3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8

Analysis

max time kernel
23s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06-11-2022 22:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
Size

95KB
MD5

0d9d9c216addfc796a57d9291f321ad0
SHA1

9e561d635588d0a30acbd9813b4eb2cc9ada8372
SHA256

3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8
SHA512

c4affad755564f86cd911a8441e49843a384333bba743b89d6de1b434227ae9f495800139ceef35e73d3cf9957e2619ee11a80313d02f3d16f46e07e4a81fc55
SSDEEP

1536:JjCRsuBD3LTEvSBMjq6UjTkFrD+07JTX3io1CdO6RR8cQOFvPSMs02ruxZC1o:tWsSDT6U3m+oBSBpR8clKm2ruxZC1o

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\label.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\replace.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\sdbinst.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\sdiagnhost.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\SystemPropertiesHardware.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\diskperf.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\fixmapi.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\isoburn.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\SystemPropertiesDataExecutionPrevention.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\wlanext.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\wsmprovhost.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\systray.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\autoconv.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\cipher.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\cmstp.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\mshta.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\RpcPing.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\subst.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\charmap.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\dvdplay.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\ROUTE.EXE	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\sc.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\schtasks.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\whoami.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\relog.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\rrinstaller.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\tracerpt.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\AtBroker.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\bitsadmin.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\poqexec.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\verifier.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\dllhst3g.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\mobsync.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\mtstocom.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\raserver.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\cmmon32.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\net1.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\rasautou.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\rundll32.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\wiaacmgr.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\write.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\wimserv.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\iscsicli.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\regedt32.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\sethc.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\waitfor.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\fsutil.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\logagent.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\MRINFO.EXE	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\net.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\wininit.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\ARP.EXE	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\cttunesvr.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\dcomcnfg.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\dllhost.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\eventvwr.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\PATHPING.EXE	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\control.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\ftp.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\odbcconf.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\print.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\at.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\colorcpl.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\bfsvc.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\explorer.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\HelpPane.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\twunk_32.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\winhlp32.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\write.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\fveupdate.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\hh.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\notepad.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\splwow64.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\twunk_16.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe

C:\Users\Admin\AppData\Local\Temp\3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
"C:\Users\Admin\AppData\Local\Temp\3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:960

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/960-54-0x0000000001000000-0x000000000101AB00-memory.dmp

Filesize
106KB

Download
memory/960-55-0x0000000001000000-0x000000000101AB00-memory.dmp

Filesize
106KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads