78afefee16a6e648a08f0e348c086dde76f917e24b45dd4c64124fa0645f8d97

General

Target

78afefee16a6e648a08f0e348c086dde76f917e24b45dd4c64124fa0645f8d97.exe
Size

903KB
MD5

e01f6c2e3489ec4f372f5e42043c76ad
SHA1

ff18a6f8f0535cb90bd1be41c5f751eb7e68c9bf
SHA256

78afefee16a6e648a08f0e348c086dde76f917e24b45dd4c64124fa0645f8d97
SHA512

b7eb8aaf68bc5a91e94bb1889cda2d0c22af3cbf4011134b6b4d86d08ca6e945002f868a3c818fb0aa0e551193863167c874f4780aa93142b7e74768d96dd932
SSDEEP

12288:Y8shHAVBuQBBed37dG1lFlWcYT70pxnnaaoawMRVcTqSA+9rZNrI0AilFEvxHvBJ:p3s4MROxnF9LqrZlI0AilFEvxHi8b8o

Score

6^/10

Malware Config

Signatures

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	78afefee16a6e648a08f0e348c086dde76f917e24b45dd4c64124fa0645f8d97.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	78afefee16a6e648a08f0e348c086dde76f917e24b45dd4c64124fa0645f8d97.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	78afefee16a6e648a08f0e348c086dde76f917e24b45dd4c64124fa0645f8d97.exe
File created	C:\Windows\assembly\Desktop.ini	78afefee16a6e648a08f0e348c086dde76f917e24b45dd4c64124fa0645f8d97.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	78afefee16a6e648a08f0e348c086dde76f917e24b45dd4c64124fa0645f8d97.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 4568	2648	78afefee16a6e648a08f0e348c086dde76f917e24b45dd4c64124fa0645f8d97.exe	82
PID 2648 wrote to memory of 4568	2648	78afefee16a6e648a08f0e348c086dde76f917e24b45dd4c64124fa0645f8d97.exe	82
PID 4568 wrote to memory of 536	4568	csc.exe	84
PID 4568 wrote to memory of 536	4568	csc.exe	84

C:\Users\Admin\AppData\Local\Temp\78afefee16a6e648a08f0e348c086dde76f917e24b45dd4c64124fa0645f8d97.exe
"C:\Users\Admin\AppData\Local\Temp\78afefee16a6e648a08f0e348c086dde76f917e24b45dd4c64124fa0645f8d97.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\o-xryleu.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4568
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBC7B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCBC7A.tmp"
    3⤵
    PID:536

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESBC7B.tmp

Filesize
1KB

MD5
b67a16de9588d200583c418549edb820

SHA1
a6ce88a0d4a571d15c7c5cd598c2fae808c62f21

SHA256
80b151e3ca7ee0b3f38e150825cc87d88ff0c9f492c546d493d7ef60512bc0cb

SHA512
f6c3f6d40d5d2495961eb81d9688db94060bc2c8542acae59ce35004bfb8e2471fd965d291b1568738d18f55be60649f6fe7242e4c0bb9dbbf4f75e5081a48c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\o-xryleu.dll

Filesize
76KB

MD5
a102ac0043981bff5ff2591dc80e5998

SHA1
ffc73dd7d20ab53b1f2162a1208ebe3e56a2d86d

SHA256
6abd6de95a8e98f2ae405b65133b0671d6ef298e05dbd6becdacf013e65c8932

SHA512
eb778a6ceb038297187a9da4d6d7ef951f2ee27a00d0634e068259d7bd32312dbe9e89c338ec1fb9a1fc68e4840af2c0492e3be557dbde5540e6c7c65534a1b4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCBC7A.tmp

Filesize
676B

MD5
88e53182aae64bcf219a7bf5150e59e2

SHA1
1fa035a842b397c583eb465347016db31c54d9bb

SHA256
bcca601632b203ad5b6f6f2b8845dabf6859d7371a5a81de0e9151c2611055ab

SHA512
8fb6934eb38412e464568afb68271a14e67c4b61fb5fc14f8d49104773f2c6a88c2f1515e2b9dffd0ff9e2ad70ab34676d63bbbfe61b2839ca9bd03c8bc36adc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\o-xryleu.0.cs

Filesize
208KB

MD5
24849219cb763fc6e33306ae0f115bd8

SHA1
7ab33d317cc68f1548eedd33df934c3f06dd1c6e

SHA256
2237d922ccf8ac7397264f5013974b1025e2738423b780aeb8f6a318f9ccc459

SHA512
5c2b857138fb15a6516aa9db1fd04c8c1db23d136c0317c1184d4240d25e752e40cd6f50e7d133dbc2781483b191c6795447683bf2333fb0f785774115c9ca80

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\o-xryleu.cmdline

Filesize
349B

MD5
085df8c7ee382ce82afe30b19059ec3d

SHA1
3eb5a4204c0e248eebff12ca21d99eea5fbfbe73

SHA256
c53ab87a493f146ef811c25f80f16e4c6f453dafb4e1c68c09b221686d5d90c3

SHA512
d285b578c5812b38d5de36c8718be7bfe5638b429f84d62f817a2d92747f26ee4e97468facdf2e40f089e21c6c7bba159ff8fabaa617e09541bfcb02abfbdc28

Download Submit
memory/2648-25-0x000000001B5D0000-0x000000001B5E2000-memory.dmp

Filesize
72KB

Download
memory/2648-0-0x00007FFBAC935000-0x00007FFBAC936000-memory.dmp

Filesize
4KB

Download
memory/2648-7-0x000000001BDB0000-0x000000001C27E000-memory.dmp

Filesize
4.8MB

Download
memory/2648-6-0x000000001B8D0000-0x000000001B8DE000-memory.dmp

Filesize
56KB

Download
memory/2648-3-0x000000001B6E0000-0x000000001B73C000-memory.dmp

Filesize
368KB

Download
memory/2648-31-0x00007FFBAC680000-0x00007FFBAD021000-memory.dmp

Filesize
9.6MB

Download
memory/2648-2-0x00007FFBAC680000-0x00007FFBAD021000-memory.dmp

Filesize
9.6MB

Download
memory/2648-29-0x00007FFBAC680000-0x00007FFBAD021000-memory.dmp

Filesize
9.6MB

Download
memory/2648-1-0x00007FFBAC680000-0x00007FFBAD021000-memory.dmp

Filesize
9.6MB

Download
memory/2648-23-0x000000001C9E0000-0x000000001C9F6000-memory.dmp

Filesize
88KB

Download
memory/2648-8-0x000000001C320000-0x000000001C3BC000-memory.dmp

Filesize
624KB

Download
memory/2648-26-0x000000001B5A0000-0x000000001B5A8000-memory.dmp

Filesize
32KB

Download
memory/2648-27-0x00007FFBAC680000-0x00007FFBAD021000-memory.dmp

Filesize
9.6MB

Download
memory/2648-28-0x00007FFBAC935000-0x00007FFBAC936000-memory.dmp

Filesize
4KB

Download
memory/4568-21-0x00007FFBAC680000-0x00007FFBAD021000-memory.dmp

Filesize
9.6MB

Download
memory/4568-16-0x00007FFBAC680000-0x00007FFBAD021000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads