f46e6d696396a45374736d7794d16430bc3a5dc224b62e26155201ac39cf5ac9

General

Target

f46e6d696396a45374736d7794d16430bc3a5dc224b62e26155201ac39cf5ac9.exe
Size

375KB
MD5

4f099eeccc18d58de8fd9f85a990653d
SHA1

33706d7aa2e9d6c6bdde355a01a21baf887837fa
SHA256

f46e6d696396a45374736d7794d16430bc3a5dc224b62e26155201ac39cf5ac9
SHA512

474f630184552ba3a1b791da23c27eb9115e3c751c14a372d015f17f816e0f7fd80011282b1c2860b37e1bf4ab905a2b29251d7c5f7e5ba139fce8c807e49860
SSDEEP

6144:+BudLvxoeilwc4ybTNaaaOX99xERXmJqan0lS74MVdUfsUPxOBqwqUdeR2fSm2Hy:+Gfkwc4ybTNaaaqvE9mJxn0e4kUfsUZM

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\svchost.exe	f46e6d696396a45374736d7794d16430bc3a5dc224b62e26155201ac39cf5ac9.exe
File opened for modification	C:\Windows\SysWOW64\drivers\svchost.exe	f46e6d696396a45374736d7794d16430bc3a5dc224b62e26155201ac39cf5ac9.exe
File opened for modification	C:\Windows\SysWOW64\drivers\svchost.exe	svchost.exe

Executes dropped EXE 2 IoCs

pid	Process
552	svchost.exe
856	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 828 set thread context of 976	828	f46e6d696396a45374736d7794d16430bc3a5dc224b62e26155201ac39cf5ac9.exe	27
PID 552 set thread context of 856	552	svchost.exe	29

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
828	f46e6d696396a45374736d7794d16430bc3a5dc224b62e26155201ac39cf5ac9.exe
552	svchost.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 828 wrote to memory of 976	828	f46e6d696396a45374736d7794d16430bc3a5dc224b62e26155201ac39cf5ac9.exe	27
PID 828 wrote to memory of 976	828	f46e6d696396a45374736d7794d16430bc3a5dc224b62e26155201ac39cf5ac9.exe	27
PID 828 wrote to memory of 976	828	f46e6d696396a45374736d7794d16430bc3a5dc224b62e26155201ac39cf5ac9.exe	27
PID 828 wrote to memory of 976	828	f46e6d696396a45374736d7794d16430bc3a5dc224b62e26155201ac39cf5ac9.exe	27
PID 828 wrote to memory of 976	828	f46e6d696396a45374736d7794d16430bc3a5dc224b62e26155201ac39cf5ac9.exe	27
PID 828 wrote to memory of 976	828	f46e6d696396a45374736d7794d16430bc3a5dc224b62e26155201ac39cf5ac9.exe	27
PID 828 wrote to memory of 976	828	f46e6d696396a45374736d7794d16430bc3a5dc224b62e26155201ac39cf5ac9.exe	27
PID 828 wrote to memory of 976	828	f46e6d696396a45374736d7794d16430bc3a5dc224b62e26155201ac39cf5ac9.exe	27
PID 828 wrote to memory of 976	828	f46e6d696396a45374736d7794d16430bc3a5dc224b62e26155201ac39cf5ac9.exe	27
PID 828 wrote to memory of 976	828	f46e6d696396a45374736d7794d16430bc3a5dc224b62e26155201ac39cf5ac9.exe	27
PID 828 wrote to memory of 976	828	f46e6d696396a45374736d7794d16430bc3a5dc224b62e26155201ac39cf5ac9.exe	27
PID 828 wrote to memory of 976	828	f46e6d696396a45374736d7794d16430bc3a5dc224b62e26155201ac39cf5ac9.exe	27
PID 552 wrote to memory of 856	552	svchost.exe	29
PID 552 wrote to memory of 856	552	svchost.exe	29
PID 552 wrote to memory of 856	552	svchost.exe	29
PID 552 wrote to memory of 856	552	svchost.exe	29
PID 552 wrote to memory of 856	552	svchost.exe	29
PID 552 wrote to memory of 856	552	svchost.exe	29
PID 552 wrote to memory of 856	552	svchost.exe	29
PID 552 wrote to memory of 856	552	svchost.exe	29
PID 552 wrote to memory of 856	552	svchost.exe	29
PID 552 wrote to memory of 856	552	svchost.exe	29
PID 552 wrote to memory of 856	552	svchost.exe	29
PID 552 wrote to memory of 856	552	svchost.exe	29

C:\Users\Admin\AppData\Local\Temp\f46e6d696396a45374736d7794d16430bc3a5dc224b62e26155201ac39cf5ac9.exe
"C:\Users\Admin\AppData\Local\Temp\f46e6d696396a45374736d7794d16430bc3a5dc224b62e26155201ac39cf5ac9.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:828
- C:\Users\Admin\AppData\Local\Temp\f46e6d696396a45374736d7794d16430bc3a5dc224b62e26155201ac39cf5ac9.exe
  C:\Users\Admin\AppData\Local\Temp\f46e6d696396a45374736d7794d16430bc3a5dc224b62e26155201ac39cf5ac9.exe
  2⤵
  - Drops file in Drivers directory
  PID:976

C:\Windows\SysWOW64\drivers\svchost.exe
C:\Windows\SysWOW64\drivers\svchost.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:552
- C:\Windows\SysWOW64\drivers\svchost.exe
  C:\Windows\SysWOW64\drivers\svchost.exe
  2⤵
  - Executes dropped EXE
  PID:856

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\drivers\svchost.exe

Filesize
375KB

MD5
4f099eeccc18d58de8fd9f85a990653d

SHA1
33706d7aa2e9d6c6bdde355a01a21baf887837fa

SHA256
f46e6d696396a45374736d7794d16430bc3a5dc224b62e26155201ac39cf5ac9

SHA512
474f630184552ba3a1b791da23c27eb9115e3c751c14a372d015f17f816e0f7fd80011282b1c2860b37e1bf4ab905a2b29251d7c5f7e5ba139fce8c807e49860

Download Submit
C:\Windows\SysWOW64\drivers\svchost.exe

Filesize
375KB

MD5
4f099eeccc18d58de8fd9f85a990653d

SHA1
33706d7aa2e9d6c6bdde355a01a21baf887837fa

SHA256
f46e6d696396a45374736d7794d16430bc3a5dc224b62e26155201ac39cf5ac9

SHA512
474f630184552ba3a1b791da23c27eb9115e3c751c14a372d015f17f816e0f7fd80011282b1c2860b37e1bf4ab905a2b29251d7c5f7e5ba139fce8c807e49860

Download Submit
C:\Windows\SysWOW64\drivers\svchost.exe

Filesize
375KB

MD5
4f099eeccc18d58de8fd9f85a990653d

SHA1
33706d7aa2e9d6c6bdde355a01a21baf887837fa

SHA256
f46e6d696396a45374736d7794d16430bc3a5dc224b62e26155201ac39cf5ac9

SHA512
474f630184552ba3a1b791da23c27eb9115e3c751c14a372d015f17f816e0f7fd80011282b1c2860b37e1bf4ab905a2b29251d7c5f7e5ba139fce8c807e49860

Download Submit
memory/828-67-0x00000000002B0000-0x00000000002B4000-memory.dmp

Filesize
16KB

Download
memory/828-54-0x0000000075BB1000-0x0000000075BB3000-memory.dmp

Filesize
8KB

Download
memory/856-91-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/856-85-0x0000000000429D88-mapping.dmp

Download
memory/976-59-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/976-65-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/976-66-0x0000000000429D88-mapping.dmp

Download
memory/976-70-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/976-68-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/976-63-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/976-61-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/976-60-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/976-58-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/976-56-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/976-87-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/976-55-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing