27288dea1bc136e81b3edbcb28899d3fc98b7308d37b86a481b50e8619ee1e4b

Analysis

max time kernel
140s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
21/11/2022, 11:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

27288dea1bc136e81b3edbcb28899d3fc98b7308d37b86a481b50e8619ee1e4b.exe
Size

50KB
MD5

14631d9c8f1aa8755620bfc6c282b6f5
SHA1

4c58f005760bb59bde475af8b6b5de921c766252
SHA256

27288dea1bc136e81b3edbcb28899d3fc98b7308d37b86a481b50e8619ee1e4b
SHA512

1504eeee5bd0296b2fa8ca5014047e01b2ec9da218a0390d4349417634a3ff7af41c8ac9b8b7a73c9fe9954e289e30ec28434b3fcfaab93dac9016331fbe7b8c
SSDEEP

768:16DsHA4Dp1vbx1ptLbFWvW/++UnBZc4qNfFbpc6:1Hrp1v1/tvFWvWwng4qNfFbph

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\finger.exe	27288dea1bc136e81b3edbcb28899d3fc98b7308d37b86a481b50e8619ee1e4b.exe
File opened for modification	C:\Windows\SysWOW64\fixmapi.exe	27288dea1bc136e81b3edbcb28899d3fc98b7308d37b86a481b50e8619ee1e4b.exe
File opened for modification	C:\Windows\SysWOW64\setx.exe	27288dea1bc136e81b3edbcb28899d3fc98b7308d37b86a481b50e8619ee1e4b.exe
File opened for modification	C:\Windows\SysWOW64\wscadminui.exe	27288dea1bc136e81b3edbcb28899d3fc98b7308d37b86a481b50e8619ee1e4b.exe
File opened for modification	C:\Windows\SysWOW64\xcopy.exe	27288dea1bc136e81b3edbcb28899d3fc98b7308d37b86a481b50e8619ee1e4b.exe
File opened for modification	C:\Windows\SysWOW64\esentutl.exe	27288dea1bc136e81b3edbcb28899d3fc98b7308d37b86a481b50e8619ee1e4b.exe
File opened for modification	C:\Windows\SysWOW64\SystemPropertiesRemote.exe	27288dea1bc136e81b3edbcb28899d3fc98b7308d37b86a481b50e8619ee1e4b.exe
File opened for modification	C:\Windows\SysWOW64\Utilman.exe	27288dea1bc136e81b3edbcb28899d3fc98b7308d37b86a481b50e8619ee1e4b.exe
File opened for modification	C:\Windows\SysWOW64\BackgroundTransferHost.exe	27288dea1bc136e81b3edbcb28899d3fc98b7308d37b86a481b50e8619ee1e4b.exe
File opened for modification	C:\Windows\SysWOW64\ByteCodeGenerator.exe	27288dea1bc136e81b3edbcb28899d3fc98b7308d37b86a481b50e8619ee1e4b.exe
File opened for modification	C:\Windows\SysWOW64\calc.exe	27288dea1bc136e81b3edbcb28899d3fc98b7308d37b86a481b50e8619ee1e4b.exe
File opened for modification	C:\Windows\SysWOW64\tcmsetup.exe	27288dea1bc136e81b3edbcb28899d3fc98b7308d37b86a481b50e8619ee1e4b.exe
File opened for modification	C:\Windows\SysWOW64\tzutil.exe	27288dea1bc136e81b3edbcb28899d3fc98b7308d37b86a481b50e8619ee1e4b.exe
File opened for modification	C:\Windows\SysWOW64\winver.exe	27288dea1bc136e81b3edbcb28899d3fc98b7308d37b86a481b50e8619ee1e4b.exe
File opened for modification	C:\Windows\SysWOW64\colorcpl.exe	27288dea1bc136e81b3edbcb28899d3fc98b7308d37b86a481b50e8619ee1e4b.exe
File opened for modification	C:\Windows\SysWOW64\find.exe	27288dea1bc136e81b3edbcb28899d3fc98b7308d37b86a481b50e8619ee1e4b.exe
File opened for modification	C:\Windows\SysWOW64\gpresult.exe	27288dea1bc136e81b3edbcb28899d3fc98b7308d37b86a481b50e8619ee1e4b.exe
File opened for modification	C:\Windows\SysWOW64\mfpmp.exe	27288dea1bc136e81b3edbcb28899d3fc98b7308d37b86a481b50e8619ee1e4b.exe
File opened for modification	C:\Windows\SysWOW64\mstsc.exe	27288dea1bc136e81b3edbcb28899d3fc98b7308d37b86a481b50e8619ee1e4b.exe
File opened for modification	C:\Windows\SysWOW64\sdchange.exe	27288dea1bc136e81b3edbcb28899d3fc98b7308d37b86a481b50e8619ee1e4b.exe
File opened for modification	C:\Windows\SysWOW64\Windows.WARP.JITService.exe	27288dea1bc136e81b3edbcb28899d3fc98b7308d37b86a481b50e8619ee1e4b.exe
File opened for modification	C:\Windows\SysWOW64\netbtugc.exe	27288dea1bc136e81b3edbcb28899d3fc98b7308d37b86a481b50e8619ee1e4b.exe
File opened for modification	C:\Windows\SysWOW64\RunLegacyCPLElevated.exe	27288dea1bc136e81b3edbcb28899d3fc98b7308d37b86a481b50e8619ee1e4b.exe
File opened for modification	C:\Windows\SysWOW64\cmstp.exe	27288dea1bc136e81b3edbcb28899d3fc98b7308d37b86a481b50e8619ee1e4b.exe
File opened for modification	C:\Windows\SysWOW64\expand.exe	27288dea1bc136e81b3edbcb28899d3fc98b7308d37b86a481b50e8619ee1e4b.exe
File opened for modification	C:\Windows\SysWOW64\ndadmin.exe	27288dea1bc136e81b3edbcb28899d3fc98b7308d37b86a481b50e8619ee1e4b.exe
File opened for modification	C:\Windows\SysWOW64\powercfg.exe	27288dea1bc136e81b3edbcb28899d3fc98b7308d37b86a481b50e8619ee1e4b.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe	27288dea1bc136e81b3edbcb28899d3fc98b7308d37b86a481b50e8619ee1e4b.exe
File opened for modification	C:\Windows\SysWOW64\WerFaultSecure.exe	27288dea1bc136e81b3edbcb28899d3fc98b7308d37b86a481b50e8619ee1e4b.exe
File opened for modification	C:\Windows\SysWOW64\DevicePairingWizard.exe	27288dea1bc136e81b3edbcb28899d3fc98b7308d37b86a481b50e8619ee1e4b.exe
File opened for modification	C:\Windows\SysWOW64\OposHost.exe	27288dea1bc136e81b3edbcb28899d3fc98b7308d37b86a481b50e8619ee1e4b.exe
File opened for modification	C:\Windows\SysWOW64\poqexec.exe	27288dea1bc136e81b3edbcb28899d3fc98b7308d37b86a481b50e8619ee1e4b.exe
File opened for modification	C:\Windows\SysWOW64\relog.exe	27288dea1bc136e81b3edbcb28899d3fc98b7308d37b86a481b50e8619ee1e4b.exe
File opened for modification	C:\Windows\SysWOW64\RpcPing.exe	27288dea1bc136e81b3edbcb28899d3fc98b7308d37b86a481b50e8619ee1e4b.exe
File opened for modification	C:\Windows\SysWOW64\SearchFilterHost.exe	27288dea1bc136e81b3edbcb28899d3fc98b7308d37b86a481b50e8619ee1e4b.exe
File opened for modification	C:\Windows\SysWOW64\appidtel.exe	27288dea1bc136e81b3edbcb28899d3fc98b7308d37b86a481b50e8619ee1e4b.exe
File opened for modification	C:\Windows\SysWOW64\cmmon32.exe	27288dea1bc136e81b3edbcb28899d3fc98b7308d37b86a481b50e8619ee1e4b.exe
File opened for modification	C:\Windows\SysWOW64\extrac32.exe	27288dea1bc136e81b3edbcb28899d3fc98b7308d37b86a481b50e8619ee1e4b.exe
File opened for modification	C:\Windows\SysWOW64\sdiagnhost.exe	27288dea1bc136e81b3edbcb28899d3fc98b7308d37b86a481b50e8619ee1e4b.exe
File opened for modification	C:\Windows\SysWOW64\autoconv.exe	27288dea1bc136e81b3edbcb28899d3fc98b7308d37b86a481b50e8619ee1e4b.exe
File opened for modification	C:\Windows\SysWOW64\ddodiag.exe	27288dea1bc136e81b3edbcb28899d3fc98b7308d37b86a481b50e8619ee1e4b.exe
File opened for modification	C:\Windows\SysWOW64\EaseOfAccessDialog.exe	27288dea1bc136e81b3edbcb28899d3fc98b7308d37b86a481b50e8619ee1e4b.exe
File opened for modification	C:\Windows\SysWOW64\help.exe	27288dea1bc136e81b3edbcb28899d3fc98b7308d37b86a481b50e8619ee1e4b.exe
File opened for modification	C:\Windows\SysWOW64\dllhost.exe	27288dea1bc136e81b3edbcb28899d3fc98b7308d37b86a481b50e8619ee1e4b.exe
File opened for modification	C:\Windows\SysWOW64\Fondue.exe	27288dea1bc136e81b3edbcb28899d3fc98b7308d37b86a481b50e8619ee1e4b.exe
File opened for modification	C:\Windows\SysWOW64\fontview.exe	27288dea1bc136e81b3edbcb28899d3fc98b7308d37b86a481b50e8619ee1e4b.exe
File opened for modification	C:\Windows\SysWOW64\iscsicli.exe	27288dea1bc136e81b3edbcb28899d3fc98b7308d37b86a481b50e8619ee1e4b.exe
File opened for modification	C:\Windows\SysWOW64\msfeedssync.exe	27288dea1bc136e81b3edbcb28899d3fc98b7308d37b86a481b50e8619ee1e4b.exe
File opened for modification	C:\Windows\SysWOW64\WWAHost.exe	27288dea1bc136e81b3edbcb28899d3fc98b7308d37b86a481b50e8619ee1e4b.exe
File opened for modification	C:\Windows\SysWOW64\wlanext.exe	27288dea1bc136e81b3edbcb28899d3fc98b7308d37b86a481b50e8619ee1e4b.exe
File opened for modification	C:\Windows\SysWOW64\compact.exe	27288dea1bc136e81b3edbcb28899d3fc98b7308d37b86a481b50e8619ee1e4b.exe
File opened for modification	C:\Windows\SysWOW64\grpconv.exe	27288dea1bc136e81b3edbcb28899d3fc98b7308d37b86a481b50e8619ee1e4b.exe
File opened for modification	C:\Windows\SysWOW64\NetCfgNotifyObjectHost.exe	27288dea1bc136e81b3edbcb28899d3fc98b7308d37b86a481b50e8619ee1e4b.exe
File opened for modification	C:\Windows\SysWOW64\notepad.exe	27288dea1bc136e81b3edbcb28899d3fc98b7308d37b86a481b50e8619ee1e4b.exe
File opened for modification	C:\Windows\SysWOW64\SystemUWPLauncher.exe	27288dea1bc136e81b3edbcb28899d3fc98b7308d37b86a481b50e8619ee1e4b.exe
File opened for modification	C:\Windows\SysWOW64\tar.exe	27288dea1bc136e81b3edbcb28899d3fc98b7308d37b86a481b50e8619ee1e4b.exe
File opened for modification	C:\Windows\SysWOW64\WinRTNetMUAHostServer.exe	27288dea1bc136e81b3edbcb28899d3fc98b7308d37b86a481b50e8619ee1e4b.exe
File opened for modification	C:\Windows\SysWOW64\wusa.exe	27288dea1bc136e81b3edbcb28899d3fc98b7308d37b86a481b50e8619ee1e4b.exe
File opened for modification	C:\Windows\SysWOW64\CertEnrollCtrl.exe	27288dea1bc136e81b3edbcb28899d3fc98b7308d37b86a481b50e8619ee1e4b.exe
File opened for modification	C:\Windows\SysWOW64\Dism.exe	27288dea1bc136e81b3edbcb28899d3fc98b7308d37b86a481b50e8619ee1e4b.exe
File opened for modification	C:\Windows\SysWOW64\rrinstaller.exe	27288dea1bc136e81b3edbcb28899d3fc98b7308d37b86a481b50e8619ee1e4b.exe
File opened for modification	C:\Windows\SysWOW64\taskkill.exe	27288dea1bc136e81b3edbcb28899d3fc98b7308d37b86a481b50e8619ee1e4b.exe
File opened for modification	C:\Windows\SysWOW64\w32tm.exe	27288dea1bc136e81b3edbcb28899d3fc98b7308d37b86a481b50e8619ee1e4b.exe
File opened for modification	C:\Windows\SysWOW64\label.exe	27288dea1bc136e81b3edbcb28899d3fc98b7308d37b86a481b50e8619ee1e4b.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\notepad.exe	27288dea1bc136e81b3edbcb28899d3fc98b7308d37b86a481b50e8619ee1e4b.exe
File opened for modification	C:\Windows\splwow64.exe	27288dea1bc136e81b3edbcb28899d3fc98b7308d37b86a481b50e8619ee1e4b.exe
File opened for modification	C:\Windows\winhlp32.exe	27288dea1bc136e81b3edbcb28899d3fc98b7308d37b86a481b50e8619ee1e4b.exe
File opened for modification	C:\Windows\write.exe	27288dea1bc136e81b3edbcb28899d3fc98b7308d37b86a481b50e8619ee1e4b.exe
File opened for modification	C:\Windows\bfsvc.exe	27288dea1bc136e81b3edbcb28899d3fc98b7308d37b86a481b50e8619ee1e4b.exe
File opened for modification	C:\Windows\explorer.exe	27288dea1bc136e81b3edbcb28899d3fc98b7308d37b86a481b50e8619ee1e4b.exe
File opened for modification	C:\Windows\HelpPane.exe	27288dea1bc136e81b3edbcb28899d3fc98b7308d37b86a481b50e8619ee1e4b.exe
File opened for modification	C:\Windows\hh.exe	27288dea1bc136e81b3edbcb28899d3fc98b7308d37b86a481b50e8619ee1e4b.exe

C:\Users\Admin\AppData\Local\Temp\27288dea1bc136e81b3edbcb28899d3fc98b7308d37b86a481b50e8619ee1e4b.exe
"C:\Users\Admin\AppData\Local\Temp\27288dea1bc136e81b3edbcb28899d3fc98b7308d37b86a481b50e8619ee1e4b.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:4464

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4464-132-0x0000000001000000-0x0000000001010B00-memory.dmp

Filesize
66KB

Download
memory/4464-133-0x0000000001000000-0x0000000001010B00-memory.dmp

Filesize
66KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads