77a7954d869a2b2cad474c03f35e032dcae85ecc2c9c14ae5d9c792cb76bcd1f

Analysis

max time kernel
160s
max time network
177s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30-10-2022 08:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

77a7954d869a2b2cad474c03f35e032dcae85ecc2c9c14ae5d9c792cb76bcd1f.exe
Size

22KB
MD5

5398dec8a7f56e001869dfa3acf64de0
SHA1

434c2834db73043445f6e7df1bbd084ce3bdbbd6
SHA256

77a7954d869a2b2cad474c03f35e032dcae85ecc2c9c14ae5d9c792cb76bcd1f
SHA512

24891dec9ed7c4af6b323125d70d6679d8bcf7b14bc0ce0a864f6317b0998894e951ac07eb5c9af74bc426a0f5e37034c65f8f3962a2afeffa28d7943a2e78ce
SSDEEP

384:PGCSeWyRaH6dJ09myKovqdxIKPNGB8Pi+orNTbt:eycadJnyC4GNGqa+orNTb

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4644	livrew.exe
2764	livrew.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
9	checkip.dyndns.org

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1580 set thread context of 4740	1580	77a7954d869a2b2cad474c03f35e032dcae85ecc2c9c14ae5d9c792cb76bcd1f.exe	81
PID 4644 set thread context of 2764	4644	livrew.exe	83

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1580 wrote to memory of 4740	1580	77a7954d869a2b2cad474c03f35e032dcae85ecc2c9c14ae5d9c792cb76bcd1f.exe	81
PID 1580 wrote to memory of 4740	1580	77a7954d869a2b2cad474c03f35e032dcae85ecc2c9c14ae5d9c792cb76bcd1f.exe	81
PID 1580 wrote to memory of 4740	1580	77a7954d869a2b2cad474c03f35e032dcae85ecc2c9c14ae5d9c792cb76bcd1f.exe	81
PID 1580 wrote to memory of 4740	1580	77a7954d869a2b2cad474c03f35e032dcae85ecc2c9c14ae5d9c792cb76bcd1f.exe	81
PID 1580 wrote to memory of 4740	1580	77a7954d869a2b2cad474c03f35e032dcae85ecc2c9c14ae5d9c792cb76bcd1f.exe	81
PID 1580 wrote to memory of 4740	1580	77a7954d869a2b2cad474c03f35e032dcae85ecc2c9c14ae5d9c792cb76bcd1f.exe	81
PID 1580 wrote to memory of 4740	1580	77a7954d869a2b2cad474c03f35e032dcae85ecc2c9c14ae5d9c792cb76bcd1f.exe	81
PID 4740 wrote to memory of 4644	4740	77a7954d869a2b2cad474c03f35e032dcae85ecc2c9c14ae5d9c792cb76bcd1f.exe	82
PID 4740 wrote to memory of 4644	4740	77a7954d869a2b2cad474c03f35e032dcae85ecc2c9c14ae5d9c792cb76bcd1f.exe	82
PID 4740 wrote to memory of 4644	4740	77a7954d869a2b2cad474c03f35e032dcae85ecc2c9c14ae5d9c792cb76bcd1f.exe	82
PID 4644 wrote to memory of 2764	4644	livrew.exe	83
PID 4644 wrote to memory of 2764	4644	livrew.exe	83
PID 4644 wrote to memory of 2764	4644	livrew.exe	83
PID 4644 wrote to memory of 2764	4644	livrew.exe	83
PID 4644 wrote to memory of 2764	4644	livrew.exe	83
PID 4644 wrote to memory of 2764	4644	livrew.exe	83
PID 4644 wrote to memory of 2764	4644	livrew.exe	83

C:\Users\Admin\AppData\Local\Temp\77a7954d869a2b2cad474c03f35e032dcae85ecc2c9c14ae5d9c792cb76bcd1f.exe
"C:\Users\Admin\AppData\Local\Temp\77a7954d869a2b2cad474c03f35e032dcae85ecc2c9c14ae5d9c792cb76bcd1f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1580
- C:\Users\Admin\AppData\Local\Temp\77a7954d869a2b2cad474c03f35e032dcae85ecc2c9c14ae5d9c792cb76bcd1f.exe
  "C:\Users\Admin\AppData\Local\Temp\77a7954d869a2b2cad474c03f35e032dcae85ecc2c9c14ae5d9c792cb76bcd1f.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4740
- - C:\Users\Admin\AppData\Local\Temp\livrew.exe
    C:\Users\Admin\AppData\Local\Temp\livrew.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4644
  - - C:\Users\Admin\AppData\Local\Temp\livrew.exe
      C:\Users\Admin\AppData\Local\Temp\livrew.exe
      4⤵
      Executes dropped EXE
      PID:2764

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\liva8BA5.log

Filesize
206B

MD5
2a59c56692c87ed0a4215073ab689ac3

SHA1
f3571ec85c5c842eb2bd44d09d3a075918f53273

SHA256
f8341709b7bad1afb44c2160eda6a751cd3953cd9131f92993e3be6a0463c67d

SHA512
cde71da9d17fd3f8fbe90b8e731e5461d4837f18c7eb095d70060cb0ab3922daad4ec268e69e72d2e5f33c4cdcbc4a9d945d4e418150d69ab8bcdf61d253f03b

Download Submit
C:\Users\Admin\AppData\Local\Temp\livrew.exe

Filesize
22KB

MD5
5398dec8a7f56e001869dfa3acf64de0

SHA1
434c2834db73043445f6e7df1bbd084ce3bdbbd6

SHA256
77a7954d869a2b2cad474c03f35e032dcae85ecc2c9c14ae5d9c792cb76bcd1f

SHA512
24891dec9ed7c4af6b323125d70d6679d8bcf7b14bc0ce0a864f6317b0998894e951ac07eb5c9af74bc426a0f5e37034c65f8f3962a2afeffa28d7943a2e78ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\livrew.exe

Filesize
22KB

MD5
5398dec8a7f56e001869dfa3acf64de0

SHA1
434c2834db73043445f6e7df1bbd084ce3bdbbd6

SHA256
77a7954d869a2b2cad474c03f35e032dcae85ecc2c9c14ae5d9c792cb76bcd1f

SHA512
24891dec9ed7c4af6b323125d70d6679d8bcf7b14bc0ce0a864f6317b0998894e951ac07eb5c9af74bc426a0f5e37034c65f8f3962a2afeffa28d7943a2e78ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\livrew.exe

Filesize
22KB

MD5
5398dec8a7f56e001869dfa3acf64de0

SHA1
434c2834db73043445f6e7df1bbd084ce3bdbbd6

SHA256
77a7954d869a2b2cad474c03f35e032dcae85ecc2c9c14ae5d9c792cb76bcd1f

SHA512
24891dec9ed7c4af6b323125d70d6679d8bcf7b14bc0ce0a864f6317b0998894e951ac07eb5c9af74bc426a0f5e37034c65f8f3962a2afeffa28d7943a2e78ce

Download Submit
memory/4740-133-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/4740-135-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download