d95a517170fbc458ef4316e5983bc0b3ddb43dd98c32fd462f026f5061155344

General

Target

d95a517170fbc458ef4316e5983bc0b3ddb43dd98c32fd462f026f5061155344.exe
Size

903KB
MD5

a93e7dbe938820491dab85d3cec53c02
SHA1

b13d4953ae756189c236ed83ff98e87a37ea775a
SHA256

d95a517170fbc458ef4316e5983bc0b3ddb43dd98c32fd462f026f5061155344
SHA512

f47c4a311b78578e437fcf4097eec7616d471fd21e9e88405d6f3a55a2dbc0189a0f41404f4b79fb89997703b6b0e689b6e206ba2ab96465d054856468e6b66e
SSDEEP

12288:M8shHAVBuQBBed37dG1lFlWcYT70pxnnaaoawMRVcTqSA+9rZNrI0AilFEvxHvBI:l3s4MROxnF9LqrZlI0AilFEvxHiafo

Score

6^/10

Malware Config

Signatures

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	d95a517170fbc458ef4316e5983bc0b3ddb43dd98c32fd462f026f5061155344.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	d95a517170fbc458ef4316e5983bc0b3ddb43dd98c32fd462f026f5061155344.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	d95a517170fbc458ef4316e5983bc0b3ddb43dd98c32fd462f026f5061155344.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	d95a517170fbc458ef4316e5983bc0b3ddb43dd98c32fd462f026f5061155344.exe
File opened for modification	C:\Windows\assembly	d95a517170fbc458ef4316e5983bc0b3ddb43dd98c32fd462f026f5061155344.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3332 wrote to memory of 388	3332	d95a517170fbc458ef4316e5983bc0b3ddb43dd98c32fd462f026f5061155344.exe	86
PID 3332 wrote to memory of 388	3332	d95a517170fbc458ef4316e5983bc0b3ddb43dd98c32fd462f026f5061155344.exe	86
PID 388 wrote to memory of 1668	388	csc.exe	88
PID 388 wrote to memory of 1668	388	csc.exe	88

C:\Users\Admin\AppData\Local\Temp\d95a517170fbc458ef4316e5983bc0b3ddb43dd98c32fd462f026f5061155344.exe
"C:\Users\Admin\AppData\Local\Temp\d95a517170fbc458ef4316e5983bc0b3ddb43dd98c32fd462f026f5061155344.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3332
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\slxjstuo.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:388
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES734C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC734B.tmp"
    3⤵
    PID:1668

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES734C.tmp

Filesize
1KB

MD5
9b7b848575a722f816cae103fb1cecd3

SHA1
4f51e263de2b63ad7cd3ffd8aad91150f2c5c554

SHA256
e17cc43f767e3255a4de57993cab1efb056fd05f021f52786dce2eac23141634

SHA512
e285ea44662c78455f59dffe9c89ce399dd5dde9f4e68dca4354b7fb30fc123f22506ebd2098e5dbc1c1872ddeea25d176d06b4a44d591e2bdf587dcfd5a39d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\slxjstuo.dll

Filesize
76KB

MD5
2441c03f37fcdb1b122fe7040f645dbe

SHA1
dc45ac246cddc8a2854e32cf6ccca7013518f2fa

SHA256
9742a99d30ed075630a6d5083de4e419b1f77ead24af48a51402b3a3692213c3

SHA512
f96a3a1d0abf90a06eaa2bf12eb1134f168085fe03080261673689cbb0d8f12f89964f70546d6edceba0ec8cf34419fdf72d42add88136c7a1b92273cabc8c70

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC734B.tmp

Filesize
676B

MD5
e8d3dcb7608e612ff6834a7cc32cc450

SHA1
ed934c20144709d72f23b57ef46b06f02712f78b

SHA256
c90fbd23d32b556ef8c8b728a1a63d2b45af56bef73a6acccfec19f2e074aae0

SHA512
f223b9e8f7681a1fdf375fd106ac9f54b1b7a8f9a5392c0e2cc32895e5b47165acecab96e312ea931cc42c4d7eb17e66c34aa244976a2212d5486f2493a6ffff

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\slxjstuo.0.cs

Filesize
208KB

MD5
d5ec5531844fafd3a4b5e1e1be1ba92b

SHA1
bebbf5729d949b6920534124e20b4e5249b777db

SHA256
59b2f9e7fecd97603ebeee79583ebe9645a4369eb835ff944601a520ed183be7

SHA512
cd841238fa7f05b2ce6be9ada736e39639d681011c5b320f7c63bf53196d08fc748479876a225a1653730a51281cc981d7b1192933b860280d22617fe46e40e9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\slxjstuo.cmdline

Filesize
349B

MD5
18b23fb736acaf260940fa2e5654fa94

SHA1
e5ca9d54a8f0a4f5c6238c55fbc75d99da89271c

SHA256
ebd8038cb0229ae9dc533b01c46d43a8f60b027aef8a7433d9e6e17ee514fea4

SHA512
473c9709b03cc9358e5d6029404b663f7151f72be5f2918e0e8de51fdaadb31f8d7de27a09191e278fa8ad65797b9d15d0986d08627c0d7993c099c1b29e5440

Download Submit
memory/388-21-0x00007FFBE17D0000-0x00007FFBE2171000-memory.dmp

Filesize
9.6MB

Download
memory/388-14-0x00007FFBE17D0000-0x00007FFBE2171000-memory.dmp

Filesize
9.6MB

Download
memory/3332-0-0x00007FFBE1A85000-0x00007FFBE1A86000-memory.dmp

Filesize
4KB

Download
memory/3332-6-0x00007FFBE17D0000-0x00007FFBE2171000-memory.dmp

Filesize
9.6MB

Download
memory/3332-7-0x000000001C060000-0x000000001C52E000-memory.dmp

Filesize
4.8MB

Download
memory/3332-5-0x000000001BAF0000-0x000000001BAFE000-memory.dmp

Filesize
56KB

Download
memory/3332-2-0x000000001B900000-0x000000001B95C000-memory.dmp

Filesize
368KB

Download
memory/3332-8-0x000000001C5D0000-0x000000001C66C000-memory.dmp

Filesize
624KB

Download
memory/3332-23-0x000000001CC10000-0x000000001CC26000-memory.dmp

Filesize
88KB

Download
memory/3332-1-0x00007FFBE17D0000-0x00007FFBE2171000-memory.dmp

Filesize
9.6MB

Download
memory/3332-25-0x000000001B860000-0x000000001B872000-memory.dmp

Filesize
72KB

Download
memory/3332-26-0x0000000001400000-0x0000000001408000-memory.dmp

Filesize
32KB

Download
memory/3332-27-0x00007FFBE17D0000-0x00007FFBE2171000-memory.dmp

Filesize
9.6MB

Download
memory/3332-29-0x00007FFBE17D0000-0x00007FFBE2171000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads