fb1268b211f329c33cdd2b2de809657732042cf0056b45e85f948beb7219e09b

General

Target

fb1268b211f329c33cdd2b2de809657732042cf0056b45e85f948beb7219e09b.exe
Size

903KB
MD5

347506ed49af315cfdc27220fac57622
SHA1

cbee3288a973a152a98478412e9cbef4b994a397
SHA256

fb1268b211f329c33cdd2b2de809657732042cf0056b45e85f948beb7219e09b
SHA512

1077da878b4f8adada977bae4b8a8207e6d154335b571bd3d15551b6966ab48cc5808a2d6c4060da31290fa203b34eb01ad86b2e1c571e9d0d2e68db99587c1a
SSDEEP

12288:VUzyPotpL82hF457dG1lFlWcYT70pxnnaaoawkRVcTqSA+9rZNrI0AilFEvxHvBE:bcI4MROxnF1LqrZlI0AilFEvxHiksG0

Score

6^/10

Malware Config

Signatures

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	fb1268b211f329c33cdd2b2de809657732042cf0056b45e85f948beb7219e09b.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	fb1268b211f329c33cdd2b2de809657732042cf0056b45e85f948beb7219e09b.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	fb1268b211f329c33cdd2b2de809657732042cf0056b45e85f948beb7219e09b.exe
File created	C:\Windows\assembly\Desktop.ini	fb1268b211f329c33cdd2b2de809657732042cf0056b45e85f948beb7219e09b.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	fb1268b211f329c33cdd2b2de809657732042cf0056b45e85f948beb7219e09b.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4656 wrote to memory of 2084	4656	fb1268b211f329c33cdd2b2de809657732042cf0056b45e85f948beb7219e09b.exe	85
PID 4656 wrote to memory of 2084	4656	fb1268b211f329c33cdd2b2de809657732042cf0056b45e85f948beb7219e09b.exe	85
PID 2084 wrote to memory of 2348	2084	csc.exe	87
PID 2084 wrote to memory of 2348	2084	csc.exe	87

C:\Users\Admin\AppData\Local\Temp\fb1268b211f329c33cdd2b2de809657732042cf0056b45e85f948beb7219e09b.exe
"C:\Users\Admin\AppData\Local\Temp\fb1268b211f329c33cdd2b2de809657732042cf0056b45e85f948beb7219e09b.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4656
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lcrvm8go.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2084
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDDED.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCDDEC.tmp"
    3⤵
    PID:2348

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESDDED.tmp

Filesize
1KB

MD5
79369d7f86b2e387ba351e9a3929e4cb

SHA1
28960ce27031d44d23af5e4a94c1995532218eb4

SHA256
bce4514e9ce4c30c8c98784186dd1d1bb2178edf4d4b40e52959c52513e8f551

SHA512
aee2a0d72ba9156b529f978b6b5aca150a8b48cfb5664de5b1884f5bc492b496582bc730e627bbdf06fe5a24dc33bc7b2b58fa100c8976e4c517cd1dabd8ff77

Download Submit
C:\Users\Admin\AppData\Local\Temp\lcrvm8go.dll

Filesize
76KB

MD5
915a4c1ed3dcba434654fccad00258d4

SHA1
6d67d655fcd8bb62d9ac349e63d52c8bef33b521

SHA256
0baa3ef540e5c5c29ad8aa4d606f1fd92eccfe9e4444c21d7a5a422e524d9d44

SHA512
b8e833e1a4f3d1bddbb07055822f1ce8ece34da225d8512730ed73305c368fdf47e3a8c361cee492ae57d71d8f795ce32230407fc4b51ca0830c9816233b130b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCDDEC.tmp

Filesize
676B

MD5
3643fb9c8ebd973d9efa776474b3a19c

SHA1
160ab2388f0eac9ce866b784e6fa806d0990eb14

SHA256
41efe4a0c4e328f9b1986146bde0ea4ca10deeaecd8b4a287eb259872fa23283

SHA512
f91f5bae305bd850c28ca0ce980ad5289a6af230e9b1cb0723f2aec0a1d8c9b0b311e3cf4e37ef40778df76d0aca9d4016d987d2b90e2e7b3363b7eb0346ae13

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lcrvm8go.0.cs

Filesize
208KB

MD5
944a6d73ae74a99d5a1f03b5804a50aa

SHA1
45b03d7e7f031b87e71e2f3d0b5b3648ddc70d72

SHA256
10f5496c6b2ee7bec7b1a24513477736834d0771e05f77f7dff2507502795b97

SHA512
f4ad14051814bf4593c3f3d44f1b0a3066d002d689d468f0eee85dde8e5bda9c2209d9b1900a49e1e857c19210efe7ee7052884fc1cf29877c15d187bf4e9bea

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lcrvm8go.cmdline

Filesize
349B

MD5
d07cc8121453249ffc97040b56c52191

SHA1
991916c18150fba946e3c80b13a1b9d1dc728009

SHA256
8b13af42c37a68376b439ea27aee285472349cac75629c0a658d47ad8d51359f

SHA512
10a8a6c13cca1c5bf76e9007f40d83ef83fe6c50790b257260da4d9109ad986f2167dda65c7b77a103472935a1fb8ab9ff0b47dc7c7f588fabfab7533311cfab

Download Submit
memory/2084-21-0x00007FFBA0EA0000-0x00007FFBA1841000-memory.dmp

Filesize
9.6MB

Download
memory/2084-16-0x00007FFBA0EA0000-0x00007FFBA1841000-memory.dmp

Filesize
9.6MB

Download
memory/4656-0-0x00007FFBA1155000-0x00007FFBA1156000-memory.dmp

Filesize
4KB

Download
memory/4656-6-0x00007FFBA0EA0000-0x00007FFBA1841000-memory.dmp

Filesize
9.6MB

Download
memory/4656-7-0x000000001BCF0000-0x000000001C1BE000-memory.dmp

Filesize
4.8MB

Download
memory/4656-5-0x000000001B810000-0x000000001B81E000-memory.dmp

Filesize
56KB

Download
memory/4656-2-0x000000001B630000-0x000000001B68C000-memory.dmp

Filesize
368KB

Download
memory/4656-8-0x000000001C260000-0x000000001C2FC000-memory.dmp

Filesize
624KB

Download
memory/4656-23-0x000000001C920000-0x000000001C936000-memory.dmp

Filesize
88KB

Download
memory/4656-1-0x00007FFBA0EA0000-0x00007FFBA1841000-memory.dmp

Filesize
9.6MB

Download
memory/4656-25-0x000000001B570000-0x000000001B582000-memory.dmp

Filesize
72KB

Download
memory/4656-26-0x000000001B4E0000-0x000000001B4E8000-memory.dmp

Filesize
32KB

Download
memory/4656-27-0x00007FFBA0EA0000-0x00007FFBA1841000-memory.dmp

Filesize
9.6MB

Download
memory/4656-29-0x00007FFBA0EA0000-0x00007FFBA1841000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads