1b5bd11dc1f70206bbd084bb99000794367d91604611ebbc241c5402bbff52a8

Analysis

max time kernel
42s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27/10/2022, 17:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1_dispci.exe
Size

145KB
MD5

729aac64b0cb298a7c3b8afd79579cec
SHA1

63f4f51922b8f3c45606c8b3c2a8f8d06b0a15c4
SHA256

1b5bd11dc1f70206bbd084bb99000794367d91604611ebbc241c5402bbff52a8
SHA512

594982198a545152b2e1858f0cc3dc769ee161579a3b3f61f290f7123aeab29d22dc97c82d21559f35e66b7c0eb7a777a2e9a0125b189961497f0f95f2a20df9
SSDEEP

3072:RkeK/MwGT0834YW3pvyh8fcl/iL62iL6KK:2n/MZd4YW3pvyxl/ini

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\dllhst3g.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\driverquery.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\relog.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\credwiz.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\dpapimig.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\mmc.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\auditpol.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\certutil.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\cipher.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\rasphone.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\CertEnrollCtrl.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\dfrgui.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\msiexec.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\sdbinst.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\wuapp.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\ComputerDefaults.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\gpresult.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\net1.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\lodctr.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\TCPSVCS.EXE	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\setupSNK.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\typeperf.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\sethc.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\UserAccountControlSettings.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\logman.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\netsh.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\ntoskrnl.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\OptionalFeatures.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\SetIEInstalledDate.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\xwizard.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\cmstp.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\efsui.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\expand.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\find.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\odbcconf.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\msinfo32.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\perfhost.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\printui.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\wiaacmgr.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\ARP.EXE	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\cmdkey.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\ctfmon.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\dllhost.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\grpconv.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\InfDefaultInstall.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\SearchIndexer.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\at.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\colorcpl.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\dccw.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\WPDShextAutoplay.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\eventcreate.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\RMActivate.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\unlodctr.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\srdelayed.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\fltMC.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\print.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\setup16.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\ocsetup.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\instnm.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\wevtutil.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\cmmon32.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\help.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\icacls.exe	1_dispci.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\twunk_32.exe	1_dispci.exe
File opened for modification	C:\Windows\winhlp32.exe	1_dispci.exe
File opened for modification	C:\Windows\bfsvc.exe	1_dispci.exe
File opened for modification	C:\Windows\explorer.exe	1_dispci.exe
File opened for modification	C:\Windows\HelpPane.exe	1_dispci.exe
File opened for modification	C:\Windows\hh.exe	1_dispci.exe
File opened for modification	C:\Windows\splwow64.exe	1_dispci.exe
File opened for modification	C:\Windows\twunk_16.exe	1_dispci.exe
File opened for modification	C:\Windows\write.exe	1_dispci.exe
File opened for modification	C:\Windows\fveupdate.exe	1_dispci.exe
File opened for modification	C:\Windows\notepad.exe	1_dispci.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1556	1944	WerFault.exe	26

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1944 wrote to memory of 1556	1944	1_dispci.exe	28
PID 1944 wrote to memory of 1556	1944	1_dispci.exe	28
PID 1944 wrote to memory of 1556	1944	1_dispci.exe	28
PID 1944 wrote to memory of 1556	1944	1_dispci.exe	28

C:\Users\Admin\AppData\Local\Temp\1_dispci.exe
"C:\Users\Admin\AppData\Local\Temp\1_dispci.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1944
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1944 -s 164
  2⤵
  - Program crash
  PID:1556

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1944-55-0x0000000000320000-0x000000000037C000-memory.dmp

Filesize
368KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads