4507cd3211bb9010fe7f00f553d270d2cdbf9cfc2d9e179ac7ec914fb99e791e

General

Target

4507cd3211bb9010fe7f00f553d270d2cdbf9cfc2d9e179ac7ec914fb99e791e.exe
Size

903KB
MD5

1015f1daea31f089ee84fd9b084b840c
SHA1

d6eff68dd33752762abf360902e87d8462b20d75
SHA256

4507cd3211bb9010fe7f00f553d270d2cdbf9cfc2d9e179ac7ec914fb99e791e
SHA512

f73fe0a8a9481af5532ea3332a02f7a58bad411991af06b8fcbf4eb780baf1fd8ad8790a3abfe093eb8d7c23ad6d0b3c02ab423b162daf82354a2039a9346bb7
SSDEEP

12288:X8shHAVBuQBBed37dG1lFlWcYT70pxnnaaoawMRVcTqSA+9rZNrI0AilFEvxHvBs:s3s4MROxnF9LqrZlI0AilFEvxHiGo

Score

6^/10

Malware Config

Signatures

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	4507cd3211bb9010fe7f00f553d270d2cdbf9cfc2d9e179ac7ec914fb99e791e.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	4507cd3211bb9010fe7f00f553d270d2cdbf9cfc2d9e179ac7ec914fb99e791e.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	4507cd3211bb9010fe7f00f553d270d2cdbf9cfc2d9e179ac7ec914fb99e791e.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	4507cd3211bb9010fe7f00f553d270d2cdbf9cfc2d9e179ac7ec914fb99e791e.exe
File opened for modification	C:\Windows\assembly	4507cd3211bb9010fe7f00f553d270d2cdbf9cfc2d9e179ac7ec914fb99e791e.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3544 wrote to memory of 2212	3544	4507cd3211bb9010fe7f00f553d270d2cdbf9cfc2d9e179ac7ec914fb99e791e.exe	83
PID 3544 wrote to memory of 2212	3544	4507cd3211bb9010fe7f00f553d270d2cdbf9cfc2d9e179ac7ec914fb99e791e.exe	83
PID 2212 wrote to memory of 408	2212	csc.exe	85
PID 2212 wrote to memory of 408	2212	csc.exe	85

C:\Users\Admin\AppData\Local\Temp\4507cd3211bb9010fe7f00f553d270d2cdbf9cfc2d9e179ac7ec914fb99e791e.exe
"C:\Users\Admin\AppData\Local\Temp\4507cd3211bb9010fe7f00f553d270d2cdbf9cfc2d9e179ac7ec914fb99e791e.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3544
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cicqfncx.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2212
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFB68.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCFB67.tmp"
    3⤵
    PID:408

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESFB68.tmp

Filesize
1KB

MD5
dce1f346a5689edad78b9bacc51da97f

SHA1
8f186ca039fb6138cd4f638422db8f9fe59ca181

SHA256
5947f0d4f09a30e8f15a8b4814a2b72549e4e348256e495c60da8212d7cbfe18

SHA512
f9545b10a97e928e1d83242303827d0337222b5d0411985cc1c95d65ab2156e2b3dba7f4361c330b52516d80d2ea8970039c96caa802c1f48ec32cae7ac9fc58

Download Submit
C:\Users\Admin\AppData\Local\Temp\cicqfncx.dll

Filesize
76KB

MD5
fb9793bd8f7f39fa4c6547b3d68bbb48

SHA1
6587951cbeb9766911306a2f1b46b90f2ad28f70

SHA256
8ad44447e6f60ba4fb34b587936d56608fce83e8b7951f9feff1488192df3f53

SHA512
6d5d4dc6cf74e94c3f73bbee6a234704198a03232a3e20887ab20cfb4efd2b547f944b1e4df4f58f7720b9eed4a21636ea2a1a2633bc64a5d67d661e10e81492

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCFB67.tmp

Filesize
676B

MD5
19ea4a6c3c320f343a0307297b96f7fe

SHA1
2a0d07d0752a8aed2c1474cb5cbe49bf5900d1af

SHA256
22a2124168ac20074f68b60a477a147fd61bc274a5bd479177ea9074642e7065

SHA512
9bd660a9b9bbda30ad06018abce95f3f6977b734d8db87cccffaecaf1313e45d91f1620d1c5014486bc34a1a81157d8928f2aa9b1780e53635dd42b2bef25a76

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cicqfncx.0.cs

Filesize
208KB

MD5
57f0d56fe55220433d23651cf2ba66e3

SHA1
581a45ad54bb4c5bd50fad86a26824bc60b0e834

SHA256
de983c110f8aaf7f7049514cd3dd908292d0b7f18ae274cdcecaa1e3db708ff5

SHA512
d54196f3de01924b5d625ab5de8d6d8809211935461509b13043b618b746a99a45c9d0945dc0ca5d8b9250142f5dea9761224b1fa14bc79e83df8c5f8b85b01d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cicqfncx.cmdline

Filesize
349B

MD5
237b0973176275801227e53857e168eb

SHA1
053168a04eca46c7ed2d0fbede5fcde5ecf9a787

SHA256
f4d8f31c5155185ba087780eed3fcf3a1b6b33a7b5f3da9010c5a2f88dfea821

SHA512
63cef8c2ec7a1bcfba32b2c52101b62c131c57f7a2e63d9b1a5d406329cb2fec3db16198cc8346a69c2753e12adf3bedcb89a31c2cb2591cbcdf0dfdc039db52

Download Submit
memory/2212-21-0x00007FFCD4260000-0x00007FFCD4C01000-memory.dmp

Filesize
9.6MB

Download
memory/2212-16-0x00007FFCD4260000-0x00007FFCD4C01000-memory.dmp

Filesize
9.6MB

Download
memory/3544-1-0x00007FFCD4260000-0x00007FFCD4C01000-memory.dmp

Filesize
9.6MB

Download
memory/3544-0-0x00007FFCD4515000-0x00007FFCD4516000-memory.dmp

Filesize
4KB

Download
memory/3544-7-0x000000001C210000-0x000000001C6DE000-memory.dmp

Filesize
4.8MB

Download
memory/3544-5-0x000000001BC10000-0x000000001BC1E000-memory.dmp

Filesize
56KB

Download
memory/3544-2-0x000000001BA30000-0x000000001BA8C000-memory.dmp

Filesize
368KB

Download
memory/3544-8-0x000000001C6E0000-0x000000001C77C000-memory.dmp

Filesize
624KB

Download
memory/3544-6-0x00007FFCD4260000-0x00007FFCD4C01000-memory.dmp

Filesize
9.6MB

Download
memory/3544-23-0x000000001BCF0000-0x000000001BD06000-memory.dmp

Filesize
88KB

Download
memory/3544-25-0x00000000014A0000-0x00000000014B2000-memory.dmp

Filesize
72KB

Download
memory/3544-26-0x0000000001300000-0x0000000001308000-memory.dmp

Filesize
32KB

Download
memory/3544-27-0x00007FFCD4260000-0x00007FFCD4C01000-memory.dmp

Filesize
9.6MB

Download
memory/3544-29-0x00007FFCD4260000-0x00007FFCD4C01000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads