"C:\Users\Admin\AppData\Local\Temp\e15c3ff9de2290626cc24301d496ff18a89adb9832a93c3d17cd9e4a1484e8cc.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kueqjoiv.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3560
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC67D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC67C.tmp"
    3⤵
    PID:912

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESC67D.tmp

Filesize
1KB

MD5
ecd2af920a0ca8723ba4bb4e47ae4468

SHA1
75f0a3fe71a76a3283ebacce9201010426b60e1e

SHA256
29fa35365e81aeccf9728a96afcfe82a3d5239ec42668f67e96d48a7164ddca6

SHA512
346e1bf89f30086f5515ce06a4a8c51abbe834888b877aaa837e60746d695cf913fdffbe397653e881499c07775db3312f3b60a7dac59990a523342bf86eb7bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\kueqjoiv.dll

Filesize
76KB

MD5
1c9cc27d360ac95205b043b4b50ec0b4

SHA1
10470fbbf718b8335ca5ea3604eb93dcb49592ff

SHA256
9ccebf1e3892b89245e2726a91b6cbbf08be4962e7be6734af86f26087fd524e

SHA512
83fafa11152b4c139c5159d1816de2e1a7444421d313c8fb0f6aed319afa5221b4d105be7117e7b6ba499e6c07c479b01b83c9f752001a6f62076ed18d0279b6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCC67C.tmp

Filesize
676B

MD5
1125a4681f82613ed291cad08bcd4338

SHA1
0bdc26002c03d2a37c98293e3fe0660c58a80ac8

SHA256
12fc26563786dd8577efaf53be37f3b225f265c33cc7e383a77ca5c03e0a11e6

SHA512
38cb87b0e502e4df2b0e7cead2ed3ce593f6f493ccfb54daac526498393f449702d7e2e98e6bfbab94ac069c5f6f7ec1f93bb8367754e0fab66b13079e9d7511

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kueqjoiv.0.cs

Filesize
208KB

MD5
4f29881c451b864347626fa4f59fb1cb

SHA1
dd5bfc266d163cd171e39c8507658f06eea8b64b

SHA256
c0f4b4148376268a66f8ac5a7e4ee98e46c1d4194f44cd847ca55864771008e0

SHA512
8fd821a3bc712e566faa3afc4c112ab42138be63a215230feec44170ff79be7e914248d51f518ba17e141511e206b157983fa4428cbda91d8661ebef97c85094

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kueqjoiv.cmdline

Filesize
349B

MD5
e5a0c39669f29b9482e8c1276685613f

SHA1
ac635a3350d7ff8cfdfaa856e544dbc80520e9a6

SHA256
5d645297ecf7e299d43d4776274d7d43f76af23c27b1fc84e9df70c90203d8db

SHA512
2ef5bfc6447ba1d142c1e35831b5faeb28feafe4b8be51f7eda14bf8cbf64dac6f93849cd02fa243341fec5b44bb4a7cd2d07432db6f3f972bae95f8bcfc2f50

Download Submit
memory/1924-7-0x000000001C400000-0x000000001C8CE000-memory.dmp

Filesize
4.8MB

Download
memory/1924-25-0x000000001BC50000-0x000000001BC62000-memory.dmp

Filesize
72KB

Download
memory/1924-0-0x00007FFA36B75000-0x00007FFA36B76000-memory.dmp

Filesize
4KB

Download
memory/1924-6-0x000000001BEE0000-0x000000001BEEE000-memory.dmp

Filesize
56KB

Download
memory/1924-31-0x00007FFA368C0000-0x00007FFA37261000-memory.dmp

Filesize
9.6MB

Download
memory/1924-3-0x000000001BD10000-0x000000001BD6C000-memory.dmp

Filesize
368KB

Download
memory/1924-2-0x00007FFA368C0000-0x00007FFA37261000-memory.dmp

Filesize
9.6MB

Download
memory/1924-23-0x000000001D000000-0x000000001D016000-memory.dmp

Filesize
88KB

Download
memory/1924-1-0x00007FFA368C0000-0x00007FFA37261000-memory.dmp

Filesize
9.6MB

Download
memory/1924-29-0x00007FFA368C0000-0x00007FFA37261000-memory.dmp

Filesize
9.6MB

Download
memory/1924-8-0x000000001C970000-0x000000001CA0C000-memory.dmp

Filesize
624KB

Download
memory/1924-26-0x000000001BBC0000-0x000000001BBC8000-memory.dmp

Filesize
32KB

Download
memory/1924-27-0x00007FFA368C0000-0x00007FFA37261000-memory.dmp

Filesize
9.6MB

Download
memory/1924-28-0x00007FFA36B75000-0x00007FFA36B76000-memory.dmp

Filesize
4KB

Download
memory/3560-21-0x00007FFA368C0000-0x00007FFA37261000-memory.dmp

Filesize
9.6MB

Download
memory/3560-16-0x00007FFA368C0000-0x00007FFA37261000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads