d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165

Analysis

max time kernel
22s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/10/2022, 17:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165.exe
Size

156KB
MD5

329b86085bd0058ad41bfa621ec84ab8
SHA1

f32a2286a4a4914ed5c5f6aa6ddc0a7205f8fab4
SHA256

d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165
SHA512

7085c83dd2ec522095322f432b3530790bc6ea5eaa3e0afb56aed83dad6ed5c63d7719f35653586e26fb1fb85447bbea8181a52cdf002de5b9d751cb78f6d8f6
SSDEEP

3072:7V3Lvhd2FbXWoO6rUSEPNWrnWA8/3CIOezrHZkTTDTE8gO:B7vhd2s1TSE1Wrnx8/keznO

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\rrinstaller.exe	d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165.exe
File opened for modification	C:\Windows\SysWOW64\SetIEInstalledDate.exe	d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165.exe
File opened for modification	C:\Windows\SysWOW64\cmmon32.exe	d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165.exe
File opened for modification	C:\Windows\SysWOW64\dplaysvr.exe	d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165.exe
File opened for modification	C:\Windows\SysWOW64\icsunattend.exe	d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165.exe
File opened for modification	C:\Windows\SysWOW64\user.exe	d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165.exe
File opened for modification	C:\Windows\SysWOW64\diskpart.exe	d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165.exe
File opened for modification	C:\Windows\SysWOW64\findstr.exe	d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165.exe
File opened for modification	C:\Windows\SysWOW64\rundll32.exe	d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165.exe
File opened for modification	C:\Windows\SysWOW64\dxdiag.exe	d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165.exe
File opened for modification	C:\Windows\SysWOW64\userinit.exe	d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165.exe
File opened for modification	C:\Windows\SysWOW64\pcaui.exe	d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165.exe
File opened for modification	C:\Windows\SysWOW64\PING.EXE	d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165.exe
File opened for modification	C:\Windows\SysWOW64\relog.exe	d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165.exe
File opened for modification	C:\Windows\SysWOW64\winrs.exe	d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165.exe
File opened for modification	C:\Windows\SysWOW64\hh.exe	d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165.exe
File opened for modification	C:\Windows\SysWOW64\mcbuilder.exe	d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165.exe
File opened for modification	C:\Windows\SysWOW64\ntoskrnl.exe	d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165.exe
File opened for modification	C:\Windows\SysWOW64\calc.exe	d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165.exe
File opened for modification	C:\Windows\SysWOW64\fc.exe	d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165.exe
File opened for modification	C:\Windows\SysWOW64\wevtutil.exe	d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165.exe
File opened for modification	C:\Windows\SysWOW64\print.exe	d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165.exe
File opened for modification	C:\Windows\SysWOW64\dpnsvr.exe	d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165.exe
File opened for modification	C:\Windows\SysWOW64\powercfg.exe	d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165.exe
File opened for modification	C:\Windows\SysWOW64\msdt.exe	d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165.exe
File opened for modification	C:\Windows\SysWOW64\psr.exe	d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165.exe
File opened for modification	C:\Windows\SysWOW64\cttune.exe	d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165.exe
File opened for modification	C:\Windows\SysWOW64\finger.exe	d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165.exe
File opened for modification	C:\Windows\SysWOW64\Magnify.exe	d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165.exe
File opened for modification	C:\Windows\SysWOW64\netsh.exe	d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165.exe
File opened for modification	C:\Windows\SysWOW64\rdrleakdiag.exe	d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165.exe
File opened for modification	C:\Windows\SysWOW64\sethc.exe	d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165.exe
File opened for modification	C:\Windows\SysWOW64\syskey.exe	d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165.exe
File opened for modification	C:\Windows\SysWOW64\Dism.exe	d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165.exe
File opened for modification	C:\Windows\SysWOW64\makecab.exe	d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165.exe
File opened for modification	C:\Windows\SysWOW64\netiougc.exe	d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165.exe
File opened for modification	C:\Windows\SysWOW64\SearchIndexer.exe	d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165.exe
File opened for modification	C:\Windows\SysWOW64\extrac32.exe	d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165.exe
File opened for modification	C:\Windows\SysWOW64\mountvol.exe	d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165.exe
File opened for modification	C:\Windows\SysWOW64\ntkrnlpa.exe	d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165.exe
File opened for modification	C:\Windows\SysWOW64\tracerpt.exe	d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165.exe
File opened for modification	C:\Windows\SysWOW64\chkdsk.exe	d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165.exe
File opened for modification	C:\Windows\SysWOW64\driverquery.exe	d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165.exe
File opened for modification	C:\Windows\SysWOW64\efsui.exe	d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165.exe
File opened for modification	C:\Windows\SysWOW64\replace.exe	d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165.exe
File opened for modification	C:\Windows\SysWOW64\SystemPropertiesHardware.exe	d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165.exe
File opened for modification	C:\Windows\SysWOW64\SystemPropertiesPerformance.exe	d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165.exe
File opened for modification	C:\Windows\SysWOW64\choice.exe	d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165.exe
File opened for modification	C:\Windows\SysWOW64\cliconfg.exe	d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165.exe
File opened for modification	C:\Windows\SysWOW64\expand.exe	d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165.exe
File opened for modification	C:\Windows\SysWOW64\DisplaySwitch.exe	d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165.exe
File opened for modification	C:\Windows\SysWOW64\RMActivate_ssp.exe	d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165.exe
File opened for modification	C:\Windows\SysWOW64\sxstrace.exe	d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165.exe
File opened for modification	C:\Windows\SysWOW64\systray.exe	d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165.exe
File opened for modification	C:\Windows\SysWOW64\wininit.exe	d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165.exe
File opened for modification	C:\Windows\SysWOW64\ComputerDefaults.exe	d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165.exe
File opened for modification	C:\Windows\SysWOW64\DeviceProperties.exe	d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165.exe
File opened for modification	C:\Windows\SysWOW64\PATHPING.EXE	d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165.exe
File opened for modification	C:\Windows\SysWOW64\cleanmgr.exe	d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165.exe
File opened for modification	C:\Windows\SysWOW64\MRINFO.EXE	d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165.exe
File opened for modification	C:\Windows\SysWOW64\TRACERT.EXE	d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165.exe
File opened for modification	C:\Windows\SysWOW64\dccw.exe	d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165.exe

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE	d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE	d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE	d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\IEContentService.exe	d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\misc.exe	d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ONENOTE.EXE	d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PPTICO.EXE	d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\VPREVIEW.EXE	d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\pss\system.ini.backup	d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165.exe
File opened for modification	C:\Windows\pss\win.ini.backup	d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165.exe
File created	C:\Windows\pss\win.ini.backup	d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165.exe
File opened for modification	C:\Windows\system.ini	d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165.exe
File opened for modification	C:\Windows\ehome\mcspad.exe	d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165.exe
File opened for modification	C:\Windows\hh.exe	d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165.exe
File opened for modification	C:\Windows\notepad.exe	d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165.exe
File opened for modification	C:\Windows\twunk_32.exe	d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165.exe
File opened for modification	C:\Windows\win.ini	d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165.exe
File opened for modification	C:\Windows\ehome\ehshell.exe	d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165.exe
File opened for modification	C:\Windows\ehome\mcupdate.exe	d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165.exe
File created	C:\Windows\pss\system.ini.backup	d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2004	d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2004	d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165.exe
2004	d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165.exe

C:\Users\Admin\AppData\Local\Temp\d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165.exe
"C:\Users\Admin\AppData\Local\Temp\d744e3c3e43a525f220220783d4519069c31ade0dcd688b2e3e1b80ae389c165.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2004

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2004-54-0x0000000075811000-0x0000000075813000-memory.dmp

Filesize
8KB

Download