d77c953632c82ca8b64082ac0e9ef41735a3524c6a1313f03814acdb0877ff77

Analysis

max time kernel
191s
max time network
209s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01/10/2022, 18:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d77c953632c82ca8b64082ac0e9ef41735a3524c6a1313f03814acdb0877ff77.exe
Size

411KB
MD5

05d41c4df0f2cf1545166bad4a3573a0
SHA1

7b20ed3b4d20f41f7ce61dda618256730b450f48
SHA256

d77c953632c82ca8b64082ac0e9ef41735a3524c6a1313f03814acdb0877ff77
SHA512

ec5e722f0f99ed91c0b64b391d6d9b68de0453eaefd20efc89c69af0c00d93fe542f72a17c59f62c09e9149a7e1dddb2faa5403e98ccb74579ca4665cb3d0217
SSDEEP

12288:UXeKNAQrZl3m+r4NIrOf6Wa0P1zICmfhWPOVfG:UOK+i8+rSyjyOJWPOV

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\psr.exe	d77c953632c82ca8b64082ac0e9ef41735a3524c6a1313f03814acdb0877ff77.exe
File opened for modification	C:\Windows\SysWOW64\rekeywiz.exe	d77c953632c82ca8b64082ac0e9ef41735a3524c6a1313f03814acdb0877ff77.exe
File opened for modification	C:\Windows\SysWOW64\timeout.exe	d77c953632c82ca8b64082ac0e9ef41735a3524c6a1313f03814acdb0877ff77.exe
File opened for modification	C:\Windows\SysWOW64\tttracer.exe	d77c953632c82ca8b64082ac0e9ef41735a3524c6a1313f03814acdb0877ff77.exe
File opened for modification	C:\Windows\SysWOW64\ftp.exe	d77c953632c82ca8b64082ac0e9ef41735a3524c6a1313f03814acdb0877ff77.exe
File opened for modification	C:\Windows\SysWOW64\ipconfig.exe	d77c953632c82ca8b64082ac0e9ef41735a3524c6a1313f03814acdb0877ff77.exe
File opened for modification	C:\Windows\SysWOW64\NETSTAT.EXE	d77c953632c82ca8b64082ac0e9ef41735a3524c6a1313f03814acdb0877ff77.exe
File opened for modification	C:\Windows\SysWOW64\notepad.exe	d77c953632c82ca8b64082ac0e9ef41735a3524c6a1313f03814acdb0877ff77.exe
File opened for modification	C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe	d77c953632c82ca8b64082ac0e9ef41735a3524c6a1313f03814acdb0877ff77.exe
File opened for modification	C:\Windows\SysWOW64\tzutil.exe	d77c953632c82ca8b64082ac0e9ef41735a3524c6a1313f03814acdb0877ff77.exe
File opened for modification	C:\Windows\SysWOW64\prevhost.exe	d77c953632c82ca8b64082ac0e9ef41735a3524c6a1313f03814acdb0877ff77.exe
File opened for modification	C:\Windows\SysWOW64\print.exe	d77c953632c82ca8b64082ac0e9ef41735a3524c6a1313f03814acdb0877ff77.exe
File opened for modification	C:\Windows\SysWOW64\sdbinst.exe	d77c953632c82ca8b64082ac0e9ef41735a3524c6a1313f03814acdb0877ff77.exe
File opened for modification	C:\Windows\SysWOW64\secinit.exe	d77c953632c82ca8b64082ac0e9ef41735a3524c6a1313f03814acdb0877ff77.exe
File opened for modification	C:\Windows\SysWOW64\sort.exe	d77c953632c82ca8b64082ac0e9ef41735a3524c6a1313f03814acdb0877ff77.exe
File opened for modification	C:\Windows\SysWOW64\WerFaultSecure.exe	d77c953632c82ca8b64082ac0e9ef41735a3524c6a1313f03814acdb0877ff77.exe
File opened for modification	C:\Windows\SysWOW64\LaunchTM.exe	d77c953632c82ca8b64082ac0e9ef41735a3524c6a1313f03814acdb0877ff77.exe
File opened for modification	C:\Windows\SysWOW64\mcbuilder.exe	d77c953632c82ca8b64082ac0e9ef41735a3524c6a1313f03814acdb0877ff77.exe
File opened for modification	C:\Windows\SysWOW64\net.exe	d77c953632c82ca8b64082ac0e9ef41735a3524c6a1313f03814acdb0877ff77.exe
File opened for modification	C:\Windows\SysWOW64\shrpubw.exe	d77c953632c82ca8b64082ac0e9ef41735a3524c6a1313f03814acdb0877ff77.exe
File opened for modification	C:\Windows\SysWOW64\icsunattend.exe	d77c953632c82ca8b64082ac0e9ef41735a3524c6a1313f03814acdb0877ff77.exe
File opened for modification	C:\Windows\SysWOW64\ktmutil.exe	d77c953632c82ca8b64082ac0e9ef41735a3524c6a1313f03814acdb0877ff77.exe
File opened for modification	C:\Windows\SysWOW64\RMActivate_ssp.exe	d77c953632c82ca8b64082ac0e9ef41735a3524c6a1313f03814acdb0877ff77.exe
File opened for modification	C:\Windows\SysWOW64\UserAccountBroker.exe	d77c953632c82ca8b64082ac0e9ef41735a3524c6a1313f03814acdb0877ff77.exe
File opened for modification	C:\Windows\SysWOW64\SystemPropertiesDataExecutionPrevention.exe	d77c953632c82ca8b64082ac0e9ef41735a3524c6a1313f03814acdb0877ff77.exe
File opened for modification	C:\Windows\SysWOW64\WinRTNetMUAHostServer.exe	d77c953632c82ca8b64082ac0e9ef41735a3524c6a1313f03814acdb0877ff77.exe
File opened for modification	C:\Windows\SysWOW64\extrac32.exe	d77c953632c82ca8b64082ac0e9ef41735a3524c6a1313f03814acdb0877ff77.exe
File opened for modification	C:\Windows\SysWOW64\fontdrvhost.exe	d77c953632c82ca8b64082ac0e9ef41735a3524c6a1313f03814acdb0877ff77.exe
File opened for modification	C:\Windows\SysWOW64\shutdown.exe	d77c953632c82ca8b64082ac0e9ef41735a3524c6a1313f03814acdb0877ff77.exe
File opened for modification	C:\Windows\SysWOW64\srdelayed.exe	d77c953632c82ca8b64082ac0e9ef41735a3524c6a1313f03814acdb0877ff77.exe
File opened for modification	C:\Windows\SysWOW64\autofmt.exe	d77c953632c82ca8b64082ac0e9ef41735a3524c6a1313f03814acdb0877ff77.exe
File opened for modification	C:\Windows\SysWOW64\chkdsk.exe	d77c953632c82ca8b64082ac0e9ef41735a3524c6a1313f03814acdb0877ff77.exe
File opened for modification	C:\Windows\SysWOW64\DWWIN.EXE	d77c953632c82ca8b64082ac0e9ef41735a3524c6a1313f03814acdb0877ff77.exe
File opened for modification	C:\Windows\SysWOW64\wiaacmgr.exe	d77c953632c82ca8b64082ac0e9ef41735a3524c6a1313f03814acdb0877ff77.exe
File opened for modification	C:\Windows\SysWOW64\TSTheme.exe	d77c953632c82ca8b64082ac0e9ef41735a3524c6a1313f03814acdb0877ff77.exe
File opened for modification	C:\Windows\SysWOW64\BackgroundTransferHost.exe	d77c953632c82ca8b64082ac0e9ef41735a3524c6a1313f03814acdb0877ff77.exe
File opened for modification	C:\Windows\SysWOW64\label.exe	d77c953632c82ca8b64082ac0e9ef41735a3524c6a1313f03814acdb0877ff77.exe
File opened for modification	C:\Windows\SysWOW64\ntprint.exe	d77c953632c82ca8b64082ac0e9ef41735a3524c6a1313f03814acdb0877ff77.exe
File opened for modification	C:\Windows\SysWOW64\sethc.exe	d77c953632c82ca8b64082ac0e9ef41735a3524c6a1313f03814acdb0877ff77.exe
File opened for modification	C:\Windows\SysWOW64\curl.exe	d77c953632c82ca8b64082ac0e9ef41735a3524c6a1313f03814acdb0877ff77.exe
File opened for modification	C:\Windows\SysWOW64\mmgaserver.exe	d77c953632c82ca8b64082ac0e9ef41735a3524c6a1313f03814acdb0877ff77.exe
File opened for modification	C:\Windows\SysWOW64\winrshost.exe	d77c953632c82ca8b64082ac0e9ef41735a3524c6a1313f03814acdb0877ff77.exe
File opened for modification	C:\Windows\SysWOW64\UserAccountControlSettings.exe	d77c953632c82ca8b64082ac0e9ef41735a3524c6a1313f03814acdb0877ff77.exe
File opened for modification	C:\Windows\SysWOW64\credwiz.exe	d77c953632c82ca8b64082ac0e9ef41735a3524c6a1313f03814acdb0877ff77.exe
File opened for modification	C:\Windows\SysWOW64\relog.exe	d77c953632c82ca8b64082ac0e9ef41735a3524c6a1313f03814acdb0877ff77.exe
File opened for modification	C:\Windows\SysWOW64\replace.exe	d77c953632c82ca8b64082ac0e9ef41735a3524c6a1313f03814acdb0877ff77.exe
File opened for modification	C:\Windows\SysWOW64\RpcPing.exe	d77c953632c82ca8b64082ac0e9ef41735a3524c6a1313f03814acdb0877ff77.exe
File opened for modification	C:\Windows\SysWOW64\iexpress.exe	d77c953632c82ca8b64082ac0e9ef41735a3524c6a1313f03814acdb0877ff77.exe
File opened for modification	C:\Windows\SysWOW64\mountvol.exe	d77c953632c82ca8b64082ac0e9ef41735a3524c6a1313f03814acdb0877ff77.exe
File opened for modification	C:\Windows\SysWOW64\ARP.EXE	d77c953632c82ca8b64082ac0e9ef41735a3524c6a1313f03814acdb0877ff77.exe
File opened for modification	C:\Windows\SysWOW64\cmd.exe	d77c953632c82ca8b64082ac0e9ef41735a3524c6a1313f03814acdb0877ff77.exe
File opened for modification	C:\Windows\SysWOW64\control.exe	d77c953632c82ca8b64082ac0e9ef41735a3524c6a1313f03814acdb0877ff77.exe
File opened for modification	C:\Windows\SysWOW64\fsutil.exe	d77c953632c82ca8b64082ac0e9ef41735a3524c6a1313f03814acdb0877ff77.exe
File opened for modification	C:\Windows\SysWOW64\SettingSyncHost.exe	d77c953632c82ca8b64082ac0e9ef41735a3524c6a1313f03814acdb0877ff77.exe
File opened for modification	C:\Windows\SysWOW64\user.exe	d77c953632c82ca8b64082ac0e9ef41735a3524c6a1313f03814acdb0877ff77.exe
File opened for modification	C:\Windows\SysWOW64\cmdl32.exe	d77c953632c82ca8b64082ac0e9ef41735a3524c6a1313f03814acdb0877ff77.exe
File opened for modification	C:\Windows\SysWOW64\mmc.exe	d77c953632c82ca8b64082ac0e9ef41735a3524c6a1313f03814acdb0877ff77.exe
File opened for modification	C:\Windows\SysWOW64\OposHost.exe	d77c953632c82ca8b64082ac0e9ef41735a3524c6a1313f03814acdb0877ff77.exe
File opened for modification	C:\Windows\SysWOW64\RMActivate_isv.exe	d77c953632c82ca8b64082ac0e9ef41735a3524c6a1313f03814acdb0877ff77.exe
File opened for modification	C:\Windows\SysWOW64\DevicePairingWizard.exe	d77c953632c82ca8b64082ac0e9ef41735a3524c6a1313f03814acdb0877ff77.exe
File opened for modification	C:\Windows\SysWOW64\dtdump.exe	d77c953632c82ca8b64082ac0e9ef41735a3524c6a1313f03814acdb0877ff77.exe
File opened for modification	C:\Windows\SysWOW64\gpscript.exe	d77c953632c82ca8b64082ac0e9ef41735a3524c6a1313f03814acdb0877ff77.exe
File opened for modification	C:\Windows\SysWOW64\sxstrace.exe	d77c953632c82ca8b64082ac0e9ef41735a3524c6a1313f03814acdb0877ff77.exe
File opened for modification	C:\Windows\SysWOW64\CameraSettingsUIHost.exe	d77c953632c82ca8b64082ac0e9ef41735a3524c6a1313f03814acdb0877ff77.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\bfsvc.exe	d77c953632c82ca8b64082ac0e9ef41735a3524c6a1313f03814acdb0877ff77.exe
File opened for modification	C:\Windows\explorer.exe	d77c953632c82ca8b64082ac0e9ef41735a3524c6a1313f03814acdb0877ff77.exe
File opened for modification	C:\Windows\HelpPane.exe	d77c953632c82ca8b64082ac0e9ef41735a3524c6a1313f03814acdb0877ff77.exe
File opened for modification	C:\Windows\hh.exe	d77c953632c82ca8b64082ac0e9ef41735a3524c6a1313f03814acdb0877ff77.exe
File opened for modification	C:\Windows\notepad.exe	d77c953632c82ca8b64082ac0e9ef41735a3524c6a1313f03814acdb0877ff77.exe
File opened for modification	C:\Windows\splwow64.exe	d77c953632c82ca8b64082ac0e9ef41735a3524c6a1313f03814acdb0877ff77.exe
File opened for modification	C:\Windows\winhlp32.exe	d77c953632c82ca8b64082ac0e9ef41735a3524c6a1313f03814acdb0877ff77.exe
File opened for modification	C:\Windows\write.exe	d77c953632c82ca8b64082ac0e9ef41735a3524c6a1313f03814acdb0877ff77.exe

C:\Users\Admin\AppData\Local\Temp\d77c953632c82ca8b64082ac0e9ef41735a3524c6a1313f03814acdb0877ff77.exe
"C:\Users\Admin\AppData\Local\Temp\d77c953632c82ca8b64082ac0e9ef41735a3524c6a1313f03814acdb0877ff77.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:4168

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4168-132-0x000000000F000000-0x000000000F0A7B00-memory.dmp

Filesize
670KB

Download
memory/4168-133-0x000000000F000000-0x000000000F0A7B00-memory.dmp

Filesize
670KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads