49429b46cffe231634c066f380a8e71f9848b146ec8b2d7d09c5088ca7229524

Analysis

max time kernel
38s
max time network
47s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
28/10/2022, 23:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

49429b46cffe231634c066f380a8e71f9848b146ec8b2d7d09c5088ca7229524.exe
Size

97KB
MD5

0ab46b0e94ad190ce48b9810c8234704
SHA1

60f24dd942af56539c184b9f00e690e70ab10e2b
SHA256

49429b46cffe231634c066f380a8e71f9848b146ec8b2d7d09c5088ca7229524
SHA512

994ffa9e039468fecd483fe62405b2b2fe5ad302db469d85ca14febde7125a3cf0ca7b6ef3bc06050acac45eb5a3199facb4c809b3e9273c1b669dbd1252fb73
SSDEEP

3072:p2Qdxtd+EidEJTklav8i4zQsZlTNO6wsBQrfSeznFow:plBd+NdE4hZxsQBQueznx

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4956	6CE7.exe

Loads dropped DLL 1 IoCs

pid	Process
4956	6CE7.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\MSWINSCK.OCX	49429b46cffe231634c066f380a8e71f9848b146ec8b2d7d09c5088ca7229524.exe
File opened for modification	C:\Windows\SysWOW64\6CE7.exe	49429b46cffe231634c066f380a8e71f9848b146ec8b2d7d09c5088ca7229524.exe

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer	6CE7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}	6CE7.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}	6CE7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ = "Microsoft WinSock Control, version 6.0"	6CE7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ = "C:\\Windows\\SysWow64\\MSWINSCK.OCX"	6CE7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\ = "Microsoft WinSock Control, version 6.0"	6CE7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32	6CE7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ThreadingModel = "Apartment"	6CE7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock	6CE7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CLSID	6CE7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CLSID\ = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"	6CE7.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5044	49429b46cffe231634c066f380a8e71f9848b146ec8b2d7d09c5088ca7229524.exe
4956	6CE7.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5044 wrote to memory of 5088	5044	49429b46cffe231634c066f380a8e71f9848b146ec8b2d7d09c5088ca7229524.exe	85
PID 5044 wrote to memory of 5088	5044	49429b46cffe231634c066f380a8e71f9848b146ec8b2d7d09c5088ca7229524.exe	85
PID 5044 wrote to memory of 5088	5044	49429b46cffe231634c066f380a8e71f9848b146ec8b2d7d09c5088ca7229524.exe	85
PID 5088 wrote to memory of 4956	5088	cmd.exe	84
PID 5088 wrote to memory of 4956	5088	cmd.exe	84
PID 5088 wrote to memory of 4956	5088	cmd.exe	84

C:\Users\Admin\AppData\Local\Temp\49429b46cffe231634c066f380a8e71f9848b146ec8b2d7d09c5088ca7229524.exe
"C:\Users\Admin\AppData\Local\Temp\49429b46cffe231634c066f380a8e71f9848b146ec8b2d7d09c5088ca7229524.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5044
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\system32\6CE7.exe eee
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5088

C:\Windows\SysWOW64\6CE7.exe
C:\Windows\system32\6CE7.exe eee
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4956

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\6CE7.exe

Filesize
79KB

MD5
4cfe520ef2ccf215eea8f0b32a378274

SHA1
75e52a7e5e99eca7771ded2da6be5ca3d1c295b1

SHA256
ae00fb198a9f69fc3cd944b8ac30edd2fa51632b9adf4d160eb5e47ed1f9de14

SHA512
29f54cfd0c79ab51124e4f78166d9464bc892d910c0eb6645864f24756398df585a7ffcd2342c08b2e6d516c0e7bcaaa8928440dfbe37626bdc4d215ac85321f

Download Submit
C:\Windows\SysWOW64\6CE7.exe

Filesize
77KB

MD5
7ec5d0a5438111b04a97ced024c97721

SHA1
04d009356adbe632c59b7f5b0f3b22336cf45307

SHA256
9f60b890f4db5a32fded8f93cd2dea7b0f1c7f1c62ef86068de846fd8577815b

SHA512
a575b54883ccc9cda92ae55e9e7bc87911e20e48c72e70c0821df00895879d8c00121cd676d17eb1735be40585afd73d4e63083c1bb4f0c3337799a5ed4c10e4

Download Submit
C:\Windows\SysWOW64\MSWINSCK.OCX

Filesize
26KB

MD5
1622699249aeaf4458b282a5d355cb8d

SHA1
11970d9cfcfc23a39f5466ac9c8227b9aa9ae3a0

SHA256
904c48a0d393ef7be9f6b82d53e4f17ed61f0017d47351409b294e34bde3fbb2

SHA512
f26a61775f59330b2ce4825131d0d0ea5a916b1c3d0f86ac9adc76f5a5c2e558f160c3e1f778d5a78c627a4ba49d0773cc196d0a9262a96e01376b442080488d

Download Submit
C:\Windows\SysWOW64\MSWINSCK.OCX

Filesize
45KB

MD5
c0cde851294169fa8b69054f0308e80e

SHA1
7bd2f4863b29a27f1d19bb353750150d83d01c07

SHA256
ee93267ced371b38c37449fe8d1a8fbd5bfdfef8b6a2bfc09873037aa3eccf4f

SHA512
4250063517a0b0ac69ad77245a4d1deff091c7106dfc0efc08b535decb4ec1b18ebce0876a499841727a3662f57e6708db40215fc15cdeaeef9508407c2942dd

Download Submit
C:\Windows\SysWOW64\MSWINSCK.OCX

Filesize
57KB

MD5
7810a108e1b99467d8df25840d8acf18

SHA1
da688bc42910be09a228238af61f37c0bc120608

SHA256
9f7985b7a25db09d9af544f963bca8596fd6f2065824696ed05dbb4c595529b8

SHA512
36afbcdec9fe7ff5cd6e3d6b262e1924a6ac0ff7a2d8c2d0411feca3141ebccc79982d2929b86fb6d6313c913d2e4384443c96c4cdd4cbb310eeee3bf1d62cc9

Download Submit
memory/5044-132-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download