3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8

Analysis

max time kernel
153s
max time network
180s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06/11/2022, 22:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
Size

95KB
MD5

0d9d9c216addfc796a57d9291f321ad0
SHA1

9e561d635588d0a30acbd9813b4eb2cc9ada8372
SHA256

3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8
SHA512

c4affad755564f86cd911a8441e49843a384333bba743b89d6de1b434227ae9f495800139ceef35e73d3cf9957e2619ee11a80313d02f3d16f46e07e4a81fc55
SSDEEP

1536:JjCRsuBD3LTEvSBMjq6UjTkFrD+07JTX3io1CdO6RR8cQOFvPSMs02ruxZC1o:tWsSDT6U3m+oBSBpR8clKm2ruxZC1o

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\diskperf.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\mcbuilder.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\mountvol.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\Windows.WARP.JITService.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\extrac32.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\msra.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\net.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\pcaui.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\Windows.Media.BackgroundPlayback.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\WPDShextAutoplay.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\AtBroker.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\credwiz.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\resmon.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\wextract.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\iscsicpl.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\OpenWith.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\PackagedCWALauncher.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\PasswordOnWakeSettingFlyout.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\bootcfg.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\CameraSettingsUIHost.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\Dism.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\fltMC.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\relog.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\systray.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\UserAccountBroker.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\write.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\makecab.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\SystemPropertiesHardware.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\TRACERT.EXE	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\at.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\msdt.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\ndadmin.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\WSManHTTPConfig.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\wsmprovhost.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\CloudNotifications.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\iscsicli.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\netiougc.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\takeown.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\ctfmon.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\runas.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\rundll32.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\SearchProtocolHost.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\dpapimig.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\notepad.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\PresentationHost.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\fc.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\SearchFilterHost.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\WerFaultSecure.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\EaseOfAccessDialog.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\icsunattend.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\ReAgentc.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\sfc.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\edpnotify.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\Netplwiz.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\LaunchWinApp.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\RMActivate.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\xwizard.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\cttunesvr.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\eventcreate.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\find.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\instnm.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\SysWOW64\xcopy.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\explorer.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\HelpPane.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\hh.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\notepad.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\splwow64.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\winhlp32.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\write.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
File opened for modification	C:\Windows\bfsvc.exe	3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe

C:\Users\Admin\AppData\Local\Temp\3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe
"C:\Users\Admin\AppData\Local\Temp\3ad1cc5ba4e936b9190f0e58fbc94a168f88e6bb844b70ea44d9f89b89484cb8.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:3260

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3260-132-0x0000000001000000-0x000000000101AB00-memory.dmp

Filesize
106KB

Download
memory/3260-133-0x0000000001000000-0x000000000101AB00-memory.dmp

Filesize
106KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads