abc8102ed11d120f9797457ea1066d62ceda8440ae8582f0255252661ca6287b

Analysis

max time kernel
98s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2022, 14:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

abc8102ed11d120f9797457ea1066d62ceda8440ae8582f0255252661ca6287b.exe
Size

264KB
MD5

f7e85a61ce697299223fed18c428e6f0
SHA1

7936563709db9f68251735409a1d40a7cb188a80
SHA256

abc8102ed11d120f9797457ea1066d62ceda8440ae8582f0255252661ca6287b
SHA512

d99e5722461969cda9659b57a6016f2a6e297f48f8500a9e98f95238ee01fd989daaa5b5fe4255bea2c6af7315792f609dcc3581ccd845620ed1ee259c2d1a73
SSDEEP

6144:O9w8T9c1lBzcMZF7bwwBGY4EheDBxe8E:Mi1lB9F70wH4Mebe8

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3460	puid.exe
4192	puid.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4676 set thread context of 3452	4676	abc8102ed11d120f9797457ea1066d62ceda8440ae8582f0255252661ca6287b.exe	85
PID 3460 set thread context of 4192	3460	puid.exe	90

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4192	puid.exe
4192	puid.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSecurityPrivilege	3452	abc8102ed11d120f9797457ea1066d62ceda8440ae8582f0255252661ca6287b.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4676	abc8102ed11d120f9797457ea1066d62ceda8440ae8582f0255252661ca6287b.exe
3460	puid.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 4676 wrote to memory of 3452	4676	abc8102ed11d120f9797457ea1066d62ceda8440ae8582f0255252661ca6287b.exe	85
PID 4676 wrote to memory of 3452	4676	abc8102ed11d120f9797457ea1066d62ceda8440ae8582f0255252661ca6287b.exe	85
PID 4676 wrote to memory of 3452	4676	abc8102ed11d120f9797457ea1066d62ceda8440ae8582f0255252661ca6287b.exe	85
PID 4676 wrote to memory of 3452	4676	abc8102ed11d120f9797457ea1066d62ceda8440ae8582f0255252661ca6287b.exe	85
PID 4676 wrote to memory of 3452	4676	abc8102ed11d120f9797457ea1066d62ceda8440ae8582f0255252661ca6287b.exe	85
PID 4676 wrote to memory of 3452	4676	abc8102ed11d120f9797457ea1066d62ceda8440ae8582f0255252661ca6287b.exe	85
PID 4676 wrote to memory of 3452	4676	abc8102ed11d120f9797457ea1066d62ceda8440ae8582f0255252661ca6287b.exe	85
PID 4676 wrote to memory of 3452	4676	abc8102ed11d120f9797457ea1066d62ceda8440ae8582f0255252661ca6287b.exe	85
PID 4676 wrote to memory of 3452	4676	abc8102ed11d120f9797457ea1066d62ceda8440ae8582f0255252661ca6287b.exe	85
PID 4676 wrote to memory of 3452	4676	abc8102ed11d120f9797457ea1066d62ceda8440ae8582f0255252661ca6287b.exe	85
PID 3452 wrote to memory of 3460	3452	abc8102ed11d120f9797457ea1066d62ceda8440ae8582f0255252661ca6287b.exe	86
PID 3452 wrote to memory of 3460	3452	abc8102ed11d120f9797457ea1066d62ceda8440ae8582f0255252661ca6287b.exe	86
PID 3452 wrote to memory of 3460	3452	abc8102ed11d120f9797457ea1066d62ceda8440ae8582f0255252661ca6287b.exe	86
PID 3460 wrote to memory of 4192	3460	puid.exe	90
PID 3460 wrote to memory of 4192	3460	puid.exe	90
PID 3460 wrote to memory of 4192	3460	puid.exe	90
PID 3460 wrote to memory of 4192	3460	puid.exe	90
PID 3460 wrote to memory of 4192	3460	puid.exe	90
PID 3460 wrote to memory of 4192	3460	puid.exe	90
PID 3460 wrote to memory of 4192	3460	puid.exe	90
PID 3460 wrote to memory of 4192	3460	puid.exe	90
PID 3460 wrote to memory of 4192	3460	puid.exe	90
PID 3460 wrote to memory of 4192	3460	puid.exe	90
PID 3452 wrote to memory of 4036	3452	abc8102ed11d120f9797457ea1066d62ceda8440ae8582f0255252661ca6287b.exe	91
PID 3452 wrote to memory of 4036	3452	abc8102ed11d120f9797457ea1066d62ceda8440ae8582f0255252661ca6287b.exe	91
PID 3452 wrote to memory of 4036	3452	abc8102ed11d120f9797457ea1066d62ceda8440ae8582f0255252661ca6287b.exe	91
PID 4192 wrote to memory of 3148	4192	puid.exe	93
PID 4192 wrote to memory of 3148	4192	puid.exe	93
PID 4192 wrote to memory of 3148	4192	puid.exe	93
PID 4192 wrote to memory of 3148	4192	puid.exe	93
PID 4192 wrote to memory of 3148	4192	puid.exe	93
PID 4192 wrote to memory of 3148	4192	puid.exe	93
PID 4192 wrote to memory of 3148	4192	puid.exe	93
PID 4192 wrote to memory of 3148	4192	puid.exe	93
PID 4192 wrote to memory of 3148	4192	puid.exe	93

C:\Users\Admin\AppData\Local\Temp\abc8102ed11d120f9797457ea1066d62ceda8440ae8582f0255252661ca6287b.exe
"C:\Users\Admin\AppData\Local\Temp\abc8102ed11d120f9797457ea1066d62ceda8440ae8582f0255252661ca6287b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4676
- C:\Users\Admin\AppData\Local\Temp\abc8102ed11d120f9797457ea1066d62ceda8440ae8582f0255252661ca6287b.exe
  "C:\Users\Admin\AppData\Local\Temp\abc8102ed11d120f9797457ea1066d62ceda8440ae8582f0255252661ca6287b.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3452
- - C:\Users\Admin\AppData\Roaming\Woapuq\puid.exe
    "C:\Users\Admin\AppData\Roaming\Woapuq\puid.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3460
  - - C:\Users\Admin\AppData\Roaming\Woapuq\puid.exe
      "C:\Users\Admin\AppData\Roaming\Woapuq\puid.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4192
    - - C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        5⤵
        
        PID:3148
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp6d38ef8c.bat"
    3⤵
    PID:4036

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6d38ef8c.bat

Filesize
307B

MD5
87456117d9ec2949687440c38afeaf4b

SHA1
4e8bbc76a213a490df577c5c4a36db23ab725206

SHA256
be3ecf6ac440307d260144864f4776e9b05658034b8152fb5d002db86e84001d

SHA512
dbd5872ca1639872822d128ebf49ccd4b3aefc689f06345e4fec3f04dd439d7f992469edc4a69edcc5952ecc0b0c24f8be25b2314ccd8d922a75bd30fa570693

Download Submit
C:\Users\Admin\AppData\Roaming\Woapuq\puid.exe

Filesize
264KB

MD5
10c43c7873b326a05bee91e9294e23ae

SHA1
b806449c2449ac9308fe26eb32bad02d34155644

SHA256
ed4501198f9af437b4753b2db2817da79863f086d30f77165bc72725423fe544

SHA512
0efa50643a9264b4c920c2a611c2f9f788f77b0b3dc33036a2c72ac48037e4474c5bb311eb54dc3b4bb460e158022e8a2046bee7676bab8a6c75b05f8adeabfd

Download Submit
C:\Users\Admin\AppData\Roaming\Woapuq\puid.exe

Filesize
264KB

MD5
10c43c7873b326a05bee91e9294e23ae

SHA1
b806449c2449ac9308fe26eb32bad02d34155644

SHA256
ed4501198f9af437b4753b2db2817da79863f086d30f77165bc72725423fe544

SHA512
0efa50643a9264b4c920c2a611c2f9f788f77b0b3dc33036a2c72ac48037e4474c5bb311eb54dc3b4bb460e158022e8a2046bee7676bab8a6c75b05f8adeabfd

Download Submit
C:\Users\Admin\AppData\Roaming\Woapuq\puid.exe

Filesize
264KB

MD5
10c43c7873b326a05bee91e9294e23ae

SHA1
b806449c2449ac9308fe26eb32bad02d34155644

SHA256
ed4501198f9af437b4753b2db2817da79863f086d30f77165bc72725423fe544

SHA512
0efa50643a9264b4c920c2a611c2f9f788f77b0b3dc33036a2c72ac48037e4474c5bb311eb54dc3b4bb460e158022e8a2046bee7676bab8a6c75b05f8adeabfd

Download Submit
memory/3148-159-0x00000000008B0000-0x00000000008DE000-memory.dmp

Filesize
184KB

Download
memory/3452-147-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3452-155-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3452-140-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3452-141-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3452-136-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3452-139-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3452-138-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4192-157-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4192-158-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4676-134-0x0000000002250000-0x0000000002256000-memory.dmp

Filesize
24KB

Download