1b5bd11dc1f70206bbd084bb99000794367d91604611ebbc241c5402bbff52a8

Analysis

max time kernel
72s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
27/10/2022, 17:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1_dispci.exe
Size

145KB
MD5

729aac64b0cb298a7c3b8afd79579cec
SHA1

63f4f51922b8f3c45606c8b3c2a8f8d06b0a15c4
SHA256

1b5bd11dc1f70206bbd084bb99000794367d91604611ebbc241c5402bbff52a8
SHA512

594982198a545152b2e1858f0cc3dc769ee161579a3b3f61f290f7123aeab29d22dc97c82d21559f35e66b7c0eb7a777a2e9a0125b189961497f0f95f2a20df9
SSDEEP

3072:RkeK/MwGT0834YW3pvyh8fcl/iL62iL6KK:2n/MZd4YW3pvyxl/ini

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\runonce.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\efsui.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\ftp.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\RdpSa.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\autoconv.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\dtdump.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\Netplwiz.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\cmmon32.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\label.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\net1.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\print.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\whoami.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\wevtutil.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\AtBroker.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\curl.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\MuiUnattend.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\relog.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\RMActivate_ssp_isv.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\tasklist.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\agentactivationruntimestarter.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\certutil.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\instnm.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\msdt.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\regini.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\DevicePairingWizard.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\msra.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\SystemPropertiesComputerName.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\unlodctr.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\winver.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\wscript.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\CheckNetIsolation.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\fc.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\RdpSaProxy.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\diskpart.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\eventcreate.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\help.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\logman.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\gpupdate.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\RdpSaUacHelper.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\resmon.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\cleanmgr.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\EaseOfAccessDialog.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\PackagedCWALauncher.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\getmac.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\netbtugc.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\NetCfgNotifyObjectHost.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\newdev.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\RMActivate.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\dvdplay.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\sdiagnhost.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\systeminfo.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\w32tm.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\Windows.Media.BackgroundPlayback.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\Windows.WARP.JITService.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\ByteCodeGenerator.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\pcaui.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\secinit.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\chkntfs.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\appidtel.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\NETSTAT.EXE	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\Robocopy.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\wlanext.exe	1_dispci.exe
File opened for modification	C:\Windows\SysWOW64\cmd.exe	1_dispci.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\splwow64.exe	1_dispci.exe
File opened for modification	C:\Windows\winhlp32.exe	1_dispci.exe
File opened for modification	C:\Windows\write.exe	1_dispci.exe
File opened for modification	C:\Windows\bfsvc.exe	1_dispci.exe
File opened for modification	C:\Windows\explorer.exe	1_dispci.exe
File opened for modification	C:\Windows\HelpPane.exe	1_dispci.exe
File opened for modification	C:\Windows\hh.exe	1_dispci.exe
File opened for modification	C:\Windows\notepad.exe	1_dispci.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4984	4024	WerFault.exe	81

C:\Users\Admin\AppData\Local\Temp\1_dispci.exe
"C:\Users\Admin\AppData\Local\Temp\1_dispci.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:4024
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 448
  2⤵
  - Program crash
  PID:4984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4024 -ip 4024
1⤵
PID:4036

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4024-135-0x00000000007E0000-0x000000000083C000-memory.dmp

Filesize
368KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads