f46e6d696396a45374736d7794d16430bc3a5dc224b62e26155201ac39cf5ac9

General

Target

f46e6d696396a45374736d7794d16430bc3a5dc224b62e26155201ac39cf5ac9.exe
Size

375KB
MD5

4f099eeccc18d58de8fd9f85a990653d
SHA1

33706d7aa2e9d6c6bdde355a01a21baf887837fa
SHA256

f46e6d696396a45374736d7794d16430bc3a5dc224b62e26155201ac39cf5ac9
SHA512

474f630184552ba3a1b791da23c27eb9115e3c751c14a372d015f17f816e0f7fd80011282b1c2860b37e1bf4ab905a2b29251d7c5f7e5ba139fce8c807e49860
SSDEEP

6144:+BudLvxoeilwc4ybTNaaaOX99xERXmJqan0lS74MVdUfsUPxOBqwqUdeR2fSm2Hy:+Gfkwc4ybTNaaaqvE9mJxn0e4kUfsUZM

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\svchost.exe	f46e6d696396a45374736d7794d16430bc3a5dc224b62e26155201ac39cf5ac9.exe
File opened for modification	C:\Windows\SysWOW64\drivers\svchost.exe	f46e6d696396a45374736d7794d16430bc3a5dc224b62e26155201ac39cf5ac9.exe
File opened for modification	C:\Windows\SysWOW64\drivers\svchost.exe	svchost.exe

Executes dropped EXE 2 IoCs

pid	Process
2204	svchost.exe
3932	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1884 set thread context of 3952	1884	f46e6d696396a45374736d7794d16430bc3a5dc224b62e26155201ac39cf5ac9.exe	84
PID 2204 set thread context of 3932	2204	svchost.exe	86

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1884	f46e6d696396a45374736d7794d16430bc3a5dc224b62e26155201ac39cf5ac9.exe
1884	f46e6d696396a45374736d7794d16430bc3a5dc224b62e26155201ac39cf5ac9.exe
2204	svchost.exe
2204	svchost.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1884 wrote to memory of 3952	1884	f46e6d696396a45374736d7794d16430bc3a5dc224b62e26155201ac39cf5ac9.exe	84
PID 1884 wrote to memory of 3952	1884	f46e6d696396a45374736d7794d16430bc3a5dc224b62e26155201ac39cf5ac9.exe	84
PID 1884 wrote to memory of 3952	1884	f46e6d696396a45374736d7794d16430bc3a5dc224b62e26155201ac39cf5ac9.exe	84
PID 1884 wrote to memory of 3952	1884	f46e6d696396a45374736d7794d16430bc3a5dc224b62e26155201ac39cf5ac9.exe	84
PID 1884 wrote to memory of 3952	1884	f46e6d696396a45374736d7794d16430bc3a5dc224b62e26155201ac39cf5ac9.exe	84
PID 1884 wrote to memory of 3952	1884	f46e6d696396a45374736d7794d16430bc3a5dc224b62e26155201ac39cf5ac9.exe	84
PID 1884 wrote to memory of 3952	1884	f46e6d696396a45374736d7794d16430bc3a5dc224b62e26155201ac39cf5ac9.exe	84
PID 1884 wrote to memory of 3952	1884	f46e6d696396a45374736d7794d16430bc3a5dc224b62e26155201ac39cf5ac9.exe	84
PID 1884 wrote to memory of 3952	1884	f46e6d696396a45374736d7794d16430bc3a5dc224b62e26155201ac39cf5ac9.exe	84
PID 1884 wrote to memory of 3952	1884	f46e6d696396a45374736d7794d16430bc3a5dc224b62e26155201ac39cf5ac9.exe	84
PID 1884 wrote to memory of 3952	1884	f46e6d696396a45374736d7794d16430bc3a5dc224b62e26155201ac39cf5ac9.exe	84
PID 1884 wrote to memory of 3952	1884	f46e6d696396a45374736d7794d16430bc3a5dc224b62e26155201ac39cf5ac9.exe	84
PID 1884 wrote to memory of 3952	1884	f46e6d696396a45374736d7794d16430bc3a5dc224b62e26155201ac39cf5ac9.exe	84
PID 2204 wrote to memory of 3932	2204	svchost.exe	86
PID 2204 wrote to memory of 3932	2204	svchost.exe	86
PID 2204 wrote to memory of 3932	2204	svchost.exe	86
PID 2204 wrote to memory of 3932	2204	svchost.exe	86
PID 2204 wrote to memory of 3932	2204	svchost.exe	86
PID 2204 wrote to memory of 3932	2204	svchost.exe	86
PID 2204 wrote to memory of 3932	2204	svchost.exe	86
PID 2204 wrote to memory of 3932	2204	svchost.exe	86
PID 2204 wrote to memory of 3932	2204	svchost.exe	86
PID 2204 wrote to memory of 3932	2204	svchost.exe	86
PID 2204 wrote to memory of 3932	2204	svchost.exe	86
PID 2204 wrote to memory of 3932	2204	svchost.exe	86
PID 2204 wrote to memory of 3932	2204	svchost.exe	86

C:\Users\Admin\AppData\Local\Temp\f46e6d696396a45374736d7794d16430bc3a5dc224b62e26155201ac39cf5ac9.exe
"C:\Users\Admin\AppData\Local\Temp\f46e6d696396a45374736d7794d16430bc3a5dc224b62e26155201ac39cf5ac9.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1884
- C:\Users\Admin\AppData\Local\Temp\f46e6d696396a45374736d7794d16430bc3a5dc224b62e26155201ac39cf5ac9.exe
  C:\Users\Admin\AppData\Local\Temp\f46e6d696396a45374736d7794d16430bc3a5dc224b62e26155201ac39cf5ac9.exe
  2⤵
  - Drops file in Drivers directory
  PID:3952

C:\Windows\SysWOW64\drivers\svchost.exe
C:\Windows\SysWOW64\drivers\svchost.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Windows\SysWOW64\drivers\svchost.exe
  C:\Windows\SysWOW64\drivers\svchost.exe
  2⤵
  - Executes dropped EXE
  PID:3932

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\drivers\svchost.exe

Filesize
375KB

MD5
4f099eeccc18d58de8fd9f85a990653d

SHA1
33706d7aa2e9d6c6bdde355a01a21baf887837fa

SHA256
f46e6d696396a45374736d7794d16430bc3a5dc224b62e26155201ac39cf5ac9

SHA512
474f630184552ba3a1b791da23c27eb9115e3c751c14a372d015f17f816e0f7fd80011282b1c2860b37e1bf4ab905a2b29251d7c5f7e5ba139fce8c807e49860

Download Submit
C:\Windows\SysWOW64\drivers\svchost.exe

Filesize
375KB

MD5
4f099eeccc18d58de8fd9f85a990653d

SHA1
33706d7aa2e9d6c6bdde355a01a21baf887837fa

SHA256
f46e6d696396a45374736d7794d16430bc3a5dc224b62e26155201ac39cf5ac9

SHA512
474f630184552ba3a1b791da23c27eb9115e3c751c14a372d015f17f816e0f7fd80011282b1c2860b37e1bf4ab905a2b29251d7c5f7e5ba139fce8c807e49860

Download Submit
C:\Windows\SysWOW64\drivers\svchost.exe

Filesize
375KB

MD5
4f099eeccc18d58de8fd9f85a990653d

SHA1
33706d7aa2e9d6c6bdde355a01a21baf887837fa

SHA256
f46e6d696396a45374736d7794d16430bc3a5dc224b62e26155201ac39cf5ac9

SHA512
474f630184552ba3a1b791da23c27eb9115e3c751c14a372d015f17f816e0f7fd80011282b1c2860b37e1bf4ab905a2b29251d7c5f7e5ba139fce8c807e49860

Download Submit
memory/1884-134-0x0000000000610000-0x0000000000614000-memory.dmp

Filesize
16KB

Download
memory/3932-139-0x0000000000000000-mapping.dmp

Download
memory/3932-145-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3952-132-0x0000000000000000-mapping.dmp

Download
memory/3952-133-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3952-135-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3952-136-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3952-144-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing