da02a8191727466b939a995c95ea9bc20ded2a28f1688fdb010468f2485ec408

Analysis

max time kernel
151s
max time network
177s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2022, 02:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

da02a8191727466b939a995c95ea9bc20ded2a28f1688fdb010468f2485ec408.exe
Size

129KB
MD5

669f91c91599876b8d6a30759dd14bf6
SHA1

7fd97f4ab6d0bf4245d739e08ea2606d00bfe62c
SHA256

da02a8191727466b939a995c95ea9bc20ded2a28f1688fdb010468f2485ec408
SHA512

17ca95e0c6e2994603b720f39b3774ae362f87dce36e761963942f8f4edfd9c69e42ce2054de8ebbe5d5aa86c33a660eab00500d43bf9d064b550d613e943a5b
SSDEEP

1536:Ou0RkPB1z139BaSSAd27cwwH4EPbUVU7VA2WM/XB/5s82gYd+WA/iOiRXcrplSS:OZIB1Bj22SmVlWc5GAj/VuwyN3p

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 8 IoCs

pid	Process
4076	servic.exe
2432	servic.exe
2500	servic.exe
3240	servic.exe
2304	servic.exe
1396	servic.exe
5068	servic.exe
524	servic.exe

Drops file in System32 directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\servic.exe	servic.exe
File created	C:\Windows\SysWOW64\servic.exe	servic.exe
File opened for modification	C:\Windows\SysWOW64\servic.exe	servic.exe
File created	C:\Windows\SysWOW64\servic.exe	servic.exe
File opened for modification	C:\Windows\SysWOW64\servic.exe	servic.exe
File created	C:\Windows\SysWOW64\servic.exe	servic.exe
File opened for modification	C:\Windows\SysWOW64\servic.exe	servic.exe
File created	C:\Windows\SysWOW64\servic.exe	servic.exe
File created	C:\Windows\SysWOW64\servic.exe	servic.exe
File created	C:\Windows\SysWOW64\servic.exe	da02a8191727466b939a995c95ea9bc20ded2a28f1688fdb010468f2485ec408.exe
File opened for modification	C:\Windows\SysWOW64\servic.exe	servic.exe
File opened for modification	C:\Windows\SysWOW64\servic.exe	servic.exe
File created	C:\Windows\SysWOW64\servic.exe	servic.exe
File created	C:\Windows\SysWOW64\servic.exe	servic.exe
File created	C:\Windows\SysWOW64\servic.exe	servic.exe
File opened for modification	C:\Windows\SysWOW64\servic.exe	da02a8191727466b939a995c95ea9bc20ded2a28f1688fdb010468f2485ec408.exe
File opened for modification	C:\Windows\SysWOW64\servic.exe	servic.exe
File opened for modification	C:\Windows\SysWOW64\servic.exe	servic.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1408 wrote to memory of 4076	1408	da02a8191727466b939a995c95ea9bc20ded2a28f1688fdb010468f2485ec408.exe	84
PID 1408 wrote to memory of 4076	1408	da02a8191727466b939a995c95ea9bc20ded2a28f1688fdb010468f2485ec408.exe	84
PID 1408 wrote to memory of 4076	1408	da02a8191727466b939a995c95ea9bc20ded2a28f1688fdb010468f2485ec408.exe	84
PID 4076 wrote to memory of 2432	4076	servic.exe	85
PID 4076 wrote to memory of 2432	4076	servic.exe	85
PID 4076 wrote to memory of 2432	4076	servic.exe	85
PID 2432 wrote to memory of 2500	2432	servic.exe	86
PID 2432 wrote to memory of 2500	2432	servic.exe	86
PID 2432 wrote to memory of 2500	2432	servic.exe	86
PID 2500 wrote to memory of 3240	2500	servic.exe	90
PID 2500 wrote to memory of 3240	2500	servic.exe	90
PID 2500 wrote to memory of 3240	2500	servic.exe	90
PID 3240 wrote to memory of 2304	3240	servic.exe	94
PID 3240 wrote to memory of 2304	3240	servic.exe	94
PID 3240 wrote to memory of 2304	3240	servic.exe	94
PID 2304 wrote to memory of 1396	2304	servic.exe	95
PID 2304 wrote to memory of 1396	2304	servic.exe	95
PID 2304 wrote to memory of 1396	2304	servic.exe	95
PID 1396 wrote to memory of 5068	1396	servic.exe	96
PID 1396 wrote to memory of 5068	1396	servic.exe	96
PID 1396 wrote to memory of 5068	1396	servic.exe	96
PID 5068 wrote to memory of 524	5068	servic.exe	97
PID 5068 wrote to memory of 524	5068	servic.exe	97
PID 5068 wrote to memory of 524	5068	servic.exe	97

C:\Users\Admin\AppData\Local\Temp\da02a8191727466b939a995c95ea9bc20ded2a28f1688fdb010468f2485ec408.exe
"C:\Users\Admin\AppData\Local\Temp\da02a8191727466b939a995c95ea9bc20ded2a28f1688fdb010468f2485ec408.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1408
- C:\Windows\SysWOW64\servic.exe
  C:\Windows\system32\servic.exe 1032 "C:\Users\Admin\AppData\Local\Temp\da02a8191727466b939a995c95ea9bc20ded2a28f1688fdb010468f2485ec408.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4076
- - C:\Windows\SysWOW64\servic.exe
    C:\Windows\system32\servic.exe 1152 "C:\Windows\SysWOW64\servic.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2432
  - - C:\Windows\SysWOW64\servic.exe
      C:\Windows\system32\servic.exe 1124 "C:\Windows\SysWOW64\servic.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2500
    - - C:\Windows\SysWOW64\servic.exe
        
        C:\Windows\system32\servic.exe 1088 "C:\Windows\SysWOW64\servic.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3240
      - C:\Windows\SysWOW64\servic.exe
        
        C:\Windows\system32\servic.exe 1132 "C:\Windows\SysWOW64\servic.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\Windows\SysWOW64\servic.exe
        
        C:\Windows\system32\servic.exe 1136 "C:\Windows\SysWOW64\servic.exe"
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1396
        
        C:\Windows\SysWOW64\servic.exe
        
        C:\Windows\system32\servic.exe 1144 "C:\Windows\SysWOW64\servic.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5068
        
        C:\Windows\SysWOW64\servic.exe
        
        C:\Windows\system32\servic.exe 1140 "C:\Windows\SysWOW64\servic.exe"
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:524

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\servic.exe

Filesize
129KB

MD5
669f91c91599876b8d6a30759dd14bf6

SHA1
7fd97f4ab6d0bf4245d739e08ea2606d00bfe62c

SHA256
da02a8191727466b939a995c95ea9bc20ded2a28f1688fdb010468f2485ec408

SHA512
17ca95e0c6e2994603b720f39b3774ae362f87dce36e761963942f8f4edfd9c69e42ce2054de8ebbe5d5aa86c33a660eab00500d43bf9d064b550d613e943a5b

Download Submit
C:\Windows\SysWOW64\servic.exe

Filesize
129KB

MD5
669f91c91599876b8d6a30759dd14bf6

SHA1
7fd97f4ab6d0bf4245d739e08ea2606d00bfe62c

SHA256
da02a8191727466b939a995c95ea9bc20ded2a28f1688fdb010468f2485ec408

SHA512
17ca95e0c6e2994603b720f39b3774ae362f87dce36e761963942f8f4edfd9c69e42ce2054de8ebbe5d5aa86c33a660eab00500d43bf9d064b550d613e943a5b

Download Submit
C:\Windows\SysWOW64\servic.exe

Filesize
129KB

MD5
669f91c91599876b8d6a30759dd14bf6

SHA1
7fd97f4ab6d0bf4245d739e08ea2606d00bfe62c

SHA256
da02a8191727466b939a995c95ea9bc20ded2a28f1688fdb010468f2485ec408

SHA512
17ca95e0c6e2994603b720f39b3774ae362f87dce36e761963942f8f4edfd9c69e42ce2054de8ebbe5d5aa86c33a660eab00500d43bf9d064b550d613e943a5b

Download Submit
C:\Windows\SysWOW64\servic.exe

Filesize
129KB

MD5
669f91c91599876b8d6a30759dd14bf6

SHA1
7fd97f4ab6d0bf4245d739e08ea2606d00bfe62c

SHA256
da02a8191727466b939a995c95ea9bc20ded2a28f1688fdb010468f2485ec408

SHA512
17ca95e0c6e2994603b720f39b3774ae362f87dce36e761963942f8f4edfd9c69e42ce2054de8ebbe5d5aa86c33a660eab00500d43bf9d064b550d613e943a5b

Download Submit
C:\Windows\SysWOW64\servic.exe

Filesize
129KB

MD5
669f91c91599876b8d6a30759dd14bf6

SHA1
7fd97f4ab6d0bf4245d739e08ea2606d00bfe62c

SHA256
da02a8191727466b939a995c95ea9bc20ded2a28f1688fdb010468f2485ec408

SHA512
17ca95e0c6e2994603b720f39b3774ae362f87dce36e761963942f8f4edfd9c69e42ce2054de8ebbe5d5aa86c33a660eab00500d43bf9d064b550d613e943a5b

Download Submit
C:\Windows\SysWOW64\servic.exe

Filesize
129KB

MD5
669f91c91599876b8d6a30759dd14bf6

SHA1
7fd97f4ab6d0bf4245d739e08ea2606d00bfe62c

SHA256
da02a8191727466b939a995c95ea9bc20ded2a28f1688fdb010468f2485ec408

SHA512
17ca95e0c6e2994603b720f39b3774ae362f87dce36e761963942f8f4edfd9c69e42ce2054de8ebbe5d5aa86c33a660eab00500d43bf9d064b550d613e943a5b

Download Submit
C:\Windows\SysWOW64\servic.exe

Filesize
129KB

MD5
669f91c91599876b8d6a30759dd14bf6

SHA1
7fd97f4ab6d0bf4245d739e08ea2606d00bfe62c

SHA256
da02a8191727466b939a995c95ea9bc20ded2a28f1688fdb010468f2485ec408

SHA512
17ca95e0c6e2994603b720f39b3774ae362f87dce36e761963942f8f4edfd9c69e42ce2054de8ebbe5d5aa86c33a660eab00500d43bf9d064b550d613e943a5b

Download Submit
C:\Windows\SysWOW64\servic.exe

Filesize
129KB

MD5
669f91c91599876b8d6a30759dd14bf6

SHA1
7fd97f4ab6d0bf4245d739e08ea2606d00bfe62c

SHA256
da02a8191727466b939a995c95ea9bc20ded2a28f1688fdb010468f2485ec408

SHA512
17ca95e0c6e2994603b720f39b3774ae362f87dce36e761963942f8f4edfd9c69e42ce2054de8ebbe5d5aa86c33a660eab00500d43bf9d064b550d613e943a5b

Download Submit
C:\Windows\SysWOW64\servic.exe

Filesize
129KB

MD5
669f91c91599876b8d6a30759dd14bf6

SHA1
7fd97f4ab6d0bf4245d739e08ea2606d00bfe62c

SHA256
da02a8191727466b939a995c95ea9bc20ded2a28f1688fdb010468f2485ec408

SHA512
17ca95e0c6e2994603b720f39b3774ae362f87dce36e761963942f8f4edfd9c69e42ce2054de8ebbe5d5aa86c33a660eab00500d43bf9d064b550d613e943a5b

Download Submit
memory/524-158-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1396-152-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1408-132-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1408-136-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2304-149-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2432-140-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2500-143-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/3240-146-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/4076-137-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/5068-155-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads