018aeefb70244e918357b06f0c38a5be207ac1bf27c2601452bd72cc098a4256

Analysis

max time kernel
139s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
23-05-2022 19:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

018aeefb70244e918357b06f0c38a5be207ac1bf27c2601452bd72cc098a4256.exe
Size

202KB
MD5

a4a4b85ffc87e7cf5cb34ca78b280dce
SHA1

80cb691cf04d5bfd5ad775ce57803aa7e5b58ee1
SHA256

018aeefb70244e918357b06f0c38a5be207ac1bf27c2601452bd72cc098a4256
SHA512

a9fefe2115b9ef7ba18d0b0584c518680e67c274278cb9dc76253d36b65711e02c95fecefc88c6498331b4d81a303ad8953a7b764ed89b5e562a2c96cd209b9e

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 10 IoCs

Processes:

openssl32.exeopenssl32.exeopenssl32.exeopenssl32.exeopenssl32.exeopenssl32.exeopenssl32.exeopenssl32.exeopenssl32.exeopenssl32.exe

pid	process
4464	openssl32.exe
888	openssl32.exe
2372	openssl32.exe
2656	openssl32.exe
1536	openssl32.exe
3648	openssl32.exe
3416	openssl32.exe
1256	openssl32.exe
3328	openssl32.exe
2348	openssl32.exe

Drops file in System32 directory 22 IoCs

Processes:

openssl32.exeopenssl32.exeopenssl32.exeopenssl32.exe018aeefb70244e918357b06f0c38a5be207ac1bf27c2601452bd72cc098a4256.exeopenssl32.exeopenssl32.exeopenssl32.exeopenssl32.exeopenssl32.exeopenssl32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\openssl32.exe	openssl32.exe
File created	C:\Windows\SysWOW64\openssl32.exe	openssl32.exe
File opened for modification	C:\Windows\SysWOW64\openssl32.exe	openssl32.exe
File opened for modification	C:\Windows\SysWOW64\openssl32.exe	openssl32.exe
File created	C:\Windows\SysWOW64\openssl32.exe	018aeefb70244e918357b06f0c38a5be207ac1bf27c2601452bd72cc098a4256.exe
File created	C:\Windows\SysWOW64\openssl32.exe	openssl32.exe
File opened for modification	C:\Windows\SysWOW64\openssl32.exe	openssl32.exe
File created	C:\Windows\SysWOW64\openssl32.exe	openssl32.exe
File opened for modification	C:\Windows\SysWOW64\openssl32.exe	openssl32.exe
File created	C:\Windows\SysWOW64\openssl32.exe	openssl32.exe
File opened for modification	C:\Windows\SysWOW64\openssl32.exe	openssl32.exe
File opened for modification	C:\Windows\SysWOW64\openssl32.exe	openssl32.exe
File opened for modification	C:\Windows\SysWOW64\openssl32.exe	openssl32.exe
File created	C:\Windows\SysWOW64\openssl32.exe	openssl32.exe
File created	C:\Windows\SysWOW64\openssl32.exe	openssl32.exe
File opened for modification	C:\Windows\SysWOW64\openssl32.exe	018aeefb70244e918357b06f0c38a5be207ac1bf27c2601452bd72cc098a4256.exe
File opened for modification	C:\Windows\SysWOW64\openssl32.exe	openssl32.exe
File opened for modification	C:\Windows\SysWOW64\openssl32.exe	openssl32.exe
File opened for modification	C:\Windows\SysWOW64\openssl32.exe	openssl32.exe
File created	C:\Windows\SysWOW64\openssl32.exe	openssl32.exe
File created	C:\Windows\SysWOW64\openssl32.exe	openssl32.exe
File created	C:\Windows\SysWOW64\openssl32.exe	openssl32.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

018aeefb70244e918357b06f0c38a5be207ac1bf27c2601452bd72cc098a4256.exeopenssl32.exeopenssl32.exeopenssl32.exeopenssl32.exeopenssl32.exeopenssl32.exeopenssl32.exeopenssl32.exeopenssl32.exe

description	pid	process	target process
PID 404 wrote to memory of 4464	404	018aeefb70244e918357b06f0c38a5be207ac1bf27c2601452bd72cc098a4256.exe	openssl32.exe
PID 404 wrote to memory of 4464	404	018aeefb70244e918357b06f0c38a5be207ac1bf27c2601452bd72cc098a4256.exe	openssl32.exe
PID 404 wrote to memory of 4464	404	018aeefb70244e918357b06f0c38a5be207ac1bf27c2601452bd72cc098a4256.exe	openssl32.exe
PID 4464 wrote to memory of 888	4464	openssl32.exe	openssl32.exe
PID 4464 wrote to memory of 888	4464	openssl32.exe	openssl32.exe
PID 4464 wrote to memory of 888	4464	openssl32.exe	openssl32.exe
PID 888 wrote to memory of 2372	888	openssl32.exe	openssl32.exe
PID 888 wrote to memory of 2372	888	openssl32.exe	openssl32.exe
PID 888 wrote to memory of 2372	888	openssl32.exe	openssl32.exe
PID 2372 wrote to memory of 2656	2372	openssl32.exe	openssl32.exe
PID 2372 wrote to memory of 2656	2372	openssl32.exe	openssl32.exe
PID 2372 wrote to memory of 2656	2372	openssl32.exe	openssl32.exe
PID 2656 wrote to memory of 1536	2656	openssl32.exe	openssl32.exe
PID 2656 wrote to memory of 1536	2656	openssl32.exe	openssl32.exe
PID 2656 wrote to memory of 1536	2656	openssl32.exe	openssl32.exe
PID 1536 wrote to memory of 3648	1536	openssl32.exe	openssl32.exe
PID 1536 wrote to memory of 3648	1536	openssl32.exe	openssl32.exe
PID 1536 wrote to memory of 3648	1536	openssl32.exe	openssl32.exe
PID 3648 wrote to memory of 3416	3648	openssl32.exe	openssl32.exe
PID 3648 wrote to memory of 3416	3648	openssl32.exe	openssl32.exe
PID 3648 wrote to memory of 3416	3648	openssl32.exe	openssl32.exe
PID 3416 wrote to memory of 1256	3416	openssl32.exe	openssl32.exe
PID 3416 wrote to memory of 1256	3416	openssl32.exe	openssl32.exe
PID 3416 wrote to memory of 1256	3416	openssl32.exe	openssl32.exe
PID 1256 wrote to memory of 3328	1256	openssl32.exe	openssl32.exe
PID 1256 wrote to memory of 3328	1256	openssl32.exe	openssl32.exe
PID 1256 wrote to memory of 3328	1256	openssl32.exe	openssl32.exe
PID 3328 wrote to memory of 2348	3328	openssl32.exe	openssl32.exe
PID 3328 wrote to memory of 2348	3328	openssl32.exe	openssl32.exe
PID 3328 wrote to memory of 2348	3328	openssl32.exe	openssl32.exe

C:\Users\Admin\AppData\Local\Temp\018aeefb70244e918357b06f0c38a5be207ac1bf27c2601452bd72cc098a4256.exe
"C:\Users\Admin\AppData\Local\Temp\018aeefb70244e918357b06f0c38a5be207ac1bf27c2601452bd72cc098a4256.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:404

C:\Windows\SysWOW64\openssl32.exe
C:\Windows\system32\openssl32.exe 1076 "C:\Users\Admin\AppData\Local\Temp\018aeefb70244e918357b06f0c38a5be207ac1bf27c2601452bd72cc098a4256.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4464

C:\Windows\SysWOW64\openssl32.exe
C:\Windows\system32\openssl32.exe 1192 "C:\Windows\SysWOW64\openssl32.exe"
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:888

C:\Windows\SysWOW64\openssl32.exe
C:\Windows\system32\openssl32.exe 1168 "C:\Windows\SysWOW64\openssl32.exe"
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2372

C:\Windows\SysWOW64\openssl32.exe
C:\Windows\system32\openssl32.exe 1160 "C:\Windows\SysWOW64\openssl32.exe"
5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2656

C:\Windows\SysWOW64\openssl32.exe
C:\Windows\system32\openssl32.exe 1176 "C:\Windows\SysWOW64\openssl32.exe"
6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1536

C:\Windows\SysWOW64\openssl32.exe
C:\Windows\system32\openssl32.exe 1164 "C:\Windows\SysWOW64\openssl32.exe"
7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3648

C:\Windows\SysWOW64\openssl32.exe
C:\Windows\system32\openssl32.exe 1180 "C:\Windows\SysWOW64\openssl32.exe"
8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3416

C:\Windows\SysWOW64\openssl32.exe
C:\Windows\system32\openssl32.exe 1172 "C:\Windows\SysWOW64\openssl32.exe"
9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1256

C:\Windows\SysWOW64\openssl32.exe
C:\Windows\system32\openssl32.exe 1188 "C:\Windows\SysWOW64\openssl32.exe"
10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3328

C:\Windows\SysWOW64\openssl32.exe
C:\Windows\system32\openssl32.exe 1108 "C:\Windows\SysWOW64\openssl32.exe"
11⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2348

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\openssl32.exe
Filesize
202KB

MD5
a4a4b85ffc87e7cf5cb34ca78b280dce

SHA1
80cb691cf04d5bfd5ad775ce57803aa7e5b58ee1

SHA256
018aeefb70244e918357b06f0c38a5be207ac1bf27c2601452bd72cc098a4256

SHA512
a9fefe2115b9ef7ba18d0b0584c518680e67c274278cb9dc76253d36b65711e02c95fecefc88c6498331b4d81a303ad8953a7b764ed89b5e562a2c96cd209b9e

Download Submit
C:\Windows\SysWOW64\openssl32.exe
Filesize
202KB

MD5
a4a4b85ffc87e7cf5cb34ca78b280dce

SHA1
80cb691cf04d5bfd5ad775ce57803aa7e5b58ee1

SHA256
018aeefb70244e918357b06f0c38a5be207ac1bf27c2601452bd72cc098a4256

SHA512
a9fefe2115b9ef7ba18d0b0584c518680e67c274278cb9dc76253d36b65711e02c95fecefc88c6498331b4d81a303ad8953a7b764ed89b5e562a2c96cd209b9e

Download Submit
C:\Windows\SysWOW64\openssl32.exe
Filesize
202KB

MD5
a4a4b85ffc87e7cf5cb34ca78b280dce

SHA1
80cb691cf04d5bfd5ad775ce57803aa7e5b58ee1

SHA256
018aeefb70244e918357b06f0c38a5be207ac1bf27c2601452bd72cc098a4256

SHA512
a9fefe2115b9ef7ba18d0b0584c518680e67c274278cb9dc76253d36b65711e02c95fecefc88c6498331b4d81a303ad8953a7b764ed89b5e562a2c96cd209b9e

Download Submit
C:\Windows\SysWOW64\openssl32.exe
Filesize
202KB

MD5
a4a4b85ffc87e7cf5cb34ca78b280dce

SHA1
80cb691cf04d5bfd5ad775ce57803aa7e5b58ee1

SHA256
018aeefb70244e918357b06f0c38a5be207ac1bf27c2601452bd72cc098a4256

SHA512
a9fefe2115b9ef7ba18d0b0584c518680e67c274278cb9dc76253d36b65711e02c95fecefc88c6498331b4d81a303ad8953a7b764ed89b5e562a2c96cd209b9e

Download Submit
C:\Windows\SysWOW64\openssl32.exe
Filesize
202KB

MD5
a4a4b85ffc87e7cf5cb34ca78b280dce

SHA1
80cb691cf04d5bfd5ad775ce57803aa7e5b58ee1

SHA256
018aeefb70244e918357b06f0c38a5be207ac1bf27c2601452bd72cc098a4256

SHA512
a9fefe2115b9ef7ba18d0b0584c518680e67c274278cb9dc76253d36b65711e02c95fecefc88c6498331b4d81a303ad8953a7b764ed89b5e562a2c96cd209b9e

Download Submit
C:\Windows\SysWOW64\openssl32.exe
Filesize
202KB

MD5
a4a4b85ffc87e7cf5cb34ca78b280dce

SHA1
80cb691cf04d5bfd5ad775ce57803aa7e5b58ee1

SHA256
018aeefb70244e918357b06f0c38a5be207ac1bf27c2601452bd72cc098a4256

SHA512
a9fefe2115b9ef7ba18d0b0584c518680e67c274278cb9dc76253d36b65711e02c95fecefc88c6498331b4d81a303ad8953a7b764ed89b5e562a2c96cd209b9e

Download Submit
C:\Windows\SysWOW64\openssl32.exe
Filesize
202KB

MD5
a4a4b85ffc87e7cf5cb34ca78b280dce

SHA1
80cb691cf04d5bfd5ad775ce57803aa7e5b58ee1

SHA256
018aeefb70244e918357b06f0c38a5be207ac1bf27c2601452bd72cc098a4256

SHA512
a9fefe2115b9ef7ba18d0b0584c518680e67c274278cb9dc76253d36b65711e02c95fecefc88c6498331b4d81a303ad8953a7b764ed89b5e562a2c96cd209b9e

Download Submit
C:\Windows\SysWOW64\openssl32.exe
Filesize
202KB

MD5
a4a4b85ffc87e7cf5cb34ca78b280dce

SHA1
80cb691cf04d5bfd5ad775ce57803aa7e5b58ee1

SHA256
018aeefb70244e918357b06f0c38a5be207ac1bf27c2601452bd72cc098a4256

SHA512
a9fefe2115b9ef7ba18d0b0584c518680e67c274278cb9dc76253d36b65711e02c95fecefc88c6498331b4d81a303ad8953a7b764ed89b5e562a2c96cd209b9e

Download Submit
C:\Windows\SysWOW64\openssl32.exe
Filesize
202KB

MD5
a4a4b85ffc87e7cf5cb34ca78b280dce

SHA1
80cb691cf04d5bfd5ad775ce57803aa7e5b58ee1

SHA256
018aeefb70244e918357b06f0c38a5be207ac1bf27c2601452bd72cc098a4256

SHA512
a9fefe2115b9ef7ba18d0b0584c518680e67c274278cb9dc76253d36b65711e02c95fecefc88c6498331b4d81a303ad8953a7b764ed89b5e562a2c96cd209b9e

Download Submit
C:\Windows\SysWOW64\openssl32.exe
Filesize
202KB

MD5
a4a4b85ffc87e7cf5cb34ca78b280dce

SHA1
80cb691cf04d5bfd5ad775ce57803aa7e5b58ee1

SHA256
018aeefb70244e918357b06f0c38a5be207ac1bf27c2601452bd72cc098a4256

SHA512
a9fefe2115b9ef7ba18d0b0584c518680e67c274278cb9dc76253d36b65711e02c95fecefc88c6498331b4d81a303ad8953a7b764ed89b5e562a2c96cd209b9e

Download Submit
C:\Windows\SysWOW64\openssl32.exe
Filesize
202KB

MD5
a4a4b85ffc87e7cf5cb34ca78b280dce

SHA1
80cb691cf04d5bfd5ad775ce57803aa7e5b58ee1

SHA256
018aeefb70244e918357b06f0c38a5be207ac1bf27c2601452bd72cc098a4256

SHA512
a9fefe2115b9ef7ba18d0b0584c518680e67c274278cb9dc76253d36b65711e02c95fecefc88c6498331b4d81a303ad8953a7b764ed89b5e562a2c96cd209b9e

Download Submit
memory/404-130-0x0000000000930000-0x000000000096A000-memory.dmp

Filesize
232KB

Download
memory/888-137-0x0000000000560000-0x000000000059A000-memory.dmp

Filesize
232KB

Download
memory/888-135-0x0000000000000000-mapping.dmp

Download
memory/1256-155-0x0000000000650000-0x000000000068A000-memory.dmp

Filesize
232KB

Download
memory/1256-153-0x0000000000000000-mapping.dmp

Download
memory/1536-146-0x0000000000930000-0x000000000096A000-memory.dmp

Filesize
232KB

Download
memory/1536-144-0x0000000000000000-mapping.dmp

Download
memory/2348-161-0x0000000000620000-0x000000000065A000-memory.dmp

Filesize
232KB

Download
memory/2348-159-0x0000000000000000-mapping.dmp

Download
memory/2372-140-0x0000000000950000-0x000000000098A000-memory.dmp

Filesize
232KB

Download
memory/2372-138-0x0000000000000000-mapping.dmp

Download
memory/2656-143-0x0000000000980000-0x00000000009BA000-memory.dmp

Filesize
232KB

Download
memory/2656-141-0x0000000000000000-mapping.dmp

Download
memory/3328-156-0x0000000000000000-mapping.dmp

Download
memory/3328-158-0x0000000000810000-0x000000000084A000-memory.dmp

Filesize
232KB

Download
memory/3416-152-0x0000000000630000-0x000000000066A000-memory.dmp

Filesize
232KB

Download
memory/3416-150-0x0000000000000000-mapping.dmp

Download
memory/3648-147-0x0000000000000000-mapping.dmp

Download
memory/3648-149-0x0000000000730000-0x000000000076A000-memory.dmp

Filesize
232KB

Download
memory/4464-134-0x0000000000700000-0x000000000073A000-memory.dmp

Filesize
232KB

Download
memory/4464-131-0x0000000000000000-mapping.dmp

Download