Analysis
- max time kernel: 112s
- max time network: 123s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 03:25
Static task: static1
Behavioral task: behavioral1
- Sample: 2eff10c6153ea10cba3b0719f4526c474236e255ca55ed74f97809445e0a1c22.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 2eff10c6153ea10cba3b0719f4526c474236e255ca55ed74f97809445e0a1c22.exe
- Resource: win10v2004-20220414-en
General
- Target: 2eff10c6153ea10cba3b0719f4526c474236e255ca55ed74f97809445e0a1c22.exe
- Size: 686KB
- MD5: 0e782f5f57876f5e1cab16e0d8afb69f
- SHA1: cbe4910fba99d721710f836bef90ae05e8879e50
- SHA256: 2eff10c6153ea10cba3b0719f4526c474236e255ca55ed74f97809445e0a1c22
- SHA512: e62403d005e46a1632ae52ef4206a974ee20b4143df35272c80853788bb7bd1b4f660f8e8dc2a3cf48afffc28afceecc6987c46464c0eb7bcbe264ad79ac535d
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Process: windate.exe, PID 4632
- NTFS ADS (1 IoC)
  Process 2eff10c6153ea10cba3b0719f4526c474236e255ca55ed74f97809445e0a1c22.exe created file C:\Users\Admin\AppData\Roaming\windate\windate.exe:ZoneIdentifier
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Process: 2eff10c6153ea10cba3b0719f4526c474236e255ca55ed74f97809445e0a1c22.exe, PID 2108 (2 occurrences)
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 2108 (2eff10c6153ea10cba3b0719f4526c474236e255ca55ed74f97809445e0a1c22.exe) wrote to memory of PID 4632 (windate.exe), 3 occurrences
Processes
- C:\Users\Admin\AppData\Local\Temp\2eff10c6153ea10cba3b0719f4526c474236e255ca55ed74f97809445e0a1c22.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2eff10c6153ea10cba3b0719f4526c474236e255ca55ed74f97809445e0a1c22.exe"
  Signatures: NTFS ADS; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\windate\windate.exe (child process)
    Command line: "C:\Users\Admin\AppData\Roaming\windate\windate.exe"
    Signatures: Executes dropped EXE
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Roaming\windate\windate.exe
  Filesize: 686KB
  MD5: 0e782f5f57876f5e1cab16e0d8afb69f
  SHA1: cbe4910fba99d721710f836bef90ae05e8879e50
  SHA256: 2eff10c6153ea10cba3b0719f4526c474236e255ca55ed74f97809445e0a1c22
  SHA512: e62403d005e46a1632ae52ef4206a974ee20b4143df35272c80853788bb7bd1b4f660f8e8dc2a3cf48afffc28afceecc6987c46464c0eb7bcbe264ad79ac535d
- memory/2108-130-0x00000000022F0000-0x0000000002332000-memory.dmp
  Filesize: 264KB
- memory/2108-131-0x0000000000400000-0x000000000054D000-memory.dmp
  Filesize: 1.3MB
- memory/2108-132-0x0000000000400000-0x000000000054D000-memory.dmp
  Filesize: 1.3MB
- memory/4632-133-0x0000000000000000-mapping.dmp
- memory/4632-136-0x00000000021D0000-0x0000000002212000-memory.dmp
  Filesize: 264KB