ebad56b5e05f8514fd6a4bd0938b002b4c2e20c84b4ddd72b8e7d21ab0497644

Analysis

max time kernel
170s
max time network
185s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
20/10/2022, 03:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ebad56b5e05f8514fd6a4bd0938b002b4c2e20c84b4ddd72b8e7d21ab0497644.exe
Size

34KB
MD5

4b7b764de45fe80c9ccc554111dc9740
SHA1

a29c46726896fca6ceb78934ba0a7686fc0813eb
SHA256

ebad56b5e05f8514fd6a4bd0938b002b4c2e20c84b4ddd72b8e7d21ab0497644
SHA512

df0871c71e0ef0e0a8441a0fa3c4098611343470284a53487660a08719a56b84d35abbedd701def7d198600220085016842604a4e954e01c411a9b28114d2f15
SSDEEP

384:GHpnAGbWXQRcaaMI2u3+ORLwb0I6SNpcTA0pjt53xY7QlCZugFC0khiMYWIDWYbJ:GKOuK8RLwoI6MiA0pj3hL2C0Yiv5

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\msdt.exe	ebad56b5e05f8514fd6a4bd0938b002b4c2e20c84b4ddd72b8e7d21ab0497644.exe
File opened for modification	C:\Windows\SysWOW64\netbtugc.exe	ebad56b5e05f8514fd6a4bd0938b002b4c2e20c84b4ddd72b8e7d21ab0497644.exe
File opened for modification	C:\Windows\SysWOW64\relog.exe	ebad56b5e05f8514fd6a4bd0938b002b4c2e20c84b4ddd72b8e7d21ab0497644.exe
File opened for modification	C:\Windows\SysWOW64\wscadminui.exe	ebad56b5e05f8514fd6a4bd0938b002b4c2e20c84b4ddd72b8e7d21ab0497644.exe
File opened for modification	C:\Windows\SysWOW64\CheckNetIsolation.exe	ebad56b5e05f8514fd6a4bd0938b002b4c2e20c84b4ddd72b8e7d21ab0497644.exe
File opened for modification	C:\Windows\SysWOW64\mfpmp.exe	ebad56b5e05f8514fd6a4bd0938b002b4c2e20c84b4ddd72b8e7d21ab0497644.exe
File opened for modification	C:\Windows\SysWOW64\dpnsvr.exe	ebad56b5e05f8514fd6a4bd0938b002b4c2e20c84b4ddd72b8e7d21ab0497644.exe
File opened for modification	C:\Windows\SysWOW64\ftp.exe	ebad56b5e05f8514fd6a4bd0938b002b4c2e20c84b4ddd72b8e7d21ab0497644.exe
File opened for modification	C:\Windows\SysWOW64\MRINFO.EXE	ebad56b5e05f8514fd6a4bd0938b002b4c2e20c84b4ddd72b8e7d21ab0497644.exe
File opened for modification	C:\Windows\SysWOW64\schtasks.exe	ebad56b5e05f8514fd6a4bd0938b002b4c2e20c84b4ddd72b8e7d21ab0497644.exe
File opened for modification	C:\Windows\SysWOW64\shrpubw.exe	ebad56b5e05f8514fd6a4bd0938b002b4c2e20c84b4ddd72b8e7d21ab0497644.exe
File opened for modification	C:\Windows\SysWOW64\cmdl32.exe	ebad56b5e05f8514fd6a4bd0938b002b4c2e20c84b4ddd72b8e7d21ab0497644.exe
File opened for modification	C:\Windows\SysWOW64\cmstp.exe	ebad56b5e05f8514fd6a4bd0938b002b4c2e20c84b4ddd72b8e7d21ab0497644.exe
File opened for modification	C:\Windows\SysWOW64\dvdplay.exe	ebad56b5e05f8514fd6a4bd0938b002b4c2e20c84b4ddd72b8e7d21ab0497644.exe
File opened for modification	C:\Windows\SysWOW64\EhStorAuthn.exe	ebad56b5e05f8514fd6a4bd0938b002b4c2e20c84b4ddd72b8e7d21ab0497644.exe
File opened for modification	C:\Windows\SysWOW64\GamePanel.exe	ebad56b5e05f8514fd6a4bd0938b002b4c2e20c84b4ddd72b8e7d21ab0497644.exe
File opened for modification	C:\Windows\SysWOW64\LaunchTM.exe	ebad56b5e05f8514fd6a4bd0938b002b4c2e20c84b4ddd72b8e7d21ab0497644.exe
File opened for modification	C:\Windows\SysWOW64\tar.exe	ebad56b5e05f8514fd6a4bd0938b002b4c2e20c84b4ddd72b8e7d21ab0497644.exe
File opened for modification	C:\Windows\SysWOW64\wextract.exe	ebad56b5e05f8514fd6a4bd0938b002b4c2e20c84b4ddd72b8e7d21ab0497644.exe
File opened for modification	C:\Windows\SysWOW64\cmmon32.exe	ebad56b5e05f8514fd6a4bd0938b002b4c2e20c84b4ddd72b8e7d21ab0497644.exe
File opened for modification	C:\Windows\SysWOW64\cttune.exe	ebad56b5e05f8514fd6a4bd0938b002b4c2e20c84b4ddd72b8e7d21ab0497644.exe
File opened for modification	C:\Windows\SysWOW64\mmgaserver.exe	ebad56b5e05f8514fd6a4bd0938b002b4c2e20c84b4ddd72b8e7d21ab0497644.exe
File opened for modification	C:\Windows\SysWOW64\RdpSa.exe	ebad56b5e05f8514fd6a4bd0938b002b4c2e20c84b4ddd72b8e7d21ab0497644.exe
File opened for modification	C:\Windows\SysWOW64\reg.exe	ebad56b5e05f8514fd6a4bd0938b002b4c2e20c84b4ddd72b8e7d21ab0497644.exe
File opened for modification	C:\Windows\SysWOW64\SpatialAudioLicenseSrv.exe	ebad56b5e05f8514fd6a4bd0938b002b4c2e20c84b4ddd72b8e7d21ab0497644.exe
File opened for modification	C:\Windows\SysWOW64\SystemPropertiesRemote.exe	ebad56b5e05f8514fd6a4bd0938b002b4c2e20c84b4ddd72b8e7d21ab0497644.exe
File opened for modification	C:\Windows\SysWOW64\tracerpt.exe	ebad56b5e05f8514fd6a4bd0938b002b4c2e20c84b4ddd72b8e7d21ab0497644.exe
File opened for modification	C:\Windows\SysWOW64\TSTheme.exe	ebad56b5e05f8514fd6a4bd0938b002b4c2e20c84b4ddd72b8e7d21ab0497644.exe
File opened for modification	C:\Windows\SysWOW64\UserAccountControlSettings.exe	ebad56b5e05f8514fd6a4bd0938b002b4c2e20c84b4ddd72b8e7d21ab0497644.exe
File opened for modification	C:\Windows\SysWOW64\certreq.exe	ebad56b5e05f8514fd6a4bd0938b002b4c2e20c84b4ddd72b8e7d21ab0497644.exe
File opened for modification	C:\Windows\SysWOW64\fontview.exe	ebad56b5e05f8514fd6a4bd0938b002b4c2e20c84b4ddd72b8e7d21ab0497644.exe
File opened for modification	C:\Windows\SysWOW64\printui.exe	ebad56b5e05f8514fd6a4bd0938b002b4c2e20c84b4ddd72b8e7d21ab0497644.exe
File opened for modification	C:\Windows\SysWOW64\RmClient.exe	ebad56b5e05f8514fd6a4bd0938b002b4c2e20c84b4ddd72b8e7d21ab0497644.exe
File opened for modification	C:\Windows\SysWOW64\w32tm.exe	ebad56b5e05f8514fd6a4bd0938b002b4c2e20c84b4ddd72b8e7d21ab0497644.exe
File opened for modification	C:\Windows\SysWOW64\control.exe	ebad56b5e05f8514fd6a4bd0938b002b4c2e20c84b4ddd72b8e7d21ab0497644.exe
File opened for modification	C:\Windows\SysWOW64\OneDriveSetup.exe	ebad56b5e05f8514fd6a4bd0938b002b4c2e20c84b4ddd72b8e7d21ab0497644.exe
File opened for modification	C:\Windows\SysWOW64\instnm.exe	ebad56b5e05f8514fd6a4bd0938b002b4c2e20c84b4ddd72b8e7d21ab0497644.exe
File opened for modification	C:\Windows\SysWOW64\ndadmin.exe	ebad56b5e05f8514fd6a4bd0938b002b4c2e20c84b4ddd72b8e7d21ab0497644.exe
File opened for modification	C:\Windows\SysWOW64\nslookup.exe	ebad56b5e05f8514fd6a4bd0938b002b4c2e20c84b4ddd72b8e7d21ab0497644.exe
File opened for modification	C:\Windows\SysWOW64\perfhost.exe	ebad56b5e05f8514fd6a4bd0938b002b4c2e20c84b4ddd72b8e7d21ab0497644.exe
File opened for modification	C:\Windows\SysWOW64\shutdown.exe	ebad56b5e05f8514fd6a4bd0938b002b4c2e20c84b4ddd72b8e7d21ab0497644.exe
File opened for modification	C:\Windows\SysWOW64\user.exe	ebad56b5e05f8514fd6a4bd0938b002b4c2e20c84b4ddd72b8e7d21ab0497644.exe
File opened for modification	C:\Windows\SysWOW64\cttunesvr.exe	ebad56b5e05f8514fd6a4bd0938b002b4c2e20c84b4ddd72b8e7d21ab0497644.exe
File opened for modification	C:\Windows\SysWOW64\hh.exe	ebad56b5e05f8514fd6a4bd0938b002b4c2e20c84b4ddd72b8e7d21ab0497644.exe
File opened for modification	C:\Windows\SysWOW64\secinit.exe	ebad56b5e05f8514fd6a4bd0938b002b4c2e20c84b4ddd72b8e7d21ab0497644.exe
File opened for modification	C:\Windows\SysWOW64\UserAccountBroker.exe	ebad56b5e05f8514fd6a4bd0938b002b4c2e20c84b4ddd72b8e7d21ab0497644.exe
File opened for modification	C:\Windows\SysWOW64\CredentialUIBroker.exe	ebad56b5e05f8514fd6a4bd0938b002b4c2e20c84b4ddd72b8e7d21ab0497644.exe
File opened for modification	C:\Windows\SysWOW64\RMActivate_isv.exe	ebad56b5e05f8514fd6a4bd0938b002b4c2e20c84b4ddd72b8e7d21ab0497644.exe
File opened for modification	C:\Windows\SysWOW64\find.exe	ebad56b5e05f8514fd6a4bd0938b002b4c2e20c84b4ddd72b8e7d21ab0497644.exe
File opened for modification	C:\Windows\SysWOW64\InfDefaultInstall.exe	ebad56b5e05f8514fd6a4bd0938b002b4c2e20c84b4ddd72b8e7d21ab0497644.exe
File opened for modification	C:\Windows\SysWOW64\mountvol.exe	ebad56b5e05f8514fd6a4bd0938b002b4c2e20c84b4ddd72b8e7d21ab0497644.exe
File opened for modification	C:\Windows\SysWOW64\msra.exe	ebad56b5e05f8514fd6a4bd0938b002b4c2e20c84b4ddd72b8e7d21ab0497644.exe
File opened for modification	C:\Windows\SysWOW64\sxstrace.exe	ebad56b5e05f8514fd6a4bd0938b002b4c2e20c84b4ddd72b8e7d21ab0497644.exe
File opened for modification	C:\Windows\SysWOW64\unlodctr.exe	ebad56b5e05f8514fd6a4bd0938b002b4c2e20c84b4ddd72b8e7d21ab0497644.exe
File opened for modification	C:\Windows\SysWOW64\appidtel.exe	ebad56b5e05f8514fd6a4bd0938b002b4c2e20c84b4ddd72b8e7d21ab0497644.exe
File opened for modification	C:\Windows\SysWOW64\EaseOfAccessDialog.exe	ebad56b5e05f8514fd6a4bd0938b002b4c2e20c84b4ddd72b8e7d21ab0497644.exe
File opened for modification	C:\Windows\SysWOW64\ktmutil.exe	ebad56b5e05f8514fd6a4bd0938b002b4c2e20c84b4ddd72b8e7d21ab0497644.exe
File opened for modification	C:\Windows\SysWOW64\SecEdit.exe	ebad56b5e05f8514fd6a4bd0938b002b4c2e20c84b4ddd72b8e7d21ab0497644.exe
File opened for modification	C:\Windows\SysWOW64\setx.exe	ebad56b5e05f8514fd6a4bd0938b002b4c2e20c84b4ddd72b8e7d21ab0497644.exe
File opened for modification	C:\Windows\SysWOW64\ComputerDefaults.exe	ebad56b5e05f8514fd6a4bd0938b002b4c2e20c84b4ddd72b8e7d21ab0497644.exe
File opened for modification	C:\Windows\SysWOW64\eventcreate.exe	ebad56b5e05f8514fd6a4bd0938b002b4c2e20c84b4ddd72b8e7d21ab0497644.exe
File opened for modification	C:\Windows\SysWOW64\SystemPropertiesDataExecutionPrevention.exe	ebad56b5e05f8514fd6a4bd0938b002b4c2e20c84b4ddd72b8e7d21ab0497644.exe
File opened for modification	C:\Windows\SysWOW64\TpmInit.exe	ebad56b5e05f8514fd6a4bd0938b002b4c2e20c84b4ddd72b8e7d21ab0497644.exe
File opened for modification	C:\Windows\SysWOW64\wermgr.exe	ebad56b5e05f8514fd6a4bd0938b002b4c2e20c84b4ddd72b8e7d21ab0497644.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\hh.exe	ebad56b5e05f8514fd6a4bd0938b002b4c2e20c84b4ddd72b8e7d21ab0497644.exe
File opened for modification	C:\Windows\notepad.exe	ebad56b5e05f8514fd6a4bd0938b002b4c2e20c84b4ddd72b8e7d21ab0497644.exe
File opened for modification	C:\Windows\splwow64.exe	ebad56b5e05f8514fd6a4bd0938b002b4c2e20c84b4ddd72b8e7d21ab0497644.exe
File opened for modification	C:\Windows\winhlp32.exe	ebad56b5e05f8514fd6a4bd0938b002b4c2e20c84b4ddd72b8e7d21ab0497644.exe
File opened for modification	C:\Windows\write.exe	ebad56b5e05f8514fd6a4bd0938b002b4c2e20c84b4ddd72b8e7d21ab0497644.exe
File opened for modification	C:\Windows\bfsvc.exe	ebad56b5e05f8514fd6a4bd0938b002b4c2e20c84b4ddd72b8e7d21ab0497644.exe
File opened for modification	C:\Windows\explorer.exe	ebad56b5e05f8514fd6a4bd0938b002b4c2e20c84b4ddd72b8e7d21ab0497644.exe
File opened for modification	C:\Windows\HelpPane.exe	ebad56b5e05f8514fd6a4bd0938b002b4c2e20c84b4ddd72b8e7d21ab0497644.exe

C:\Users\Admin\AppData\Local\Temp\ebad56b5e05f8514fd6a4bd0938b002b4c2e20c84b4ddd72b8e7d21ab0497644.exe
"C:\Users\Admin\AppData\Local\Temp\ebad56b5e05f8514fd6a4bd0938b002b4c2e20c84b4ddd72b8e7d21ab0497644.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:5040

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/5040-135-0x0000000001000000-0x000000000100EB00-memory.dmp

Filesize
58KB

Download
memory/5040-136-0x0000000001000000-0x000000000100EB00-memory.dmp

Filesize
58KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads