Analysis
- max time kernel: 173s
- max time network: 187s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 03:25

Static task: static1
Behavioral task: behavioral1
- Sample: PFI_9077_765_2020.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: PFI_9077_765_2020.exe
- Resource: win10v2004-20220414-en
General
- Target: PFI_9077_765_2020.exe
- Size: 686KB
- MD5: 0e782f5f57876f5e1cab16e0d8afb69f
- SHA1: cbe4910fba99d721710f836bef90ae05e8879e50
- SHA256: 2eff10c6153ea10cba3b0719f4526c474236e255ca55ed74f97809445e0a1c22
- SHA512: e62403d005e46a1632ae52ef4206a974ee20b4143df35272c80853788bb7bd1b4f660f8e8dc2a3cf48afffc28afceecc6987c46464c0eb7bcbe264ad79ac535d
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  616 | windate.exe
- NTFS ADS (1 IoC)
  Processes:
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\windate\windate.exe:ZoneIdentifier | PFI_9077_765_2020.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid | process
  4828 | PFI_9077_765_2020.exe
  4828 | PFI_9077_765_2020.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description | pid | process | target process
  PID 4828 wrote to memory of 616 | 4828 | PFI_9077_765_2020.exe | windate.exe
  PID 4828 wrote to memory of 616 | 4828 | PFI_9077_765_2020.exe | windate.exe
  PID 4828 wrote to memory of 616 | 4828 | PFI_9077_765_2020.exe | windate.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\PFI_9077_765_2020.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\PFI_9077_765_2020.exe"
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\windate\windate.exe (child process)
    Command line: "C:\Users\Admin\AppData\Roaming\windate\windate.exe"
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Roaming\windate\windate.exe
  Filesize: 686KB
  MD5: 0e782f5f57876f5e1cab16e0d8afb69f
  SHA1: cbe4910fba99d721710f836bef90ae05e8879e50
  SHA256: 2eff10c6153ea10cba3b0719f4526c474236e255ca55ed74f97809445e0a1c22
  SHA512: e62403d005e46a1632ae52ef4206a974ee20b4143df35272c80853788bb7bd1b4f660f8e8dc2a3cf48afffc28afceecc6987c46464c0eb7bcbe264ad79ac535d
- memory/616-133-0x0000000000000000-mapping.dmp
- memory/616-136-0x00000000021E0000-0x0000000002222000-memory.dmp
  Filesize: 264KB
- memory/4828-130-0x0000000002320000-0x0000000002362000-memory.dmp
  Filesize: 264KB
- memory/4828-131-0x0000000000400000-0x000000000054D000-memory.dmp
  Filesize: 1.3MB
- memory/4828-132-0x0000000000400000-0x000000000054D000-memory.dmp
  Filesize: 1.3MB