5916c6638f75cf4f061d75d67974aeb495efc4f83ff78d3bba070ca81f15eada

Analysis

max time kernel
112s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2022, 20:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5916c6638f75cf4f061d75d67974aeb495efc4f83ff78d3bba070ca81f15eada.exe
Size

30KB
MD5

399f9d2c2f6679bfba6dce055c5e2060
SHA1

e5ef5520cebc4042ef1d103497dfdcc74b47d5da
SHA256

5916c6638f75cf4f061d75d67974aeb495efc4f83ff78d3bba070ca81f15eada
SHA512

aeba5f6a2cb22faf32b9a6a3883b13c2de1cba038780e015f4c567d9fa02ee4dcd3f3b7497ba409101fb3593230e611372e9e26949f00c1b62f99756e3defacb
SSDEEP

384:lZ6qKAPpQmVQIk04PjWtr7nltWYMiYNJ1wORBLVuEKniBibltumCiUoytRNcwXtQ:X6qtPpkH0nTYNJ5uE/UJtumuzXAybw

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\TsWpfWrp.exe	5916c6638f75cf4f061d75d67974aeb495efc4f83ff78d3bba070ca81f15eada.exe
File opened for modification	C:\Windows\SysWOW64\cacls.exe	5916c6638f75cf4f061d75d67974aeb495efc4f83ff78d3bba070ca81f15eada.exe
File opened for modification	C:\Windows\SysWOW64\finger.exe	5916c6638f75cf4f061d75d67974aeb495efc4f83ff78d3bba070ca81f15eada.exe
File opened for modification	C:\Windows\SysWOW64\ktmutil.exe	5916c6638f75cf4f061d75d67974aeb495efc4f83ff78d3bba070ca81f15eada.exe
File opened for modification	C:\Windows\SysWOW64\Magnify.exe	5916c6638f75cf4f061d75d67974aeb495efc4f83ff78d3bba070ca81f15eada.exe
File opened for modification	C:\Windows\SysWOW64\mobsync.exe	5916c6638f75cf4f061d75d67974aeb495efc4f83ff78d3bba070ca81f15eada.exe
File opened for modification	C:\Windows\SysWOW64\NETSTAT.EXE	5916c6638f75cf4f061d75d67974aeb495efc4f83ff78d3bba070ca81f15eada.exe
File opened for modification	C:\Windows\SysWOW64\psr.exe	5916c6638f75cf4f061d75d67974aeb495efc4f83ff78d3bba070ca81f15eada.exe
File opened for modification	C:\Windows\SysWOW64\RMActivate_ssp.exe	5916c6638f75cf4f061d75d67974aeb495efc4f83ff78d3bba070ca81f15eada.exe
File opened for modification	C:\Windows\SysWOW64\RunLegacyCPLElevated.exe	5916c6638f75cf4f061d75d67974aeb495efc4f83ff78d3bba070ca81f15eada.exe
File opened for modification	C:\Windows\SysWOW64\AtBroker.exe	5916c6638f75cf4f061d75d67974aeb495efc4f83ff78d3bba070ca81f15eada.exe
File opened for modification	C:\Windows\SysWOW64\backgroundTaskHost.exe	5916c6638f75cf4f061d75d67974aeb495efc4f83ff78d3bba070ca81f15eada.exe
File opened for modification	C:\Windows\SysWOW64\eventvwr.exe	5916c6638f75cf4f061d75d67974aeb495efc4f83ff78d3bba070ca81f15eada.exe
File opened for modification	C:\Windows\SysWOW64\PresentationHost.exe	5916c6638f75cf4f061d75d67974aeb495efc4f83ff78d3bba070ca81f15eada.exe
File opened for modification	C:\Windows\SysWOW64\clip.exe	5916c6638f75cf4f061d75d67974aeb495efc4f83ff78d3bba070ca81f15eada.exe
File opened for modification	C:\Windows\SysWOW64\unlodctr.exe	5916c6638f75cf4f061d75d67974aeb495efc4f83ff78d3bba070ca81f15eada.exe
File opened for modification	C:\Windows\SysWOW64\SystemPropertiesComputerName.exe	5916c6638f75cf4f061d75d67974aeb495efc4f83ff78d3bba070ca81f15eada.exe
File opened for modification	C:\Windows\SysWOW64\WWAHost.exe	5916c6638f75cf4f061d75d67974aeb495efc4f83ff78d3bba070ca81f15eada.exe
File opened for modification	C:\Windows\SysWOW64\ddodiag.exe	5916c6638f75cf4f061d75d67974aeb495efc4f83ff78d3bba070ca81f15eada.exe
File opened for modification	C:\Windows\SysWOW64\dxdiag.exe	5916c6638f75cf4f061d75d67974aeb495efc4f83ff78d3bba070ca81f15eada.exe
File opened for modification	C:\Windows\SysWOW64\logman.exe	5916c6638f75cf4f061d75d67974aeb495efc4f83ff78d3bba070ca81f15eada.exe
File opened for modification	C:\Windows\SysWOW64\SearchIndexer.exe	5916c6638f75cf4f061d75d67974aeb495efc4f83ff78d3bba070ca81f15eada.exe
File opened for modification	C:\Windows\SysWOW64\RmClient.exe	5916c6638f75cf4f061d75d67974aeb495efc4f83ff78d3bba070ca81f15eada.exe
File opened for modification	C:\Windows\SysWOW64\TpmInit.exe	5916c6638f75cf4f061d75d67974aeb495efc4f83ff78d3bba070ca81f15eada.exe
File opened for modification	C:\Windows\SysWOW64\where.exe	5916c6638f75cf4f061d75d67974aeb495efc4f83ff78d3bba070ca81f15eada.exe
File opened for modification	C:\Windows\SysWOW64\DpiScaling.exe	5916c6638f75cf4f061d75d67974aeb495efc4f83ff78d3bba070ca81f15eada.exe
File opened for modification	C:\Windows\SysWOW64\PasswordOnWakeSettingFlyout.exe	5916c6638f75cf4f061d75d67974aeb495efc4f83ff78d3bba070ca81f15eada.exe
File opened for modification	C:\Windows\SysWOW64\RdpSa.exe	5916c6638f75cf4f061d75d67974aeb495efc4f83ff78d3bba070ca81f15eada.exe
File opened for modification	C:\Windows\SysWOW64\regsvr32.exe	5916c6638f75cf4f061d75d67974aeb495efc4f83ff78d3bba070ca81f15eada.exe
File opened for modification	C:\Windows\SysWOW64\dccw.exe	5916c6638f75cf4f061d75d67974aeb495efc4f83ff78d3bba070ca81f15eada.exe
File opened for modification	C:\Windows\SysWOW64\msinfo32.exe	5916c6638f75cf4f061d75d67974aeb495efc4f83ff78d3bba070ca81f15eada.exe
File opened for modification	C:\Windows\SysWOW64\mspaint.exe	5916c6638f75cf4f061d75d67974aeb495efc4f83ff78d3bba070ca81f15eada.exe
File opened for modification	C:\Windows\SysWOW64\userinit.exe	5916c6638f75cf4f061d75d67974aeb495efc4f83ff78d3bba070ca81f15eada.exe
File opened for modification	C:\Windows\SysWOW64\wecutil.exe	5916c6638f75cf4f061d75d67974aeb495efc4f83ff78d3bba070ca81f15eada.exe
File opened for modification	C:\Windows\SysWOW64\charmap.exe	5916c6638f75cf4f061d75d67974aeb495efc4f83ff78d3bba070ca81f15eada.exe
File opened for modification	C:\Windows\SysWOW64\cmdl32.exe	5916c6638f75cf4f061d75d67974aeb495efc4f83ff78d3bba070ca81f15eada.exe
File opened for modification	C:\Windows\SysWOW64\fltMC.exe	5916c6638f75cf4f061d75d67974aeb495efc4f83ff78d3bba070ca81f15eada.exe
File opened for modification	C:\Windows\SysWOW64\reg.exe	5916c6638f75cf4f061d75d67974aeb495efc4f83ff78d3bba070ca81f15eada.exe
File opened for modification	C:\Windows\SysWOW64\GameBarPresenceWriter.exe	5916c6638f75cf4f061d75d67974aeb495efc4f83ff78d3bba070ca81f15eada.exe
File opened for modification	C:\Windows\SysWOW64\sdiagnhost.exe	5916c6638f75cf4f061d75d67974aeb495efc4f83ff78d3bba070ca81f15eada.exe
File opened for modification	C:\Windows\SysWOW64\SystemUWPLauncher.exe	5916c6638f75cf4f061d75d67974aeb495efc4f83ff78d3bba070ca81f15eada.exe
File opened for modification	C:\Windows\SysWOW64\TapiUnattend.exe	5916c6638f75cf4f061d75d67974aeb495efc4f83ff78d3bba070ca81f15eada.exe
File opened for modification	C:\Windows\SysWOW64\dpapimig.exe	5916c6638f75cf4f061d75d67974aeb495efc4f83ff78d3bba070ca81f15eada.exe
File opened for modification	C:\Windows\SysWOW64\mshta.exe	5916c6638f75cf4f061d75d67974aeb495efc4f83ff78d3bba070ca81f15eada.exe
File opened for modification	C:\Windows\SysWOW64\certreq.exe	5916c6638f75cf4f061d75d67974aeb495efc4f83ff78d3bba070ca81f15eada.exe
File opened for modification	C:\Windows\SysWOW64\gpresult.exe	5916c6638f75cf4f061d75d67974aeb495efc4f83ff78d3bba070ca81f15eada.exe
File opened for modification	C:\Windows\SysWOW64\replace.exe	5916c6638f75cf4f061d75d67974aeb495efc4f83ff78d3bba070ca81f15eada.exe
File opened for modification	C:\Windows\SysWOW64\SystemPropertiesRemote.exe	5916c6638f75cf4f061d75d67974aeb495efc4f83ff78d3bba070ca81f15eada.exe
File opened for modification	C:\Windows\SysWOW64\help.exe	5916c6638f75cf4f061d75d67974aeb495efc4f83ff78d3bba070ca81f15eada.exe
File opened for modification	C:\Windows\SysWOW64\notepad.exe	5916c6638f75cf4f061d75d67974aeb495efc4f83ff78d3bba070ca81f15eada.exe
File opened for modification	C:\Windows\SysWOW64\OposHost.exe	5916c6638f75cf4f061d75d67974aeb495efc4f83ff78d3bba070ca81f15eada.exe
File opened for modification	C:\Windows\SysWOW64\wevtutil.exe	5916c6638f75cf4f061d75d67974aeb495efc4f83ff78d3bba070ca81f15eada.exe
File opened for modification	C:\Windows\SysWOW64\autofmt.exe	5916c6638f75cf4f061d75d67974aeb495efc4f83ff78d3bba070ca81f15eada.exe
File opened for modification	C:\Windows\SysWOW64\cttunesvr.exe	5916c6638f75cf4f061d75d67974aeb495efc4f83ff78d3bba070ca81f15eada.exe
File opened for modification	C:\Windows\SysWOW64\dialer.exe	5916c6638f75cf4f061d75d67974aeb495efc4f83ff78d3bba070ca81f15eada.exe
File opened for modification	C:\Windows\SysWOW64\fontview.exe	5916c6638f75cf4f061d75d67974aeb495efc4f83ff78d3bba070ca81f15eada.exe
File opened for modification	C:\Windows\SysWOW64\shrpubw.exe	5916c6638f75cf4f061d75d67974aeb495efc4f83ff78d3bba070ca81f15eada.exe
File opened for modification	C:\Windows\SysWOW64\bootcfg.exe	5916c6638f75cf4f061d75d67974aeb495efc4f83ff78d3bba070ca81f15eada.exe
File opened for modification	C:\Windows\SysWOW64\edpnotify.exe	5916c6638f75cf4f061d75d67974aeb495efc4f83ff78d3bba070ca81f15eada.exe
File opened for modification	C:\Windows\SysWOW64\odbcad32.exe	5916c6638f75cf4f061d75d67974aeb495efc4f83ff78d3bba070ca81f15eada.exe
File opened for modification	C:\Windows\SysWOW64\resmon.exe	5916c6638f75cf4f061d75d67974aeb495efc4f83ff78d3bba070ca81f15eada.exe
File opened for modification	C:\Windows\SysWOW64\takeown.exe	5916c6638f75cf4f061d75d67974aeb495efc4f83ff78d3bba070ca81f15eada.exe
File opened for modification	C:\Windows\SysWOW64\tasklist.exe	5916c6638f75cf4f061d75d67974aeb495efc4f83ff78d3bba070ca81f15eada.exe
File opened for modification	C:\Windows\SysWOW64\WinRTNetMUAHostServer.exe	5916c6638f75cf4f061d75d67974aeb495efc4f83ff78d3bba070ca81f15eada.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\notepad.exe	5916c6638f75cf4f061d75d67974aeb495efc4f83ff78d3bba070ca81f15eada.exe
File opened for modification	C:\Windows\splwow64.exe	5916c6638f75cf4f061d75d67974aeb495efc4f83ff78d3bba070ca81f15eada.exe
File opened for modification	C:\Windows\winhlp32.exe	5916c6638f75cf4f061d75d67974aeb495efc4f83ff78d3bba070ca81f15eada.exe
File opened for modification	C:\Windows\write.exe	5916c6638f75cf4f061d75d67974aeb495efc4f83ff78d3bba070ca81f15eada.exe
File opened for modification	C:\Windows\bfsvc.exe	5916c6638f75cf4f061d75d67974aeb495efc4f83ff78d3bba070ca81f15eada.exe
File opened for modification	C:\Windows\explorer.exe	5916c6638f75cf4f061d75d67974aeb495efc4f83ff78d3bba070ca81f15eada.exe
File opened for modification	C:\Windows\HelpPane.exe	5916c6638f75cf4f061d75d67974aeb495efc4f83ff78d3bba070ca81f15eada.exe
File opened for modification	C:\Windows\hh.exe	5916c6638f75cf4f061d75d67974aeb495efc4f83ff78d3bba070ca81f15eada.exe

C:\Users\Admin\AppData\Local\Temp\5916c6638f75cf4f061d75d67974aeb495efc4f83ff78d3bba070ca81f15eada.exe
"C:\Users\Admin\AppData\Local\Temp\5916c6638f75cf4f061d75d67974aeb495efc4f83ff78d3bba070ca81f15eada.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:4752

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4752-132-0x0000000001000000-0x000000000100AB00-memory.dmp

Filesize
42KB

Download
memory/4752-133-0x0000000001000000-0x000000000100AB00-memory.dmp

Filesize
42KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads