444df24d2c21ddd4d1bdea058af842cb0312d50edf5a66ad4ad3c28f30cfadfd

Analysis

max time kernel
87s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2022, 05:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

444df24d2c21ddd4d1bdea058af842cb0312d50edf5a66ad4ad3c28f30cfadfd.exe
Size

85KB
MD5

6350e4af58af493f3b2e26e5f37f70f0
SHA1

1f62a13a7995a52f487758838b8d8d24e97da663
SHA256

444df24d2c21ddd4d1bdea058af842cb0312d50edf5a66ad4ad3c28f30cfadfd
SHA512

a294ef405fb0d64f5122ca9bed8d7a1b49b92f6f0f18f33f9cc7d94c8044be76f2ea675c81ff5ea6e04f16d450a403c5e9d3b517e1806da5a431fdaf7bd5f293
SSDEEP

1536:uDmAunwi6bNSiWrtpz0m3B+XoU+kOjxHWABdhmgSc:yzunwoiezDR+Xp+kONbmgS

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\backgroundTaskHost.exe	444df24d2c21ddd4d1bdea058af842cb0312d50edf5a66ad4ad3c28f30cfadfd.exe
File opened for modification	C:\Windows\SysWOW64\cmstp.exe	444df24d2c21ddd4d1bdea058af842cb0312d50edf5a66ad4ad3c28f30cfadfd.exe
File opened for modification	C:\Windows\SysWOW64\find.exe	444df24d2c21ddd4d1bdea058af842cb0312d50edf5a66ad4ad3c28f30cfadfd.exe
File opened for modification	C:\Windows\SysWOW64\proquota.exe	444df24d2c21ddd4d1bdea058af842cb0312d50edf5a66ad4ad3c28f30cfadfd.exe
File opened for modification	C:\Windows\SysWOW64\cmmon32.exe	444df24d2c21ddd4d1bdea058af842cb0312d50edf5a66ad4ad3c28f30cfadfd.exe
File opened for modification	C:\Windows\SysWOW64\credwiz.exe	444df24d2c21ddd4d1bdea058af842cb0312d50edf5a66ad4ad3c28f30cfadfd.exe
File opened for modification	C:\Windows\SysWOW64\iexpress.exe	444df24d2c21ddd4d1bdea058af842cb0312d50edf5a66ad4ad3c28f30cfadfd.exe
File opened for modification	C:\Windows\SysWOW64\ipconfig.exe	444df24d2c21ddd4d1bdea058af842cb0312d50edf5a66ad4ad3c28f30cfadfd.exe
File opened for modification	C:\Windows\SysWOW64\calc.exe	444df24d2c21ddd4d1bdea058af842cb0312d50edf5a66ad4ad3c28f30cfadfd.exe
File opened for modification	C:\Windows\SysWOW64\msdt.exe	444df24d2c21ddd4d1bdea058af842cb0312d50edf5a66ad4ad3c28f30cfadfd.exe
File opened for modification	C:\Windows\SysWOW64\rasphone.exe	444df24d2c21ddd4d1bdea058af842cb0312d50edf5a66ad4ad3c28f30cfadfd.exe
File opened for modification	C:\Windows\SysWOW64\RdpSaProxy.exe	444df24d2c21ddd4d1bdea058af842cb0312d50edf5a66ad4ad3c28f30cfadfd.exe
File opened for modification	C:\Windows\SysWOW64\runonce.exe	444df24d2c21ddd4d1bdea058af842cb0312d50edf5a66ad4ad3c28f30cfadfd.exe
File opened for modification	C:\Windows\SysWOW64\setx.exe	444df24d2c21ddd4d1bdea058af842cb0312d50edf5a66ad4ad3c28f30cfadfd.exe
File opened for modification	C:\Windows\SysWOW64\convert.exe	444df24d2c21ddd4d1bdea058af842cb0312d50edf5a66ad4ad3c28f30cfadfd.exe
File opened for modification	C:\Windows\SysWOW64\DWWIN.EXE	444df24d2c21ddd4d1bdea058af842cb0312d50edf5a66ad4ad3c28f30cfadfd.exe
File opened for modification	C:\Windows\SysWOW64\GameBarPresenceWriter.exe	444df24d2c21ddd4d1bdea058af842cb0312d50edf5a66ad4ad3c28f30cfadfd.exe
File opened for modification	C:\Windows\SysWOW64\InputSwitchToastHandler.exe	444df24d2c21ddd4d1bdea058af842cb0312d50edf5a66ad4ad3c28f30cfadfd.exe
File opened for modification	C:\Windows\SysWOW64\LaunchWinApp.exe	444df24d2c21ddd4d1bdea058af842cb0312d50edf5a66ad4ad3c28f30cfadfd.exe
File opened for modification	C:\Windows\SysWOW64\sethc.exe	444df24d2c21ddd4d1bdea058af842cb0312d50edf5a66ad4ad3c28f30cfadfd.exe
File opened for modification	C:\Windows\SysWOW64\cmdkey.exe	444df24d2c21ddd4d1bdea058af842cb0312d50edf5a66ad4ad3c28f30cfadfd.exe
File opened for modification	C:\Windows\SysWOW64\GamePanel.exe	444df24d2c21ddd4d1bdea058af842cb0312d50edf5a66ad4ad3c28f30cfadfd.exe
File opened for modification	C:\Windows\SysWOW64\NETSTAT.EXE	444df24d2c21ddd4d1bdea058af842cb0312d50edf5a66ad4ad3c28f30cfadfd.exe
File opened for modification	C:\Windows\SysWOW64\SystemUWPLauncher.exe	444df24d2c21ddd4d1bdea058af842cb0312d50edf5a66ad4ad3c28f30cfadfd.exe
File opened for modification	C:\Windows\SysWOW64\TCPSVCS.EXE	444df24d2c21ddd4d1bdea058af842cb0312d50edf5a66ad4ad3c28f30cfadfd.exe
File opened for modification	C:\Windows\SysWOW64\msiexec.exe	444df24d2c21ddd4d1bdea058af842cb0312d50edf5a66ad4ad3c28f30cfadfd.exe
File opened for modification	C:\Windows\SysWOW64\PackagedCWALauncher.exe	444df24d2c21ddd4d1bdea058af842cb0312d50edf5a66ad4ad3c28f30cfadfd.exe
File opened for modification	C:\Windows\SysWOW64\dxdiag.exe	444df24d2c21ddd4d1bdea058af842cb0312d50edf5a66ad4ad3c28f30cfadfd.exe
File opened for modification	C:\Windows\SysWOW64\Utilman.exe	444df24d2c21ddd4d1bdea058af842cb0312d50edf5a66ad4ad3c28f30cfadfd.exe
File opened for modification	C:\Windows\SysWOW64\wscript.exe	444df24d2c21ddd4d1bdea058af842cb0312d50edf5a66ad4ad3c28f30cfadfd.exe
File opened for modification	C:\Windows\SysWOW64\eventvwr.exe	444df24d2c21ddd4d1bdea058af842cb0312d50edf5a66ad4ad3c28f30cfadfd.exe
File opened for modification	C:\Windows\SysWOW64\icsunattend.exe	444df24d2c21ddd4d1bdea058af842cb0312d50edf5a66ad4ad3c28f30cfadfd.exe
File opened for modification	C:\Windows\SysWOW64\sdbinst.exe	444df24d2c21ddd4d1bdea058af842cb0312d50edf5a66ad4ad3c28f30cfadfd.exe
File opened for modification	C:\Windows\SysWOW64\write.exe	444df24d2c21ddd4d1bdea058af842cb0312d50edf5a66ad4ad3c28f30cfadfd.exe
File opened for modification	C:\Windows\SysWOW64\chkntfs.exe	444df24d2c21ddd4d1bdea058af842cb0312d50edf5a66ad4ad3c28f30cfadfd.exe
File opened for modification	C:\Windows\SysWOW64\diskpart.exe	444df24d2c21ddd4d1bdea058af842cb0312d50edf5a66ad4ad3c28f30cfadfd.exe
File opened for modification	C:\Windows\SysWOW64\HOSTNAME.EXE	444df24d2c21ddd4d1bdea058af842cb0312d50edf5a66ad4ad3c28f30cfadfd.exe
File opened for modification	C:\Windows\SysWOW64\TpmInit.exe	444df24d2c21ddd4d1bdea058af842cb0312d50edf5a66ad4ad3c28f30cfadfd.exe
File opened for modification	C:\Windows\SysWOW64\userinit.exe	444df24d2c21ddd4d1bdea058af842cb0312d50edf5a66ad4ad3c28f30cfadfd.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	444df24d2c21ddd4d1bdea058af842cb0312d50edf5a66ad4ad3c28f30cfadfd.exe
File opened for modification	C:\Windows\SysWOW64\cipher.exe	444df24d2c21ddd4d1bdea058af842cb0312d50edf5a66ad4ad3c28f30cfadfd.exe
File opened for modification	C:\Windows\SysWOW64\DevicePairingWizard.exe	444df24d2c21ddd4d1bdea058af842cb0312d50edf5a66ad4ad3c28f30cfadfd.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	444df24d2c21ddd4d1bdea058af842cb0312d50edf5a66ad4ad3c28f30cfadfd.exe
File opened for modification	C:\Windows\SysWOW64\makecab.exe	444df24d2c21ddd4d1bdea058af842cb0312d50edf5a66ad4ad3c28f30cfadfd.exe
File opened for modification	C:\Windows\SysWOW64\printui.exe	444df24d2c21ddd4d1bdea058af842cb0312d50edf5a66ad4ad3c28f30cfadfd.exe
File opened for modification	C:\Windows\SysWOW64\AtBroker.exe	444df24d2c21ddd4d1bdea058af842cb0312d50edf5a66ad4ad3c28f30cfadfd.exe
File opened for modification	C:\Windows\SysWOW64\netbtugc.exe	444df24d2c21ddd4d1bdea058af842cb0312d50edf5a66ad4ad3c28f30cfadfd.exe
File opened for modification	C:\Windows\SysWOW64\PkgMgr.exe	444df24d2c21ddd4d1bdea058af842cb0312d50edf5a66ad4ad3c28f30cfadfd.exe
File opened for modification	C:\Windows\SysWOW64\systeminfo.exe	444df24d2c21ddd4d1bdea058af842cb0312d50edf5a66ad4ad3c28f30cfadfd.exe
File opened for modification	C:\Windows\SysWOW64\gpupdate.exe	444df24d2c21ddd4d1bdea058af842cb0312d50edf5a66ad4ad3c28f30cfadfd.exe
File opened for modification	C:\Windows\SysWOW64\msinfo32.exe	444df24d2c21ddd4d1bdea058af842cb0312d50edf5a66ad4ad3c28f30cfadfd.exe
File opened for modification	C:\Windows\SysWOW64\NetCfgNotifyObjectHost.exe	444df24d2c21ddd4d1bdea058af842cb0312d50edf5a66ad4ad3c28f30cfadfd.exe
File opened for modification	C:\Windows\SysWOW64\ntprint.exe	444df24d2c21ddd4d1bdea058af842cb0312d50edf5a66ad4ad3c28f30cfadfd.exe
File opened for modification	C:\Windows\SysWOW64\rasdial.exe	444df24d2c21ddd4d1bdea058af842cb0312d50edf5a66ad4ad3c28f30cfadfd.exe
File opened for modification	C:\Windows\SysWOW64\xwizard.exe	444df24d2c21ddd4d1bdea058af842cb0312d50edf5a66ad4ad3c28f30cfadfd.exe
File opened for modification	C:\Windows\SysWOW64\ComputerDefaults.exe	444df24d2c21ddd4d1bdea058af842cb0312d50edf5a66ad4ad3c28f30cfadfd.exe
File opened for modification	C:\Windows\SysWOW64\mstsc.exe	444df24d2c21ddd4d1bdea058af842cb0312d50edf5a66ad4ad3c28f30cfadfd.exe
File opened for modification	C:\Windows\SysWOW64\provlaunch.exe	444df24d2c21ddd4d1bdea058af842cb0312d50edf5a66ad4ad3c28f30cfadfd.exe
File opened for modification	C:\Windows\SysWOW64\SystemPropertiesDataExecutionPrevention.exe	444df24d2c21ddd4d1bdea058af842cb0312d50edf5a66ad4ad3c28f30cfadfd.exe
File opened for modification	C:\Windows\SysWOW64\upnpcont.exe	444df24d2c21ddd4d1bdea058af842cb0312d50edf5a66ad4ad3c28f30cfadfd.exe
File opened for modification	C:\Windows\SysWOW64\RMActivate_isv.exe	444df24d2c21ddd4d1bdea058af842cb0312d50edf5a66ad4ad3c28f30cfadfd.exe
File opened for modification	C:\Windows\SysWOW64\certreq.exe	444df24d2c21ddd4d1bdea058af842cb0312d50edf5a66ad4ad3c28f30cfadfd.exe
File opened for modification	C:\Windows\SysWOW64\chkdsk.exe	444df24d2c21ddd4d1bdea058af842cb0312d50edf5a66ad4ad3c28f30cfadfd.exe
File opened for modification	C:\Windows\SysWOW64\CloudNotifications.exe	444df24d2c21ddd4d1bdea058af842cb0312d50edf5a66ad4ad3c28f30cfadfd.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\splwow64.exe	444df24d2c21ddd4d1bdea058af842cb0312d50edf5a66ad4ad3c28f30cfadfd.exe
File opened for modification	C:\Windows\winhlp32.exe	444df24d2c21ddd4d1bdea058af842cb0312d50edf5a66ad4ad3c28f30cfadfd.exe
File opened for modification	C:\Windows\write.exe	444df24d2c21ddd4d1bdea058af842cb0312d50edf5a66ad4ad3c28f30cfadfd.exe
File opened for modification	C:\Windows\bfsvc.exe	444df24d2c21ddd4d1bdea058af842cb0312d50edf5a66ad4ad3c28f30cfadfd.exe
File opened for modification	C:\Windows\explorer.exe	444df24d2c21ddd4d1bdea058af842cb0312d50edf5a66ad4ad3c28f30cfadfd.exe
File opened for modification	C:\Windows\HelpPane.exe	444df24d2c21ddd4d1bdea058af842cb0312d50edf5a66ad4ad3c28f30cfadfd.exe
File opened for modification	C:\Windows\hh.exe	444df24d2c21ddd4d1bdea058af842cb0312d50edf5a66ad4ad3c28f30cfadfd.exe
File opened for modification	C:\Windows\notepad.exe	444df24d2c21ddd4d1bdea058af842cb0312d50edf5a66ad4ad3c28f30cfadfd.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1772	4808	WerFault.exe	83

C:\Users\Admin\AppData\Local\Temp\444df24d2c21ddd4d1bdea058af842cb0312d50edf5a66ad4ad3c28f30cfadfd.exe
"C:\Users\Admin\AppData\Local\Temp\444df24d2c21ddd4d1bdea058af842cb0312d50edf5a66ad4ad3c28f30cfadfd.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:4808
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 500
  2⤵
  - Program crash
  PID:1772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 4808 -ip 4808
1⤵
PID:1988

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4808-132-0x0000000001800000-0x000000000181CB00-memory.dmp

Filesize
114KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads