78afefee16a6e648a08f0e348c086dde76f917e24b45dd4c64124fa0645f8d97

General

Target

78afefee16a6e648a08f0e348c086dde76f917e24b45dd4c64124fa0645f8d97.exe
Size

903KB
MD5

e01f6c2e3489ec4f372f5e42043c76ad
SHA1

ff18a6f8f0535cb90bd1be41c5f751eb7e68c9bf
SHA256

78afefee16a6e648a08f0e348c086dde76f917e24b45dd4c64124fa0645f8d97
SHA512

b7eb8aaf68bc5a91e94bb1889cda2d0c22af3cbf4011134b6b4d86d08ca6e945002f868a3c818fb0aa0e551193863167c874f4780aa93142b7e74768d96dd932
SSDEEP

12288:Y8shHAVBuQBBed37dG1lFlWcYT70pxnnaaoawMRVcTqSA+9rZNrI0AilFEvxHvBJ:p3s4MROxnF9LqrZlI0AilFEvxHi8b8o

Score

6^/10

Malware Config

Signatures

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	78afefee16a6e648a08f0e348c086dde76f917e24b45dd4c64124fa0645f8d97.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	78afefee16a6e648a08f0e348c086dde76f917e24b45dd4c64124fa0645f8d97.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	78afefee16a6e648a08f0e348c086dde76f917e24b45dd4c64124fa0645f8d97.exe
File created	C:\Windows\assembly\Desktop.ini	78afefee16a6e648a08f0e348c086dde76f917e24b45dd4c64124fa0645f8d97.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	78afefee16a6e648a08f0e348c086dde76f917e24b45dd4c64124fa0645f8d97.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 380	1928	78afefee16a6e648a08f0e348c086dde76f917e24b45dd4c64124fa0645f8d97.exe	83
PID 1928 wrote to memory of 380	1928	78afefee16a6e648a08f0e348c086dde76f917e24b45dd4c64124fa0645f8d97.exe	83
PID 380 wrote to memory of 4816	380	csc.exe	85
PID 380 wrote to memory of 4816	380	csc.exe	85

C:\Users\Admin\AppData\Local\Temp\78afefee16a6e648a08f0e348c086dde76f917e24b45dd4c64124fa0645f8d97.exe
"C:\Users\Admin\AppData\Local\Temp\78afefee16a6e648a08f0e348c086dde76f917e24b45dd4c64124fa0645f8d97.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mzoo3hi0.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:380
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9A3D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9A3C.tmp"
    3⤵
    PID:4816

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES9A3D.tmp

Filesize
1KB

MD5
b3e415efadbcf1ad9945078de578638a

SHA1
333bd87065354208e10cfdbc459672da81c6ae1c

SHA256
8d3f0214f18ccfd1507ee662e5ae58c428b9f1e7e96906ecbfb73693690703dd

SHA512
ddaae759900d7e2eab6b349944449fcd7b641151a57a12cb0f4f4bf77392f16d1ef862b7504ed3ea1ef27d99670cabbf799d131d4c04ab51139f0a1a6981d54c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mzoo3hi0.dll

Filesize
76KB

MD5
3fdcfdfbc32d59bbf4bd55a8c291a842

SHA1
cb8e267c516af35fb80d8fc3bac0f49803f24eb9

SHA256
0cec692542dacf56debd18d555e298d183d7ede714cbd7e983839e03f2f91a87

SHA512
96488ceae1c10631ace6eaa2acca177a2b64cbff5eba5bece1641f3ef6d50b3a39f31fdb0b6af1c113aa876afe39775a2886d0b67d296659ab85d1fb47b27f63

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC9A3C.tmp

Filesize
676B

MD5
abf193f42f3c064383ef287edf4b8009

SHA1
9eb1828df289b52db97cbf16a10f7ff513f049cb

SHA256
11e68fa8756bb9fa4d25b08681ac1b0afc247cd19b91dca05a8c227026509315

SHA512
5cbe81cc5b8d42baf23bdd48bd567f682e74d7fb4871eb7bd13b0d26f430df753a316ab8786f632137bd7622594233f92aff48a1d771cf59b08defcf52aae24c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mzoo3hi0.0.cs

Filesize
208KB

MD5
eff09a4d83955084eed3edb0703e849d

SHA1
fc84ade52bc6b68f1cf7dacab7b9f3004fcd925e

SHA256
68c04e882bcde98bdca10f4e29e1d2915c60e7a4ebaef596d9a6e8e6220f2144

SHA512
b8d47fc3a5db45f2e2e31c9c60935baddb8e5cbed893e3d5e6eb03975f2d9134c09977940863b37bfbaf72313349e6a755bc736b852ac9c4d9c0117d4a86a99c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mzoo3hi0.cmdline

Filesize
349B

MD5
e58ea2b741485f2bcb6ac2feda91a6d2

SHA1
dd37d51f5b076f6edb38a086fb6170a86a3f69f5

SHA256
b707ae0765a9eb395c55f5edfc91fdb7de3a143d79e44cc58b7ad35868fd8b21

SHA512
23304f955e037e53c1f1667eaa84883f8d9f98b213352a7817ac49c54fe9e78b09d5c0a10503ee4080cc89f81d75230c46ff11b78a3a47bc6936cac457af5ecb

Download Submit
memory/380-21-0x00007FF98BCC0000-0x00007FF98C661000-memory.dmp

Filesize
9.6MB

Download
memory/380-16-0x00007FF98BCC0000-0x00007FF98C661000-memory.dmp

Filesize
9.6MB

Download
memory/1928-0-0x00007FF98BF75000-0x00007FF98BF76000-memory.dmp

Filesize
4KB

Download
memory/1928-6-0x00007FF98BCC0000-0x00007FF98C661000-memory.dmp

Filesize
9.6MB

Download
memory/1928-7-0x000000001C1F0000-0x000000001C6BE000-memory.dmp

Filesize
4.8MB

Download
memory/1928-5-0x000000001BCE0000-0x000000001BCEE000-memory.dmp

Filesize
56KB

Download
memory/1928-2-0x000000001BB00000-0x000000001BB5C000-memory.dmp

Filesize
368KB

Download
memory/1928-8-0x000000001C760000-0x000000001C7FC000-memory.dmp

Filesize
624KB

Download
memory/1928-23-0x000000001CE00000-0x000000001CE16000-memory.dmp

Filesize
88KB

Download
memory/1928-1-0x00007FF98BCC0000-0x00007FF98C661000-memory.dmp

Filesize
9.6MB

Download
memory/1928-25-0x000000001BA60000-0x000000001BA72000-memory.dmp

Filesize
72KB

Download
memory/1928-26-0x000000001B9C0000-0x000000001B9C8000-memory.dmp

Filesize
32KB

Download
memory/1928-27-0x00007FF98BCC0000-0x00007FF98C661000-memory.dmp

Filesize
9.6MB

Download
memory/1928-29-0x00007FF98BCC0000-0x00007FF98C661000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads