afa0f8e585262f6b696c02f8e6df08307269834a9c84a609e89c6083ca81498e

General

Target

afa0f8e585262f6b696c02f8e6df08307269834a9c84a609e89c6083ca81498e.exe
Size

910KB
MD5

8a4767d2b571133c41b8bb96e170d4c4
SHA1

e2c309692c8cd1b75a86c6703b925a98198f13db
SHA256

afa0f8e585262f6b696c02f8e6df08307269834a9c84a609e89c6083ca81498e
SHA512

176ac9213b0391391b9f5c7f80749bc9eb67b57e14155e4b33af9ca34f6eeda022ae2abca363ee28316aed5c670c9406e868b7ad6044b899627c98c56a929c8b
SSDEEP

12288:h5STYf+qnR7Fkxh7dG1lFlWcYT70pxnnaaoawASIh4JWVGMrZNrI0AilFEvxHvBl:nhg4MROxnFp/iJkrZlI0AilFEvxHiQ3

Score

6^/10

Malware Config

Signatures

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	afa0f8e585262f6b696c02f8e6df08307269834a9c84a609e89c6083ca81498e.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	afa0f8e585262f6b696c02f8e6df08307269834a9c84a609e89c6083ca81498e.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	afa0f8e585262f6b696c02f8e6df08307269834a9c84a609e89c6083ca81498e.exe
File created	C:\Windows\assembly\Desktop.ini	afa0f8e585262f6b696c02f8e6df08307269834a9c84a609e89c6083ca81498e.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	afa0f8e585262f6b696c02f8e6df08307269834a9c84a609e89c6083ca81498e.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1396 wrote to memory of 856	1396	afa0f8e585262f6b696c02f8e6df08307269834a9c84a609e89c6083ca81498e.exe	82
PID 1396 wrote to memory of 856	1396	afa0f8e585262f6b696c02f8e6df08307269834a9c84a609e89c6083ca81498e.exe	82
PID 856 wrote to memory of 4700	856	csc.exe	84
PID 856 wrote to memory of 4700	856	csc.exe	84

C:\Users\Admin\AppData\Local\Temp\afa0f8e585262f6b696c02f8e6df08307269834a9c84a609e89c6083ca81498e.exe
"C:\Users\Admin\AppData\Local\Temp\afa0f8e585262f6b696c02f8e6df08307269834a9c84a609e89c6083ca81498e.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1396
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kcshwn3i.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:856
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9F8D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9F8C.tmp"
    3⤵
    PID:4700

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES9F8D.tmp

Filesize
1KB

MD5
585e312337ed426ae3b665d826ede04c

SHA1
f88021aeb8430541755f3a3e4831881b757cb2b0

SHA256
d0ebd8cd0c8ab4f1ed8133c28b96489d6c81eceb30db1e9489915fcc6536441d

SHA512
f9637ff2c7ccb1ff6078ef6236f7c0d391e3346e1c58c530d59b076c4386ebc63d82d48c08f6ab9b60ac1ece4e50f3b228c2b7ca7c2654c3996a2373b2483dca

Download Submit
C:\Users\Admin\AppData\Local\Temp\kcshwn3i.dll

Filesize
76KB

MD5
e25434e4e9558113a2c4af72ec3d715d

SHA1
a326a82b3db0aef4aa13c6db49894c11d72d9e47

SHA256
a1f8892b2d6b4768489e90a279ccdc1e2d0f73625524bb816c38b4343b867240

SHA512
eabf22f4a6ed7cf7e8e554fb59be6a86501c38b27c99f410fbf1bcbad0a44d43fdf1e30b14b2cd6d101a426295a6cc4d848d363b6a9b5dd50f46e0c0db674af9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC9F8C.tmp

Filesize
676B

MD5
ec8b061b1daa65b61fcd477308fa16ce

SHA1
e020172293dc50b23feae0ddeb4626b137a999af

SHA256
e8048c3c7f8d848616d3df1423ec8c6e2a2442b7b7cb82bf29b65963ccf15292

SHA512
a5e3b0d67acb4e292615e59610c9719043f16209dfa75a2a409b933b711fd14679b0dcadd1b163a94d92267fe9a2156fbbf448b4ff6fc4aa10b9a97d4606eb38

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kcshwn3i.0.cs

Filesize
208KB

MD5
aac30622c5ca6acce582b2096477cac7

SHA1
d86f14ab6bbf76425ee62ea3ff9233eaf8a7dc21

SHA256
312fd79079d601bd5241d0e7af39bfe76980fea0f41d825bec980c91a9b2b631

SHA512
dd036b1832581f91e58a6aa161da4035c09502b83cd97424ae11e293d2fe3f01ead906717a9cab29c242a93bef86422827de28b2f84a90d2620a0029614ad220

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kcshwn3i.cmdline

Filesize
349B

MD5
4f064b66d839abbd3d756d039a807855

SHA1
aedd0ff2c5b998eb8c92e0642b1ca8061a00cc3c

SHA256
a3a3a286c3580a3933eb39728ec315e01e24637a3f0a7dc1618f09578bd22969

SHA512
f21acff784c5e83e4e1810e98bcb6694b420a77cb42234b2385fbc23c80659d1fe71fe25a1a4c877c9f60d2a71c074d43d7d5a460a9ac2a00f8689afab9367aa

Download Submit
memory/856-21-0x00007FF915A10000-0x00007FF9163B1000-memory.dmp

Filesize
9.6MB

Download
memory/856-14-0x00007FF915A10000-0x00007FF9163B1000-memory.dmp

Filesize
9.6MB

Download
memory/1396-7-0x000000001C040000-0x000000001C50E000-memory.dmp

Filesize
4.8MB

Download
memory/1396-8-0x000000001C5B0000-0x000000001C64C000-memory.dmp

Filesize
624KB

Download
memory/1396-0-0x00007FF915CC5000-0x00007FF915CC6000-memory.dmp

Filesize
4KB

Download
memory/1396-6-0x000000001BA20000-0x000000001BA2E000-memory.dmp

Filesize
56KB

Download
memory/1396-3-0x00007FF915A10000-0x00007FF9163B1000-memory.dmp

Filesize
9.6MB

Download
memory/1396-2-0x000000001B930000-0x000000001B98C000-memory.dmp

Filesize
368KB

Download
memory/1396-1-0x00007FF915A10000-0x00007FF9163B1000-memory.dmp

Filesize
9.6MB

Download
memory/1396-23-0x000000001C650000-0x000000001C666000-memory.dmp

Filesize
88KB

Download
memory/1396-25-0x0000000001350000-0x0000000001362000-memory.dmp

Filesize
72KB

Download
memory/1396-26-0x0000000001330000-0x0000000001338000-memory.dmp

Filesize
32KB

Download
memory/1396-27-0x0000000001320000-0x0000000001328000-memory.dmp

Filesize
32KB

Download
memory/1396-28-0x00007FF915A10000-0x00007FF9163B1000-memory.dmp

Filesize
9.6MB

Download
memory/1396-30-0x00007FF915A10000-0x00007FF9163B1000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads