c621067f20e7974dc787909a1dd44e4af63ef5a3b539d61a81c2e87b8cf90bd2

Analysis

max time kernel
168s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2022, 13:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c621067f20e7974dc787909a1dd44e4af63ef5a3b539d61a81c2e87b8cf90bd2.exe
Size

231KB
MD5

502386f865d9dc70f8456731e9ef3071
SHA1

3e3b62538cb5f40ec87604bb19a30f8c3362c87d
SHA256

c621067f20e7974dc787909a1dd44e4af63ef5a3b539d61a81c2e87b8cf90bd2
SHA512

c7354bcb8d73adab817fab530920b6bd9df9ccd12f8c5f1b2246509f49e24f203325560c3166411d595788dbeac8c879e712c60d15bb17b67d0c2786ac88214c
SSDEEP

6144:W2xOvH69Pu2EQksD6GW3UDe1JhbI2IzEl:XOva9WlQksNW3RJpczw

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 12 IoCs

pid	Process
4812	tasklist32.exe
3564	tasklist32.exe
1100	tasklist32.exe
3892	tasklist32.exe
4516	tasklist32.exe
3392	tasklist32.exe
5004	tasklist32.exe
4228	tasklist32.exe
768	tasklist32.exe
2292	tasklist32.exe
2928	tasklist32.exe
3488	tasklist32.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\windows\SysWOW64\tasklist32.exe	c621067f20e7974dc787909a1dd44e4af63ef5a3b539d61a81c2e87b8cf90bd2.exe
File opened for modification	\??\c:\windows\SysWOW64\tasklist32.exe	c621067f20e7974dc787909a1dd44e4af63ef5a3b539d61a81c2e87b8cf90bd2.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
4804	c621067f20e7974dc787909a1dd44e4af63ef5a3b539d61a81c2e87b8cf90bd2.exe
4812	tasklist32.exe
3564	tasklist32.exe
1100	tasklist32.exe
3892	tasklist32.exe
4516	tasklist32.exe
3392	tasklist32.exe
5004	tasklist32.exe
4228	tasklist32.exe
768	tasklist32.exe
2292	tasklist32.exe
2928	tasklist32.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 4804 wrote to memory of 4812	4804	c621067f20e7974dc787909a1dd44e4af63ef5a3b539d61a81c2e87b8cf90bd2.exe	81
PID 4804 wrote to memory of 4812	4804	c621067f20e7974dc787909a1dd44e4af63ef5a3b539d61a81c2e87b8cf90bd2.exe	81
PID 4804 wrote to memory of 4812	4804	c621067f20e7974dc787909a1dd44e4af63ef5a3b539d61a81c2e87b8cf90bd2.exe	81
PID 4812 wrote to memory of 3564	4812	tasklist32.exe	83
PID 4812 wrote to memory of 3564	4812	tasklist32.exe	83
PID 4812 wrote to memory of 3564	4812	tasklist32.exe	83
PID 3564 wrote to memory of 1100	3564	tasklist32.exe	84
PID 3564 wrote to memory of 1100	3564	tasklist32.exe	84
PID 3564 wrote to memory of 1100	3564	tasklist32.exe	84
PID 1100 wrote to memory of 3892	1100	tasklist32.exe	85
PID 1100 wrote to memory of 3892	1100	tasklist32.exe	85
PID 1100 wrote to memory of 3892	1100	tasklist32.exe	85
PID 3892 wrote to memory of 4516	3892	tasklist32.exe	86
PID 3892 wrote to memory of 4516	3892	tasklist32.exe	86
PID 3892 wrote to memory of 4516	3892	tasklist32.exe	86
PID 4516 wrote to memory of 3392	4516	tasklist32.exe	87
PID 4516 wrote to memory of 3392	4516	tasklist32.exe	87
PID 4516 wrote to memory of 3392	4516	tasklist32.exe	87
PID 3392 wrote to memory of 5004	3392	tasklist32.exe	88
PID 3392 wrote to memory of 5004	3392	tasklist32.exe	88
PID 3392 wrote to memory of 5004	3392	tasklist32.exe	88
PID 5004 wrote to memory of 4228	5004	tasklist32.exe	95
PID 5004 wrote to memory of 4228	5004	tasklist32.exe	95
PID 5004 wrote to memory of 4228	5004	tasklist32.exe	95
PID 4228 wrote to memory of 768	4228	tasklist32.exe	96
PID 4228 wrote to memory of 768	4228	tasklist32.exe	96
PID 4228 wrote to memory of 768	4228	tasklist32.exe	96
PID 768 wrote to memory of 2292	768	tasklist32.exe	97
PID 768 wrote to memory of 2292	768	tasklist32.exe	97
PID 768 wrote to memory of 2292	768	tasklist32.exe	97
PID 2292 wrote to memory of 2928	2292	tasklist32.exe	98
PID 2292 wrote to memory of 2928	2292	tasklist32.exe	98
PID 2292 wrote to memory of 2928	2292	tasklist32.exe	98
PID 2928 wrote to memory of 3488	2928	tasklist32.exe	99
PID 2928 wrote to memory of 3488	2928	tasklist32.exe	99
PID 2928 wrote to memory of 3488	2928	tasklist32.exe	99

C:\Users\Admin\AppData\Local\Temp\c621067f20e7974dc787909a1dd44e4af63ef5a3b539d61a81c2e87b8cf90bd2.exe
"C:\Users\Admin\AppData\Local\Temp\c621067f20e7974dc787909a1dd44e4af63ef5a3b539d61a81c2e87b8cf90bd2.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4804
- \??\c:\windows\SysWOW64\tasklist32.exe
  c:\windows\system32\tasklist32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4812
- - \??\c:\windows\SysWOW64\tasklist32.exe
    c:\windows\system32\tasklist32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3564
  - - \??\c:\windows\SysWOW64\tasklist32.exe
      c:\windows\system32\tasklist32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1100
    - - \??\c:\windows\SysWOW64\tasklist32.exe
        
        c:\windows\system32\tasklist32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3892
      - \??\c:\windows\SysWOW64\tasklist32.exe
        
        c:\windows\system32\tasklist32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4516
        
        \??\c:\windows\SysWOW64\tasklist32.exe
        
        c:\windows\system32\tasklist32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3392
        
        \??\c:\windows\SysWOW64\tasklist32.exe
        
        c:\windows\system32\tasklist32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:5004
        
        \??\c:\windows\SysWOW64\tasklist32.exe
        
        c:\windows\system32\tasklist32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4228
        
        \??\c:\windows\SysWOW64\tasklist32.exe
        
        c:\windows\system32\tasklist32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:768
        
        \??\c:\windows\SysWOW64\tasklist32.exe
        
        c:\windows\system32\tasklist32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2292
        
        \??\c:\windows\SysWOW64\tasklist32.exe
        
        c:\windows\system32\tasklist32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        \??\c:\windows\SysWOW64\tasklist32.exe
        
        c:\windows\system32\tasklist32.exe
        13⤵
        Executes dropped EXE
        
        PID:3488

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\tasklist32.exe

Filesize
231KB

MD5
502386f865d9dc70f8456731e9ef3071

SHA1
3e3b62538cb5f40ec87604bb19a30f8c3362c87d

SHA256
c621067f20e7974dc787909a1dd44e4af63ef5a3b539d61a81c2e87b8cf90bd2

SHA512
c7354bcb8d73adab817fab530920b6bd9df9ccd12f8c5f1b2246509f49e24f203325560c3166411d595788dbeac8c879e712c60d15bb17b67d0c2786ac88214c

Download Submit
C:\Windows\SysWOW64\tasklist32.exe

Filesize
231KB

MD5
502386f865d9dc70f8456731e9ef3071

SHA1
3e3b62538cb5f40ec87604bb19a30f8c3362c87d

SHA256
c621067f20e7974dc787909a1dd44e4af63ef5a3b539d61a81c2e87b8cf90bd2

SHA512
c7354bcb8d73adab817fab530920b6bd9df9ccd12f8c5f1b2246509f49e24f203325560c3166411d595788dbeac8c879e712c60d15bb17b67d0c2786ac88214c

Download Submit
C:\Windows\SysWOW64\tasklist32.exe

Filesize
231KB

MD5
502386f865d9dc70f8456731e9ef3071

SHA1
3e3b62538cb5f40ec87604bb19a30f8c3362c87d

SHA256
c621067f20e7974dc787909a1dd44e4af63ef5a3b539d61a81c2e87b8cf90bd2

SHA512
c7354bcb8d73adab817fab530920b6bd9df9ccd12f8c5f1b2246509f49e24f203325560c3166411d595788dbeac8c879e712c60d15bb17b67d0c2786ac88214c

Download Submit
C:\Windows\SysWOW64\tasklist32.exe

Filesize
231KB

MD5
502386f865d9dc70f8456731e9ef3071

SHA1
3e3b62538cb5f40ec87604bb19a30f8c3362c87d

SHA256
c621067f20e7974dc787909a1dd44e4af63ef5a3b539d61a81c2e87b8cf90bd2

SHA512
c7354bcb8d73adab817fab530920b6bd9df9ccd12f8c5f1b2246509f49e24f203325560c3166411d595788dbeac8c879e712c60d15bb17b67d0c2786ac88214c

Download Submit
C:\Windows\SysWOW64\tasklist32.exe

Filesize
231KB

MD5
502386f865d9dc70f8456731e9ef3071

SHA1
3e3b62538cb5f40ec87604bb19a30f8c3362c87d

SHA256
c621067f20e7974dc787909a1dd44e4af63ef5a3b539d61a81c2e87b8cf90bd2

SHA512
c7354bcb8d73adab817fab530920b6bd9df9ccd12f8c5f1b2246509f49e24f203325560c3166411d595788dbeac8c879e712c60d15bb17b67d0c2786ac88214c

Download Submit
C:\Windows\SysWOW64\tasklist32.exe

Filesize
231KB

MD5
502386f865d9dc70f8456731e9ef3071

SHA1
3e3b62538cb5f40ec87604bb19a30f8c3362c87d

SHA256
c621067f20e7974dc787909a1dd44e4af63ef5a3b539d61a81c2e87b8cf90bd2

SHA512
c7354bcb8d73adab817fab530920b6bd9df9ccd12f8c5f1b2246509f49e24f203325560c3166411d595788dbeac8c879e712c60d15bb17b67d0c2786ac88214c

Download Submit
C:\Windows\SysWOW64\tasklist32.exe

Filesize
231KB

MD5
502386f865d9dc70f8456731e9ef3071

SHA1
3e3b62538cb5f40ec87604bb19a30f8c3362c87d

SHA256
c621067f20e7974dc787909a1dd44e4af63ef5a3b539d61a81c2e87b8cf90bd2

SHA512
c7354bcb8d73adab817fab530920b6bd9df9ccd12f8c5f1b2246509f49e24f203325560c3166411d595788dbeac8c879e712c60d15bb17b67d0c2786ac88214c

Download Submit
C:\Windows\SysWOW64\tasklist32.exe

Filesize
231KB

MD5
502386f865d9dc70f8456731e9ef3071

SHA1
3e3b62538cb5f40ec87604bb19a30f8c3362c87d

SHA256
c621067f20e7974dc787909a1dd44e4af63ef5a3b539d61a81c2e87b8cf90bd2

SHA512
c7354bcb8d73adab817fab530920b6bd9df9ccd12f8c5f1b2246509f49e24f203325560c3166411d595788dbeac8c879e712c60d15bb17b67d0c2786ac88214c

Download Submit
C:\Windows\SysWOW64\tasklist32.exe

Filesize
231KB

MD5
502386f865d9dc70f8456731e9ef3071

SHA1
3e3b62538cb5f40ec87604bb19a30f8c3362c87d

SHA256
c621067f20e7974dc787909a1dd44e4af63ef5a3b539d61a81c2e87b8cf90bd2

SHA512
c7354bcb8d73adab817fab530920b6bd9df9ccd12f8c5f1b2246509f49e24f203325560c3166411d595788dbeac8c879e712c60d15bb17b67d0c2786ac88214c

Download Submit
C:\Windows\SysWOW64\tasklist32.exe

Filesize
231KB

MD5
502386f865d9dc70f8456731e9ef3071

SHA1
3e3b62538cb5f40ec87604bb19a30f8c3362c87d

SHA256
c621067f20e7974dc787909a1dd44e4af63ef5a3b539d61a81c2e87b8cf90bd2

SHA512
c7354bcb8d73adab817fab530920b6bd9df9ccd12f8c5f1b2246509f49e24f203325560c3166411d595788dbeac8c879e712c60d15bb17b67d0c2786ac88214c

Download Submit
C:\Windows\SysWOW64\tasklist32.exe

Filesize
231KB

MD5
502386f865d9dc70f8456731e9ef3071

SHA1
3e3b62538cb5f40ec87604bb19a30f8c3362c87d

SHA256
c621067f20e7974dc787909a1dd44e4af63ef5a3b539d61a81c2e87b8cf90bd2

SHA512
c7354bcb8d73adab817fab530920b6bd9df9ccd12f8c5f1b2246509f49e24f203325560c3166411d595788dbeac8c879e712c60d15bb17b67d0c2786ac88214c

Download Submit
C:\Windows\SysWOW64\tasklist32.exe

Filesize
231KB

MD5
502386f865d9dc70f8456731e9ef3071

SHA1
3e3b62538cb5f40ec87604bb19a30f8c3362c87d

SHA256
c621067f20e7974dc787909a1dd44e4af63ef5a3b539d61a81c2e87b8cf90bd2

SHA512
c7354bcb8d73adab817fab530920b6bd9df9ccd12f8c5f1b2246509f49e24f203325560c3166411d595788dbeac8c879e712c60d15bb17b67d0c2786ac88214c

Download Submit
\??\c:\windows\SysWOW64\tasklist32.exe

Filesize
231KB

MD5
502386f865d9dc70f8456731e9ef3071

SHA1
3e3b62538cb5f40ec87604bb19a30f8c3362c87d

SHA256
c621067f20e7974dc787909a1dd44e4af63ef5a3b539d61a81c2e87b8cf90bd2

SHA512
c7354bcb8d73adab817fab530920b6bd9df9ccd12f8c5f1b2246509f49e24f203325560c3166411d595788dbeac8c879e712c60d15bb17b67d0c2786ac88214c

Download Submit
memory/768-184-0x0000000000400000-0x0000000000821674-memory.dmp

Filesize
4.1MB

Download
memory/1100-154-0x0000000000400000-0x0000000000821674-memory.dmp

Filesize
4.1MB

Download
memory/2292-189-0x0000000000400000-0x0000000000821674-memory.dmp

Filesize
4.1MB

Download
memory/2928-195-0x0000000000400000-0x0000000000821674-memory.dmp

Filesize
4.1MB

Download
memory/3392-169-0x0000000000400000-0x0000000000821674-memory.dmp

Filesize
4.1MB

Download
memory/3488-194-0x0000000000400000-0x0000000000821674-memory.dmp

Filesize
4.1MB

Download
memory/3564-149-0x0000000000400000-0x0000000000821674-memory.dmp

Filesize
4.1MB

Download
memory/3892-159-0x0000000000400000-0x0000000000821674-memory.dmp

Filesize
4.1MB

Download
memory/4228-179-0x0000000000400000-0x0000000000821674-memory.dmp

Filesize
4.1MB

Download
memory/4516-164-0x0000000000400000-0x0000000000821674-memory.dmp

Filesize
4.1MB

Download
memory/4804-138-0x0000000000400000-0x0000000000821674-memory.dmp

Filesize
4.1MB

Download
memory/4804-139-0x0000000000400000-0x0000000000821674-memory.dmp

Filesize
4.1MB

Download
memory/4804-132-0x0000000000400000-0x0000000000821674-memory.dmp

Filesize
4.1MB

Download
memory/4812-144-0x0000000000400000-0x0000000000821674-memory.dmp

Filesize
4.1MB

Download
memory/5004-174-0x0000000000400000-0x0000000000821674-memory.dmp

Filesize
4.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads