c987f8d54f943adf1d150a77c5293b20972189d505fc62dbc86a27796571cbb8

Analysis

max time kernel
41s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
04-10-2022 05:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c987f8d54f943adf1d150a77c5293b20972189d505fc62dbc86a27796571cbb8.exe
Size

15KB
MD5

5cf4085fc67f51b63b64a5e3eb17bce0
SHA1

48e868b55e611d5a6aeddd9305332abca74a419c
SHA256

c987f8d54f943adf1d150a77c5293b20972189d505fc62dbc86a27796571cbb8
SHA512

4fa230a44c259476354bb02fb620b3a4871b400381ee96ab013abf45e762cabf9cdfda4406c8dd8231877282a601156f85fcfb2c0f24039c86a12ccc00527bf5
SSDEEP

384:IDw20Y+Qi0d+jLJo+LCLq9yQBFUnSXWOCWq+WHdx:Is201O+jN/CLtQBySaWqX

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\cleanmgr.exe	c987f8d54f943adf1d150a77c5293b20972189d505fc62dbc86a27796571cbb8.exe
File opened for modification	C:\Windows\SysWOW64\cttunesvr.exe	c987f8d54f943adf1d150a77c5293b20972189d505fc62dbc86a27796571cbb8.exe
File opened for modification	C:\Windows\SysWOW64\gpupdate.exe	c987f8d54f943adf1d150a77c5293b20972189d505fc62dbc86a27796571cbb8.exe
File opened for modification	C:\Windows\SysWOW64\wowreg32.exe	c987f8d54f943adf1d150a77c5293b20972189d505fc62dbc86a27796571cbb8.exe
File opened for modification	C:\Windows\SysWOW64\DisplaySwitch.exe	c987f8d54f943adf1d150a77c5293b20972189d505fc62dbc86a27796571cbb8.exe
File opened for modification	C:\Windows\SysWOW64\DpiScaling.exe	c987f8d54f943adf1d150a77c5293b20972189d505fc62dbc86a27796571cbb8.exe
File opened for modification	C:\Windows\SysWOW64\hdwwiz.exe	c987f8d54f943adf1d150a77c5293b20972189d505fc62dbc86a27796571cbb8.exe
File opened for modification	C:\Windows\SysWOW64\print.exe	c987f8d54f943adf1d150a77c5293b20972189d505fc62dbc86a27796571cbb8.exe
File opened for modification	C:\Windows\SysWOW64\takeown.exe	c987f8d54f943adf1d150a77c5293b20972189d505fc62dbc86a27796571cbb8.exe
File opened for modification	C:\Windows\SysWOW64\Utilman.exe	c987f8d54f943adf1d150a77c5293b20972189d505fc62dbc86a27796571cbb8.exe
File opened for modification	C:\Windows\SysWOW64\DeviceProperties.exe	c987f8d54f943adf1d150a77c5293b20972189d505fc62dbc86a27796571cbb8.exe
File opened for modification	C:\Windows\SysWOW64\EhStorAuthn.exe	c987f8d54f943adf1d150a77c5293b20972189d505fc62dbc86a27796571cbb8.exe
File opened for modification	C:\Windows\SysWOW64\unregmp2.exe	c987f8d54f943adf1d150a77c5293b20972189d505fc62dbc86a27796571cbb8.exe
File opened for modification	C:\Windows\SysWOW64\wscript.exe	c987f8d54f943adf1d150a77c5293b20972189d505fc62dbc86a27796571cbb8.exe
File opened for modification	C:\Windows\SysWOW64\cmmon32.exe	c987f8d54f943adf1d150a77c5293b20972189d505fc62dbc86a27796571cbb8.exe
File opened for modification	C:\Windows\SysWOW64\pcaui.exe	c987f8d54f943adf1d150a77c5293b20972189d505fc62dbc86a27796571cbb8.exe
File opened for modification	C:\Windows\SysWOW64\rdrleakdiag.exe	c987f8d54f943adf1d150a77c5293b20972189d505fc62dbc86a27796571cbb8.exe
File opened for modification	C:\Windows\SysWOW64\TpmInit.exe	c987f8d54f943adf1d150a77c5293b20972189d505fc62dbc86a27796571cbb8.exe
File opened for modification	C:\Windows\SysWOW64\verifier.exe	c987f8d54f943adf1d150a77c5293b20972189d505fc62dbc86a27796571cbb8.exe
File opened for modification	C:\Windows\SysWOW64\WSManHTTPConfig.exe	c987f8d54f943adf1d150a77c5293b20972189d505fc62dbc86a27796571cbb8.exe
File opened for modification	C:\Windows\SysWOW64\wermgr.exe	c987f8d54f943adf1d150a77c5293b20972189d505fc62dbc86a27796571cbb8.exe
File opened for modification	C:\Windows\SysWOW64\winrs.exe	c987f8d54f943adf1d150a77c5293b20972189d505fc62dbc86a27796571cbb8.exe
File opened for modification	C:\Windows\SysWOW64\dccw.exe	c987f8d54f943adf1d150a77c5293b20972189d505fc62dbc86a27796571cbb8.exe
File opened for modification	C:\Windows\SysWOW64\dllhost.exe	c987f8d54f943adf1d150a77c5293b20972189d505fc62dbc86a27796571cbb8.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	c987f8d54f943adf1d150a77c5293b20972189d505fc62dbc86a27796571cbb8.exe
File opened for modification	C:\Windows\SysWOW64\MigAutoPlay.exe	c987f8d54f943adf1d150a77c5293b20972189d505fc62dbc86a27796571cbb8.exe
File opened for modification	C:\Windows\SysWOW64\runas.exe	c987f8d54f943adf1d150a77c5293b20972189d505fc62dbc86a27796571cbb8.exe
File opened for modification	C:\Windows\SysWOW64\secinit.exe	c987f8d54f943adf1d150a77c5293b20972189d505fc62dbc86a27796571cbb8.exe
File opened for modification	C:\Windows\SysWOW64\cscript.exe	c987f8d54f943adf1d150a77c5293b20972189d505fc62dbc86a27796571cbb8.exe
File opened for modification	C:\Windows\SysWOW64\doskey.exe	c987f8d54f943adf1d150a77c5293b20972189d505fc62dbc86a27796571cbb8.exe
File opened for modification	C:\Windows\SysWOW64\DWWIN.EXE	c987f8d54f943adf1d150a77c5293b20972189d505fc62dbc86a27796571cbb8.exe
File opened for modification	C:\Windows\SysWOW64\rasphone.exe	c987f8d54f943adf1d150a77c5293b20972189d505fc62dbc86a27796571cbb8.exe
File opened for modification	C:\Windows\SysWOW64\SearchProtocolHost.exe	c987f8d54f943adf1d150a77c5293b20972189d505fc62dbc86a27796571cbb8.exe
File opened for modification	C:\Windows\SysWOW64\waitfor.exe	c987f8d54f943adf1d150a77c5293b20972189d505fc62dbc86a27796571cbb8.exe
File opened for modification	C:\Windows\SysWOW64\rasautou.exe	c987f8d54f943adf1d150a77c5293b20972189d505fc62dbc86a27796571cbb8.exe
File opened for modification	C:\Windows\SysWOW64\tzutil.exe	c987f8d54f943adf1d150a77c5293b20972189d505fc62dbc86a27796571cbb8.exe
File opened for modification	C:\Windows\SysWOW64\wininit.exe	c987f8d54f943adf1d150a77c5293b20972189d505fc62dbc86a27796571cbb8.exe
File opened for modification	C:\Windows\SysWOW64\msinfo32.exe	c987f8d54f943adf1d150a77c5293b20972189d505fc62dbc86a27796571cbb8.exe
File opened for modification	C:\Windows\SysWOW64\ReAgentc.exe	c987f8d54f943adf1d150a77c5293b20972189d505fc62dbc86a27796571cbb8.exe
File opened for modification	C:\Windows\SysWOW64\SyncHost.exe	c987f8d54f943adf1d150a77c5293b20972189d505fc62dbc86a27796571cbb8.exe
File opened for modification	C:\Windows\SysWOW64\SystemPropertiesComputerName.exe	c987f8d54f943adf1d150a77c5293b20972189d505fc62dbc86a27796571cbb8.exe
File opened for modification	C:\Windows\SysWOW64\unlodctr.exe	c987f8d54f943adf1d150a77c5293b20972189d505fc62dbc86a27796571cbb8.exe
File opened for modification	C:\Windows\SysWOW64\wimserv.exe	c987f8d54f943adf1d150a77c5293b20972189d505fc62dbc86a27796571cbb8.exe
File opened for modification	C:\Windows\SysWOW64\ktmutil.exe	c987f8d54f943adf1d150a77c5293b20972189d505fc62dbc86a27796571cbb8.exe
File opened for modification	C:\Windows\SysWOW64\RmClient.exe	c987f8d54f943adf1d150a77c5293b20972189d505fc62dbc86a27796571cbb8.exe
File opened for modification	C:\Windows\SysWOW64\rundll32.exe	c987f8d54f943adf1d150a77c5293b20972189d505fc62dbc86a27796571cbb8.exe
File opened for modification	C:\Windows\SysWOW64\sdbinst.exe	c987f8d54f943adf1d150a77c5293b20972189d505fc62dbc86a27796571cbb8.exe
File opened for modification	C:\Windows\SysWOW64\SystemPropertiesProtection.exe	c987f8d54f943adf1d150a77c5293b20972189d505fc62dbc86a27796571cbb8.exe
File opened for modification	C:\Windows\SysWOW64\tracerpt.exe	c987f8d54f943adf1d150a77c5293b20972189d505fc62dbc86a27796571cbb8.exe
File opened for modification	C:\Windows\SysWOW64\attrib.exe	c987f8d54f943adf1d150a77c5293b20972189d505fc62dbc86a27796571cbb8.exe
File opened for modification	C:\Windows\SysWOW64\dpapimig.exe	c987f8d54f943adf1d150a77c5293b20972189d505fc62dbc86a27796571cbb8.exe
File opened for modification	C:\Windows\SysWOW64\extrac32.exe	c987f8d54f943adf1d150a77c5293b20972189d505fc62dbc86a27796571cbb8.exe
File opened for modification	C:\Windows\SysWOW64\gpresult.exe	c987f8d54f943adf1d150a77c5293b20972189d505fc62dbc86a27796571cbb8.exe
File opened for modification	C:\Windows\SysWOW64\shutdown.exe	c987f8d54f943adf1d150a77c5293b20972189d505fc62dbc86a27796571cbb8.exe
File opened for modification	C:\Windows\SysWOW64\SystemPropertiesPerformance.exe	c987f8d54f943adf1d150a77c5293b20972189d505fc62dbc86a27796571cbb8.exe
File opened for modification	C:\Windows\SysWOW64\TsWpfWrp.exe	c987f8d54f943adf1d150a77c5293b20972189d505fc62dbc86a27796571cbb8.exe
File opened for modification	C:\Windows\SysWOW64\dialer.exe	c987f8d54f943adf1d150a77c5293b20972189d505fc62dbc86a27796571cbb8.exe
File opened for modification	C:\Windows\SysWOW64\LocationNotifications.exe	c987f8d54f943adf1d150a77c5293b20972189d505fc62dbc86a27796571cbb8.exe
File opened for modification	C:\Windows\SysWOW64\SecEdit.exe	c987f8d54f943adf1d150a77c5293b20972189d505fc62dbc86a27796571cbb8.exe
File opened for modification	C:\Windows\SysWOW64\sfc.exe	c987f8d54f943adf1d150a77c5293b20972189d505fc62dbc86a27796571cbb8.exe
File opened for modification	C:\Windows\SysWOW64\TRACERT.EXE	c987f8d54f943adf1d150a77c5293b20972189d505fc62dbc86a27796571cbb8.exe
File opened for modification	C:\Windows\SysWOW64\autoconv.exe	c987f8d54f943adf1d150a77c5293b20972189d505fc62dbc86a27796571cbb8.exe
File opened for modification	C:\Windows\SysWOW64\diskpart.exe	c987f8d54f943adf1d150a77c5293b20972189d505fc62dbc86a27796571cbb8.exe
File opened for modification	C:\Windows\SysWOW64\diskraid.exe	c987f8d54f943adf1d150a77c5293b20972189d505fc62dbc86a27796571cbb8.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\HelpPane.exe	c987f8d54f943adf1d150a77c5293b20972189d505fc62dbc86a27796571cbb8.exe
File opened for modification	C:\Windows\notepad.exe	c987f8d54f943adf1d150a77c5293b20972189d505fc62dbc86a27796571cbb8.exe
File opened for modification	C:\Windows\splwow64.exe	c987f8d54f943adf1d150a77c5293b20972189d505fc62dbc86a27796571cbb8.exe
File opened for modification	C:\Windows\twunk_16.exe	c987f8d54f943adf1d150a77c5293b20972189d505fc62dbc86a27796571cbb8.exe
File opened for modification	C:\Windows\winhlp32.exe	c987f8d54f943adf1d150a77c5293b20972189d505fc62dbc86a27796571cbb8.exe
File opened for modification	C:\Windows\explorer.exe	c987f8d54f943adf1d150a77c5293b20972189d505fc62dbc86a27796571cbb8.exe
File opened for modification	C:\Windows\fveupdate.exe	c987f8d54f943adf1d150a77c5293b20972189d505fc62dbc86a27796571cbb8.exe
File opened for modification	C:\Windows\hh.exe	c987f8d54f943adf1d150a77c5293b20972189d505fc62dbc86a27796571cbb8.exe
File opened for modification	C:\Windows\twunk_32.exe	c987f8d54f943adf1d150a77c5293b20972189d505fc62dbc86a27796571cbb8.exe
File opened for modification	C:\Windows\write.exe	c987f8d54f943adf1d150a77c5293b20972189d505fc62dbc86a27796571cbb8.exe
File opened for modification	C:\Windows\bfsvc.exe	c987f8d54f943adf1d150a77c5293b20972189d505fc62dbc86a27796571cbb8.exe

C:\Users\Admin\AppData\Local\Temp\c987f8d54f943adf1d150a77c5293b20972189d505fc62dbc86a27796571cbb8.exe
"C:\Users\Admin\AppData\Local\Temp\c987f8d54f943adf1d150a77c5293b20972189d505fc62dbc86a27796571cbb8.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:968

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/968-54-0x0000000001000000-0x0000000001006B00-memory.dmp

Filesize
26KB

Download
memory/968-55-0x0000000001000000-0x0000000001006B00-memory.dmp

Filesize
26KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads