2fe889b76fbe2dcc2ae965fa3c117bc95aff84ea4997d0e0e00f65f7db0ba292

Analysis

max time kernel
97s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2022, 00:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2fe889b76fbe2dcc2ae965fa3c117bc95aff84ea4997d0e0e00f65f7db0ba292.exe
Size

75KB
MD5

70c81a5137039438aa640589ccb8c280
SHA1

bc98ce9770a3a29c31f76322e84633fb83f5b987
SHA256

2fe889b76fbe2dcc2ae965fa3c117bc95aff84ea4997d0e0e00f65f7db0ba292
SHA512

170201232fe5948ceaa29f992d6c61347fd51df91ba5391a2d405186d4c09afa8f9d5a00fc9884d5bbf7dff33cc66fbf37eb42dacd5f68fdb0540aa1ee1486aa
SSDEEP

1536:ZVL3K7SPCsp3i7UamMGoXB4fmyYK4K9wBw6R4:rK7Sqsp3RanBXq5Yi9I4

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\mmgaserver.exe	2fe889b76fbe2dcc2ae965fa3c117bc95aff84ea4997d0e0e00f65f7db0ba292.exe
File opened for modification	C:\Windows\SysWOW64\Robocopy.exe	2fe889b76fbe2dcc2ae965fa3c117bc95aff84ea4997d0e0e00f65f7db0ba292.exe
File opened for modification	C:\Windows\SysWOW64\hdwwiz.exe	2fe889b76fbe2dcc2ae965fa3c117bc95aff84ea4997d0e0e00f65f7db0ba292.exe
File opened for modification	C:\Windows\SysWOW64\proquota.exe	2fe889b76fbe2dcc2ae965fa3c117bc95aff84ea4997d0e0e00f65f7db0ba292.exe
File opened for modification	C:\Windows\SysWOW64\TsWpfWrp.exe	2fe889b76fbe2dcc2ae965fa3c117bc95aff84ea4997d0e0e00f65f7db0ba292.exe
File opened for modification	C:\Windows\SysWOW64\WinRTNetMUAHostServer.exe	2fe889b76fbe2dcc2ae965fa3c117bc95aff84ea4997d0e0e00f65f7db0ba292.exe
File opened for modification	C:\Windows\SysWOW64\cmdkey.exe	2fe889b76fbe2dcc2ae965fa3c117bc95aff84ea4997d0e0e00f65f7db0ba292.exe
File opened for modification	C:\Windows\SysWOW64\diskpart.exe	2fe889b76fbe2dcc2ae965fa3c117bc95aff84ea4997d0e0e00f65f7db0ba292.exe
File opened for modification	C:\Windows\SysWOW64\gpscript.exe	2fe889b76fbe2dcc2ae965fa3c117bc95aff84ea4997d0e0e00f65f7db0ba292.exe
File opened for modification	C:\Windows\SysWOW64\write.exe	2fe889b76fbe2dcc2ae965fa3c117bc95aff84ea4997d0e0e00f65f7db0ba292.exe
File opened for modification	C:\Windows\SysWOW64\DWWIN.EXE	2fe889b76fbe2dcc2ae965fa3c117bc95aff84ea4997d0e0e00f65f7db0ba292.exe
File opened for modification	C:\Windows\SysWOW64\expand.exe	2fe889b76fbe2dcc2ae965fa3c117bc95aff84ea4997d0e0e00f65f7db0ba292.exe
File opened for modification	C:\Windows\SysWOW64\sdiagnhost.exe	2fe889b76fbe2dcc2ae965fa3c117bc95aff84ea4997d0e0e00f65f7db0ba292.exe
File opened for modification	C:\Windows\SysWOW64\msinfo32.exe	2fe889b76fbe2dcc2ae965fa3c117bc95aff84ea4997d0e0e00f65f7db0ba292.exe
File opened for modification	C:\Windows\SysWOW64\wevtutil.exe	2fe889b76fbe2dcc2ae965fa3c117bc95aff84ea4997d0e0e00f65f7db0ba292.exe
File opened for modification	C:\Windows\SysWOW64\wscript.exe	2fe889b76fbe2dcc2ae965fa3c117bc95aff84ea4997d0e0e00f65f7db0ba292.exe
File opened for modification	C:\Windows\SysWOW64\dcomcnfg.exe	2fe889b76fbe2dcc2ae965fa3c117bc95aff84ea4997d0e0e00f65f7db0ba292.exe
File opened for modification	C:\Windows\SysWOW64\fc.exe	2fe889b76fbe2dcc2ae965fa3c117bc95aff84ea4997d0e0e00f65f7db0ba292.exe
File opened for modification	C:\Windows\SysWOW64\fsutil.exe	2fe889b76fbe2dcc2ae965fa3c117bc95aff84ea4997d0e0e00f65f7db0ba292.exe
File opened for modification	C:\Windows\SysWOW64\AtBroker.exe	2fe889b76fbe2dcc2ae965fa3c117bc95aff84ea4997d0e0e00f65f7db0ba292.exe
File opened for modification	C:\Windows\SysWOW64\HOSTNAME.EXE	2fe889b76fbe2dcc2ae965fa3c117bc95aff84ea4997d0e0e00f65f7db0ba292.exe
File opened for modification	C:\Windows\SysWOW64\RMActivate_isv.exe	2fe889b76fbe2dcc2ae965fa3c117bc95aff84ea4997d0e0e00f65f7db0ba292.exe
File opened for modification	C:\Windows\SysWOW64\shrpubw.exe	2fe889b76fbe2dcc2ae965fa3c117bc95aff84ea4997d0e0e00f65f7db0ba292.exe
File opened for modification	C:\Windows\SysWOW64\takeown.exe	2fe889b76fbe2dcc2ae965fa3c117bc95aff84ea4997d0e0e00f65f7db0ba292.exe
File opened for modification	C:\Windows\SysWOW64\upnpcont.exe	2fe889b76fbe2dcc2ae965fa3c117bc95aff84ea4997d0e0e00f65f7db0ba292.exe
File opened for modification	C:\Windows\SysWOW64\WPDShextAutoplay.exe	2fe889b76fbe2dcc2ae965fa3c117bc95aff84ea4997d0e0e00f65f7db0ba292.exe
File opened for modification	C:\Windows\SysWOW64\CloudNotifications.exe	2fe889b76fbe2dcc2ae965fa3c117bc95aff84ea4997d0e0e00f65f7db0ba292.exe
File opened for modification	C:\Windows\SysWOW64\provlaunch.exe	2fe889b76fbe2dcc2ae965fa3c117bc95aff84ea4997d0e0e00f65f7db0ba292.exe
File opened for modification	C:\Windows\SysWOW64\regedt32.exe	2fe889b76fbe2dcc2ae965fa3c117bc95aff84ea4997d0e0e00f65f7db0ba292.exe
File opened for modification	C:\Windows\SysWOW64\rasautou.exe	2fe889b76fbe2dcc2ae965fa3c117bc95aff84ea4997d0e0e00f65f7db0ba292.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe	2fe889b76fbe2dcc2ae965fa3c117bc95aff84ea4997d0e0e00f65f7db0ba292.exe
File opened for modification	C:\Windows\SysWOW64\WerFault.exe	2fe889b76fbe2dcc2ae965fa3c117bc95aff84ea4997d0e0e00f65f7db0ba292.exe
File opened for modification	C:\Windows\SysWOW64\PickerHost.exe	2fe889b76fbe2dcc2ae965fa3c117bc95aff84ea4997d0e0e00f65f7db0ba292.exe
File opened for modification	C:\Windows\SysWOW64\tasklist.exe	2fe889b76fbe2dcc2ae965fa3c117bc95aff84ea4997d0e0e00f65f7db0ba292.exe
File opened for modification	C:\Windows\SysWOW64\wscadminui.exe	2fe889b76fbe2dcc2ae965fa3c117bc95aff84ea4997d0e0e00f65f7db0ba292.exe
File opened for modification	C:\Windows\SysWOW64\cliconfg.exe	2fe889b76fbe2dcc2ae965fa3c117bc95aff84ea4997d0e0e00f65f7db0ba292.exe
File opened for modification	C:\Windows\SysWOW64\dialer.exe	2fe889b76fbe2dcc2ae965fa3c117bc95aff84ea4997d0e0e00f65f7db0ba292.exe
File opened for modification	C:\Windows\SysWOW64\mcbuilder.exe	2fe889b76fbe2dcc2ae965fa3c117bc95aff84ea4997d0e0e00f65f7db0ba292.exe
File opened for modification	C:\Windows\SysWOW64\OpenWith.exe	2fe889b76fbe2dcc2ae965fa3c117bc95aff84ea4997d0e0e00f65f7db0ba292.exe
File opened for modification	C:\Windows\SysWOW64\OposHost.exe	2fe889b76fbe2dcc2ae965fa3c117bc95aff84ea4997d0e0e00f65f7db0ba292.exe
File opened for modification	C:\Windows\SysWOW64\PackagedCWALauncher.exe	2fe889b76fbe2dcc2ae965fa3c117bc95aff84ea4997d0e0e00f65f7db0ba292.exe
File opened for modification	C:\Windows\SysWOW64\SystemPropertiesHardware.exe	2fe889b76fbe2dcc2ae965fa3c117bc95aff84ea4997d0e0e00f65f7db0ba292.exe
File opened for modification	C:\Windows\SysWOW64\winrs.exe	2fe889b76fbe2dcc2ae965fa3c117bc95aff84ea4997d0e0e00f65f7db0ba292.exe
File opened for modification	C:\Windows\SysWOW64\cttune.exe	2fe889b76fbe2dcc2ae965fa3c117bc95aff84ea4997d0e0e00f65f7db0ba292.exe
File opened for modification	C:\Windows\SysWOW64\eventvwr.exe	2fe889b76fbe2dcc2ae965fa3c117bc95aff84ea4997d0e0e00f65f7db0ba292.exe
File opened for modification	C:\Windows\SysWOW64\ktmutil.exe	2fe889b76fbe2dcc2ae965fa3c117bc95aff84ea4997d0e0e00f65f7db0ba292.exe
File opened for modification	C:\Windows\SysWOW64\psr.exe	2fe889b76fbe2dcc2ae965fa3c117bc95aff84ea4997d0e0e00f65f7db0ba292.exe
File opened for modification	C:\Windows\SysWOW64\systeminfo.exe	2fe889b76fbe2dcc2ae965fa3c117bc95aff84ea4997d0e0e00f65f7db0ba292.exe
File opened for modification	C:\Windows\SysWOW64\where.exe	2fe889b76fbe2dcc2ae965fa3c117bc95aff84ea4997d0e0e00f65f7db0ba292.exe
File opened for modification	C:\Windows\SysWOW64\dtdump.exe	2fe889b76fbe2dcc2ae965fa3c117bc95aff84ea4997d0e0e00f65f7db0ba292.exe
File opened for modification	C:\Windows\SysWOW64\resmon.exe	2fe889b76fbe2dcc2ae965fa3c117bc95aff84ea4997d0e0e00f65f7db0ba292.exe
File opened for modification	C:\Windows\SysWOW64\Windows.WARP.JITService.exe	2fe889b76fbe2dcc2ae965fa3c117bc95aff84ea4997d0e0e00f65f7db0ba292.exe
File opened for modification	C:\Windows\SysWOW64\ByteCodeGenerator.exe	2fe889b76fbe2dcc2ae965fa3c117bc95aff84ea4997d0e0e00f65f7db0ba292.exe
File opened for modification	C:\Windows\SysWOW64\charmap.exe	2fe889b76fbe2dcc2ae965fa3c117bc95aff84ea4997d0e0e00f65f7db0ba292.exe
File opened for modification	C:\Windows\SysWOW64\RmClient.exe	2fe889b76fbe2dcc2ae965fa3c117bc95aff84ea4997d0e0e00f65f7db0ba292.exe
File opened for modification	C:\Windows\SysWOW64\autofmt.exe	2fe889b76fbe2dcc2ae965fa3c117bc95aff84ea4997d0e0e00f65f7db0ba292.exe
File opened for modification	C:\Windows\SysWOW64\CameraSettingsUIHost.exe	2fe889b76fbe2dcc2ae965fa3c117bc95aff84ea4997d0e0e00f65f7db0ba292.exe
File opened for modification	C:\Windows\SysWOW64\icsunattend.exe	2fe889b76fbe2dcc2ae965fa3c117bc95aff84ea4997d0e0e00f65f7db0ba292.exe
File opened for modification	C:\Windows\SysWOW64\raserver.exe	2fe889b76fbe2dcc2ae965fa3c117bc95aff84ea4997d0e0e00f65f7db0ba292.exe
File opened for modification	C:\Windows\SysWOW64\TpmInit.exe	2fe889b76fbe2dcc2ae965fa3c117bc95aff84ea4997d0e0e00f65f7db0ba292.exe
File opened for modification	C:\Windows\SysWOW64\cmd.exe	2fe889b76fbe2dcc2ae965fa3c117bc95aff84ea4997d0e0e00f65f7db0ba292.exe
File opened for modification	C:\Windows\SysWOW64\control.exe	2fe889b76fbe2dcc2ae965fa3c117bc95aff84ea4997d0e0e00f65f7db0ba292.exe
File opened for modification	C:\Windows\SysWOW64\extrac32.exe	2fe889b76fbe2dcc2ae965fa3c117bc95aff84ea4997d0e0e00f65f7db0ba292.exe
File opened for modification	C:\Windows\SysWOW64\mavinject.exe	2fe889b76fbe2dcc2ae965fa3c117bc95aff84ea4997d0e0e00f65f7db0ba292.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\hh.exe	2fe889b76fbe2dcc2ae965fa3c117bc95aff84ea4997d0e0e00f65f7db0ba292.exe
File opened for modification	C:\Windows\notepad.exe	2fe889b76fbe2dcc2ae965fa3c117bc95aff84ea4997d0e0e00f65f7db0ba292.exe
File opened for modification	C:\Windows\splwow64.exe	2fe889b76fbe2dcc2ae965fa3c117bc95aff84ea4997d0e0e00f65f7db0ba292.exe
File opened for modification	C:\Windows\winhlp32.exe	2fe889b76fbe2dcc2ae965fa3c117bc95aff84ea4997d0e0e00f65f7db0ba292.exe
File opened for modification	C:\Windows\write.exe	2fe889b76fbe2dcc2ae965fa3c117bc95aff84ea4997d0e0e00f65f7db0ba292.exe
File opened for modification	C:\Windows\bfsvc.exe	2fe889b76fbe2dcc2ae965fa3c117bc95aff84ea4997d0e0e00f65f7db0ba292.exe
File opened for modification	C:\Windows\explorer.exe	2fe889b76fbe2dcc2ae965fa3c117bc95aff84ea4997d0e0e00f65f7db0ba292.exe
File opened for modification	C:\Windows\HelpPane.exe	2fe889b76fbe2dcc2ae965fa3c117bc95aff84ea4997d0e0e00f65f7db0ba292.exe

C:\Users\Admin\AppData\Local\Temp\2fe889b76fbe2dcc2ae965fa3c117bc95aff84ea4997d0e0e00f65f7db0ba292.exe
"C:\Users\Admin\AppData\Local\Temp\2fe889b76fbe2dcc2ae965fa3c117bc95aff84ea4997d0e0e00f65f7db0ba292.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:1696

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1696-132-0x0000000001000000-0x0000000001015B00-memory.dmp

Filesize
86KB

Download
memory/1696-133-0x0000000001000000-0x0000000001015B00-memory.dmp

Filesize
86KB

Download
memory/1696-134-0x0000000001000000-0x0000000001015B00-memory.dmp

Filesize
86KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads