db9d3250eea2976949a1ed98f0e4375e870b7df8ad4b44245aaa08e68dd0b440

Analysis

max time kernel
46s
max time network
51s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
11-10-2022 12:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db9d3250eea2976949a1ed98f0e4375e870b7df8ad4b44245aaa08e68dd0b440.exe
Size

76KB
MD5

6cb88b97745be3aa26a5e9d31cbd5e4a
SHA1

b589aecd6a73429beb074984a9a8fba2e483573d
SHA256

db9d3250eea2976949a1ed98f0e4375e870b7df8ad4b44245aaa08e68dd0b440
SHA512

6f304d1e46f8f90ff8c1e1ff2e00f73f115b4c793552dbabbca8ea985b239bfc283b33f02c837edbf7325f0e1a92c7e24aaa8c2f31b481d44c74e5abc4e3be11
SSDEEP

1536:ZM29i3sIas2cKMCIroCNOG/qbQB1UY9dyTAmsEta:43TaslDXqbCyTAmsEta

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\attrib.exe	db9d3250eea2976949a1ed98f0e4375e870b7df8ad4b44245aaa08e68dd0b440.exe
File opened for modification	C:\Windows\SysWOW64\iscsicli.exe	db9d3250eea2976949a1ed98f0e4375e870b7df8ad4b44245aaa08e68dd0b440.exe
File opened for modification	C:\Windows\SysWOW64\raserver.exe	db9d3250eea2976949a1ed98f0e4375e870b7df8ad4b44245aaa08e68dd0b440.exe
File opened for modification	C:\Windows\SysWOW64\taskkill.exe	db9d3250eea2976949a1ed98f0e4375e870b7df8ad4b44245aaa08e68dd0b440.exe
File opened for modification	C:\Windows\SysWOW64\xpsrchvw.exe	db9d3250eea2976949a1ed98f0e4375e870b7df8ad4b44245aaa08e68dd0b440.exe
File opened for modification	C:\Windows\SysWOW64\autochk.exe	db9d3250eea2976949a1ed98f0e4375e870b7df8ad4b44245aaa08e68dd0b440.exe
File opened for modification	C:\Windows\SysWOW64\sc.exe	db9d3250eea2976949a1ed98f0e4375e870b7df8ad4b44245aaa08e68dd0b440.exe
File opened for modification	C:\Windows\SysWOW64\wininit.exe	db9d3250eea2976949a1ed98f0e4375e870b7df8ad4b44245aaa08e68dd0b440.exe
File opened for modification	C:\Windows\SysWOW64\diantz.exe	db9d3250eea2976949a1ed98f0e4375e870b7df8ad4b44245aaa08e68dd0b440.exe
File opened for modification	C:\Windows\SysWOW64\dllhost.exe	db9d3250eea2976949a1ed98f0e4375e870b7df8ad4b44245aaa08e68dd0b440.exe
File opened for modification	C:\Windows\SysWOW64\mfpmp.exe	db9d3250eea2976949a1ed98f0e4375e870b7df8ad4b44245aaa08e68dd0b440.exe
File opened for modification	C:\Windows\SysWOW64\setx.exe	db9d3250eea2976949a1ed98f0e4375e870b7df8ad4b44245aaa08e68dd0b440.exe
File opened for modification	C:\Windows\SysWOW64\RunLegacyCPLElevated.exe	db9d3250eea2976949a1ed98f0e4375e870b7df8ad4b44245aaa08e68dd0b440.exe
File opened for modification	C:\Windows\SysWOW64\whoami.exe	db9d3250eea2976949a1ed98f0e4375e870b7df8ad4b44245aaa08e68dd0b440.exe
File opened for modification	C:\Windows\SysWOW64\certutil.exe	db9d3250eea2976949a1ed98f0e4375e870b7df8ad4b44245aaa08e68dd0b440.exe
File opened for modification	C:\Windows\SysWOW64\cmstp.exe	db9d3250eea2976949a1ed98f0e4375e870b7df8ad4b44245aaa08e68dd0b440.exe
File opened for modification	C:\Windows\SysWOW64\HOSTNAME.EXE	db9d3250eea2976949a1ed98f0e4375e870b7df8ad4b44245aaa08e68dd0b440.exe
File opened for modification	C:\Windows\SysWOW64\PresentationHost.exe	db9d3250eea2976949a1ed98f0e4375e870b7df8ad4b44245aaa08e68dd0b440.exe
File opened for modification	C:\Windows\SysWOW64\replace.exe	db9d3250eea2976949a1ed98f0e4375e870b7df8ad4b44245aaa08e68dd0b440.exe
File opened for modification	C:\Windows\SysWOW64\SystemPropertiesComputerName.exe	db9d3250eea2976949a1ed98f0e4375e870b7df8ad4b44245aaa08e68dd0b440.exe
File opened for modification	C:\Windows\SysWOW64\unlodctr.exe	db9d3250eea2976949a1ed98f0e4375e870b7df8ad4b44245aaa08e68dd0b440.exe
File opened for modification	C:\Windows\SysWOW64\EhStorAuthn.exe	db9d3250eea2976949a1ed98f0e4375e870b7df8ad4b44245aaa08e68dd0b440.exe
File opened for modification	C:\Windows\SysWOW64\psr.exe	db9d3250eea2976949a1ed98f0e4375e870b7df8ad4b44245aaa08e68dd0b440.exe
File opened for modification	C:\Windows\SysWOW64\regedt32.exe	db9d3250eea2976949a1ed98f0e4375e870b7df8ad4b44245aaa08e68dd0b440.exe
File opened for modification	C:\Windows\SysWOW64\waitfor.exe	db9d3250eea2976949a1ed98f0e4375e870b7df8ad4b44245aaa08e68dd0b440.exe
File opened for modification	C:\Windows\SysWOW64\recover.exe	db9d3250eea2976949a1ed98f0e4375e870b7df8ad4b44245aaa08e68dd0b440.exe
File opened for modification	C:\Windows\SysWOW64\chkntfs.exe	db9d3250eea2976949a1ed98f0e4375e870b7df8ad4b44245aaa08e68dd0b440.exe
File opened for modification	C:\Windows\SysWOW64\cliconfg.exe	db9d3250eea2976949a1ed98f0e4375e870b7df8ad4b44245aaa08e68dd0b440.exe
File opened for modification	C:\Windows\SysWOW64\fsutil.exe	db9d3250eea2976949a1ed98f0e4375e870b7df8ad4b44245aaa08e68dd0b440.exe
File opened for modification	C:\Windows\SysWOW64\unregmp2.exe	db9d3250eea2976949a1ed98f0e4375e870b7df8ad4b44245aaa08e68dd0b440.exe
File opened for modification	C:\Windows\SysWOW64\wextract.exe	db9d3250eea2976949a1ed98f0e4375e870b7df8ad4b44245aaa08e68dd0b440.exe
File opened for modification	C:\Windows\SysWOW64\bthudtask.exe	db9d3250eea2976949a1ed98f0e4375e870b7df8ad4b44245aaa08e68dd0b440.exe
File opened for modification	C:\Windows\SysWOW64\eventvwr.exe	db9d3250eea2976949a1ed98f0e4375e870b7df8ad4b44245aaa08e68dd0b440.exe
File opened for modification	C:\Windows\SysWOW64\wuapp.exe	db9d3250eea2976949a1ed98f0e4375e870b7df8ad4b44245aaa08e68dd0b440.exe
File opened for modification	C:\Windows\SysWOW64\SearchProtocolHost.exe	db9d3250eea2976949a1ed98f0e4375e870b7df8ad4b44245aaa08e68dd0b440.exe
File opened for modification	C:\Windows\SysWOW64\upnpcont.exe	db9d3250eea2976949a1ed98f0e4375e870b7df8ad4b44245aaa08e68dd0b440.exe
File opened for modification	C:\Windows\SysWOW64\userinit.exe	db9d3250eea2976949a1ed98f0e4375e870b7df8ad4b44245aaa08e68dd0b440.exe
File opened for modification	C:\Windows\SysWOW64\diskpart.exe	db9d3250eea2976949a1ed98f0e4375e870b7df8ad4b44245aaa08e68dd0b440.exe
File opened for modification	C:\Windows\SysWOW64\notepad.exe	db9d3250eea2976949a1ed98f0e4375e870b7df8ad4b44245aaa08e68dd0b440.exe
File opened for modification	C:\Windows\SysWOW64\openfiles.exe	db9d3250eea2976949a1ed98f0e4375e870b7df8ad4b44245aaa08e68dd0b440.exe
File opened for modification	C:\Windows\SysWOW64\rdrleakdiag.exe	db9d3250eea2976949a1ed98f0e4375e870b7df8ad4b44245aaa08e68dd0b440.exe
File opened for modification	C:\Windows\SysWOW64\tcmsetup.exe	db9d3250eea2976949a1ed98f0e4375e870b7df8ad4b44245aaa08e68dd0b440.exe
File opened for modification	C:\Windows\SysWOW64\lodctr.exe	db9d3250eea2976949a1ed98f0e4375e870b7df8ad4b44245aaa08e68dd0b440.exe
File opened for modification	C:\Windows\SysWOW64\osk.exe	db9d3250eea2976949a1ed98f0e4375e870b7df8ad4b44245aaa08e68dd0b440.exe
File opened for modification	C:\Windows\SysWOW64\rasphone.exe	db9d3250eea2976949a1ed98f0e4375e870b7df8ad4b44245aaa08e68dd0b440.exe
File opened for modification	C:\Windows\SysWOW64\Netplwiz.exe	db9d3250eea2976949a1ed98f0e4375e870b7df8ad4b44245aaa08e68dd0b440.exe
File opened for modification	C:\Windows\SysWOW64\CertEnrollCtrl.exe	db9d3250eea2976949a1ed98f0e4375e870b7df8ad4b44245aaa08e68dd0b440.exe
File opened for modification	C:\Windows\SysWOW64\drvinst.exe	db9d3250eea2976949a1ed98f0e4375e870b7df8ad4b44245aaa08e68dd0b440.exe
File opened for modification	C:\Windows\SysWOW64\print.exe	db9d3250eea2976949a1ed98f0e4375e870b7df8ad4b44245aaa08e68dd0b440.exe
File opened for modification	C:\Windows\SysWOW64\relog.exe	db9d3250eea2976949a1ed98f0e4375e870b7df8ad4b44245aaa08e68dd0b440.exe
File opened for modification	C:\Windows\SysWOW64\runas.exe	db9d3250eea2976949a1ed98f0e4375e870b7df8ad4b44245aaa08e68dd0b440.exe
File opened for modification	C:\Windows\SysWOW64\SystemPropertiesPerformance.exe	db9d3250eea2976949a1ed98f0e4375e870b7df8ad4b44245aaa08e68dd0b440.exe
File opened for modification	C:\Windows\SysWOW64\taskmgr.exe	db9d3250eea2976949a1ed98f0e4375e870b7df8ad4b44245aaa08e68dd0b440.exe
File opened for modification	C:\Windows\SysWOW64\logagent.exe	db9d3250eea2976949a1ed98f0e4375e870b7df8ad4b44245aaa08e68dd0b440.exe
File opened for modification	C:\Windows\SysWOW64\msiexec.exe	db9d3250eea2976949a1ed98f0e4375e870b7df8ad4b44245aaa08e68dd0b440.exe
File opened for modification	C:\Windows\SysWOW64\winver.exe	db9d3250eea2976949a1ed98f0e4375e870b7df8ad4b44245aaa08e68dd0b440.exe
File opened for modification	C:\Windows\SysWOW64\clip.exe	db9d3250eea2976949a1ed98f0e4375e870b7df8ad4b44245aaa08e68dd0b440.exe
File opened for modification	C:\Windows\SysWOW64\WerFaultSecure.exe	db9d3250eea2976949a1ed98f0e4375e870b7df8ad4b44245aaa08e68dd0b440.exe
File opened for modification	C:\Windows\SysWOW64\dpnsvr.exe	db9d3250eea2976949a1ed98f0e4375e870b7df8ad4b44245aaa08e68dd0b440.exe
File opened for modification	C:\Windows\SysWOW64\mstsc.exe	db9d3250eea2976949a1ed98f0e4375e870b7df8ad4b44245aaa08e68dd0b440.exe
File opened for modification	C:\Windows\SysWOW64\wiaacmgr.exe	db9d3250eea2976949a1ed98f0e4375e870b7df8ad4b44245aaa08e68dd0b440.exe
File opened for modification	C:\Windows\SysWOW64\cmdl32.exe	db9d3250eea2976949a1ed98f0e4375e870b7df8ad4b44245aaa08e68dd0b440.exe
File opened for modification	C:\Windows\SysWOW64\nslookup.exe	db9d3250eea2976949a1ed98f0e4375e870b7df8ad4b44245aaa08e68dd0b440.exe
File opened for modification	C:\Windows\SysWOW64\syskey.exe	db9d3250eea2976949a1ed98f0e4375e870b7df8ad4b44245aaa08e68dd0b440.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\explorer.exe	db9d3250eea2976949a1ed98f0e4375e870b7df8ad4b44245aaa08e68dd0b440.exe
File opened for modification	C:\Windows\HelpPane.exe	db9d3250eea2976949a1ed98f0e4375e870b7df8ad4b44245aaa08e68dd0b440.exe
File opened for modification	C:\Windows\hh.exe	db9d3250eea2976949a1ed98f0e4375e870b7df8ad4b44245aaa08e68dd0b440.exe
File opened for modification	C:\Windows\notepad.exe	db9d3250eea2976949a1ed98f0e4375e870b7df8ad4b44245aaa08e68dd0b440.exe
File opened for modification	C:\Windows\twunk_32.exe	db9d3250eea2976949a1ed98f0e4375e870b7df8ad4b44245aaa08e68dd0b440.exe
File opened for modification	C:\Windows\winhlp32.exe	db9d3250eea2976949a1ed98f0e4375e870b7df8ad4b44245aaa08e68dd0b440.exe
File opened for modification	C:\Windows\bfsvc.exe	db9d3250eea2976949a1ed98f0e4375e870b7df8ad4b44245aaa08e68dd0b440.exe
File opened for modification	C:\Windows\fveupdate.exe	db9d3250eea2976949a1ed98f0e4375e870b7df8ad4b44245aaa08e68dd0b440.exe
File opened for modification	C:\Windows\splwow64.exe	db9d3250eea2976949a1ed98f0e4375e870b7df8ad4b44245aaa08e68dd0b440.exe
File opened for modification	C:\Windows\twunk_16.exe	db9d3250eea2976949a1ed98f0e4375e870b7df8ad4b44245aaa08e68dd0b440.exe
File opened for modification	C:\Windows\write.exe	db9d3250eea2976949a1ed98f0e4375e870b7df8ad4b44245aaa08e68dd0b440.exe

C:\Users\Admin\AppData\Local\Temp\db9d3250eea2976949a1ed98f0e4375e870b7df8ad4b44245aaa08e68dd0b440.exe
"C:\Users\Admin\AppData\Local\Temp\db9d3250eea2976949a1ed98f0e4375e870b7df8ad4b44245aaa08e68dd0b440.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:1204

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1204-54-0x0000000001000000-0x000000000103DB00-memory.dmp

Filesize
246KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads