a817463fd38c2a4777ae939aaf38e20d598daa433ee3f15751172bbdd3511e3f

Analysis

max time kernel
133s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30-10-2022 19:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a817463fd38c2a4777ae939aaf38e20d598daa433ee3f15751172bbdd3511e3f.exe
Size

486KB
MD5

82e26266e7cbb2ef668071b81c4b3b90
SHA1

f5f502f6da83e73305b9b2b1af260823dd1e8f04
SHA256

a817463fd38c2a4777ae939aaf38e20d598daa433ee3f15751172bbdd3511e3f
SHA512

537b990fd2b3422f51d40a9ee861d4e81633bcb43de1f0a954be6228a93a456ba93e31b63d2cde018db970ab4e4b399f6a6a65a4a54ab2fb3e131a16357024f0
SSDEEP

12288:l+z1FQ1sVlEtKB7EAY6160cjpv4DQFu/U3buRKlemZ9DnGAeVQnII:KLQeEtKBAI1PsKQII

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4804	wmiprvse.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\~tmp.bat	wmiprvse.exe
File opened for modification	C:\Windows\SysWOW64\wmiprvse.exe	cmd.exe
File created	C:\Windows\SysWOW64\wmiprvse.exe	cmd.exe
File created	C:\Windows\SysWOW64\wmiprvse.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\wmiprvse.exe	cmd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4964	WmiPrvSE.exe
4964	WmiPrvSE.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 2004	1960	a817463fd38c2a4777ae939aaf38e20d598daa433ee3f15751172bbdd3511e3f.exe	80
PID 1960 wrote to memory of 2004	1960	a817463fd38c2a4777ae939aaf38e20d598daa433ee3f15751172bbdd3511e3f.exe	80
PID 1960 wrote to memory of 2004	1960	a817463fd38c2a4777ae939aaf38e20d598daa433ee3f15751172bbdd3511e3f.exe	80
PID 2004 wrote to memory of 4804	2004	cmd.exe	82
PID 2004 wrote to memory of 4804	2004	cmd.exe	82
PID 2004 wrote to memory of 4804	2004	cmd.exe	82
PID 4804 wrote to memory of 4516	4804	wmiprvse.exe	83
PID 4804 wrote to memory of 4516	4804	wmiprvse.exe	83
PID 4804 wrote to memory of 4516	4804	wmiprvse.exe	83
PID 4516 wrote to memory of 4964	4516	cmd.exe	85
PID 4516 wrote to memory of 4964	4516	cmd.exe	85
PID 4516 wrote to memory of 4964	4516	cmd.exe	85

C:\Users\Admin\AppData\Local\Temp\a817463fd38c2a4777ae939aaf38e20d598daa433ee3f15751172bbdd3511e3f.exe
"C:\Users\Admin\AppData\Local\Temp\a817463fd38c2a4777ae939aaf38e20d598daa433ee3f15751172bbdd3511e3f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~tmp.bat
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Windows\SysWOW64\wmiprvse.exe
    wmiprvse.exe C:\Users\Admin\AppData\Local\Temp\~tmp.bat
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4804
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\~tmp.bat
      4⤵
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4516
    - - C:\Windows\SysWOW64\Wbem\WmiPrvSE.exe
        
        wmiprvse.exe C:\Windows\SysWOW64\~tmp.bat
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4964

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~tmp.bat

Filesize
663B

MD5
9d6e87e9115ae185084025efee476846

SHA1
ff9070b828638bc7f2daca17e71ebca0764c8d22

SHA256
b12613c21ef77aa744509b0573b676f993ca482b0d5f5800af5a45d5f40a9c38

SHA512
f908de46210dd77af793181a18d7b00ff5cc63e3d25a0af116ec2e511bee6854226d9e48574969b5101e58ec4eac39d99f6bcf507c6ed1cb765bef03ef8ba89e

Download Submit
C:\Windows\SysWOW64\wmiprvse.exe

Filesize
486KB

MD5
82e26266e7cbb2ef668071b81c4b3b90

SHA1
f5f502f6da83e73305b9b2b1af260823dd1e8f04

SHA256
a817463fd38c2a4777ae939aaf38e20d598daa433ee3f15751172bbdd3511e3f

SHA512
537b990fd2b3422f51d40a9ee861d4e81633bcb43de1f0a954be6228a93a456ba93e31b63d2cde018db970ab4e4b399f6a6a65a4a54ab2fb3e131a16357024f0

Download Submit
C:\Windows\SysWOW64\wmiprvse.exe

Filesize
486KB

MD5
82e26266e7cbb2ef668071b81c4b3b90

SHA1
f5f502f6da83e73305b9b2b1af260823dd1e8f04

SHA256
a817463fd38c2a4777ae939aaf38e20d598daa433ee3f15751172bbdd3511e3f

SHA512
537b990fd2b3422f51d40a9ee861d4e81633bcb43de1f0a954be6228a93a456ba93e31b63d2cde018db970ab4e4b399f6a6a65a4a54ab2fb3e131a16357024f0

Download Submit
C:\Windows\SysWOW64\~tmp.bat

Filesize
439B

MD5
95f4e77b851624c4b6b13494bcb0ab1a

SHA1
3d3843654e3394090e37382010e43d47e1a4355c

SHA256
cf6112d20a4804283517bcea4491a8273b44d63a5978e87cdf2aae2f9ed61411

SHA512
fe348734b540f6a694bd7b23f33f0f929aa97e8aa525b680fb90e820038ddbfa4127c3d96f2011729d24ac3312b17c3ef14af9e365a824300e2a56eefffd167c

Download Submit
memory/2004-132-0x0000000000000000-mapping.dmp

Download
memory/4516-137-0x0000000000000000-mapping.dmp

Download
memory/4804-134-0x0000000000000000-mapping.dmp

Download
memory/4964-139-0x0000000000000000-mapping.dmp

Download