a1b0c167b517be5738c7722d858a870a28958367d4c270f143d43bad3ec993c2

Analysis

max time kernel
161s
max time network
175s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2022 11:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a1b0c167b517be5738c7722d858a870a28958367d4c270f143d43bad3ec993c2.exe
Size

75KB
MD5

11ac8d88d94e91fdf36e922b220e7860
SHA1

56634b91fc28b83e1a302b2a6a722294669b80de
SHA256

a1b0c167b517be5738c7722d858a870a28958367d4c270f143d43bad3ec993c2
SHA512

8bab546ca2c07526ad88db91a362abfcdee6ac25ce86e08591db7e344a8e77f9deafddd8d476d0525f70616e24c9f7880bf2756c70ec8c4c97971e99f7373bb1
SSDEEP

1536:ZVL3K7SPCsp3i7UamMGoXB4fmyYK4K9wBw6R42:rK7Sqsp3RanBXq5Yi9I4

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\EhStorAuthn.exe	a1b0c167b517be5738c7722d858a870a28958367d4c270f143d43bad3ec993c2.exe
File opened for modification	C:\Windows\SysWOW64\setupugc.exe	a1b0c167b517be5738c7722d858a870a28958367d4c270f143d43bad3ec993c2.exe
File opened for modification	C:\Windows\SysWOW64\Utilman.exe	a1b0c167b517be5738c7722d858a870a28958367d4c270f143d43bad3ec993c2.exe
File opened for modification	C:\Windows\SysWOW64\write.exe	a1b0c167b517be5738c7722d858a870a28958367d4c270f143d43bad3ec993c2.exe
File opened for modification	C:\Windows\SysWOW64\DWWIN.EXE	a1b0c167b517be5738c7722d858a870a28958367d4c270f143d43bad3ec993c2.exe
File opened for modification	C:\Windows\SysWOW64\WSManHTTPConfig.exe	a1b0c167b517be5738c7722d858a870a28958367d4c270f143d43bad3ec993c2.exe
File opened for modification	C:\Windows\SysWOW64\rasautou.exe	a1b0c167b517be5738c7722d858a870a28958367d4c270f143d43bad3ec993c2.exe
File opened for modification	C:\Windows\SysWOW64\SndVol.exe	a1b0c167b517be5738c7722d858a870a28958367d4c270f143d43bad3ec993c2.exe
File opened for modification	C:\Windows\SysWOW64\agentactivationruntimestarter.exe	a1b0c167b517be5738c7722d858a870a28958367d4c270f143d43bad3ec993c2.exe
File opened for modification	C:\Windows\SysWOW64\dfrgui.exe	a1b0c167b517be5738c7722d858a870a28958367d4c270f143d43bad3ec993c2.exe
File opened for modification	C:\Windows\SysWOW64\ktmutil.exe	a1b0c167b517be5738c7722d858a870a28958367d4c270f143d43bad3ec993c2.exe
File opened for modification	C:\Windows\SysWOW64\label.exe	a1b0c167b517be5738c7722d858a870a28958367d4c270f143d43bad3ec993c2.exe
File opened for modification	C:\Windows\SysWOW64\at.exe	a1b0c167b517be5738c7722d858a870a28958367d4c270f143d43bad3ec993c2.exe
File opened for modification	C:\Windows\SysWOW64\resmon.exe	a1b0c167b517be5738c7722d858a870a28958367d4c270f143d43bad3ec993c2.exe
File opened for modification	C:\Windows\SysWOW64\RpcPing.exe	a1b0c167b517be5738c7722d858a870a28958367d4c270f143d43bad3ec993c2.exe
File opened for modification	C:\Windows\SysWOW64\wscadminui.exe	a1b0c167b517be5738c7722d858a870a28958367d4c270f143d43bad3ec993c2.exe
File opened for modification	C:\Windows\SysWOW64\clip.exe	a1b0c167b517be5738c7722d858a870a28958367d4c270f143d43bad3ec993c2.exe
File opened for modification	C:\Windows\SysWOW64\OposHost.exe	a1b0c167b517be5738c7722d858a870a28958367d4c270f143d43bad3ec993c2.exe
File opened for modification	C:\Windows\SysWOW64\SystemUWPLauncher.exe	a1b0c167b517be5738c7722d858a870a28958367d4c270f143d43bad3ec993c2.exe
File opened for modification	C:\Windows\SysWOW64\grpconv.exe	a1b0c167b517be5738c7722d858a870a28958367d4c270f143d43bad3ec993c2.exe
File opened for modification	C:\Windows\SysWOW64\makecab.exe	a1b0c167b517be5738c7722d858a870a28958367d4c270f143d43bad3ec993c2.exe
File opened for modification	C:\Windows\SysWOW64\mtstocom.exe	a1b0c167b517be5738c7722d858a870a28958367d4c270f143d43bad3ec993c2.exe
File opened for modification	C:\Windows\SysWOW64\stordiag.exe	a1b0c167b517be5738c7722d858a870a28958367d4c270f143d43bad3ec993c2.exe
File opened for modification	C:\Windows\SysWOW64\edpnotify.exe	a1b0c167b517be5738c7722d858a870a28958367d4c270f143d43bad3ec993c2.exe
File opened for modification	C:\Windows\SysWOW64\fc.exe	a1b0c167b517be5738c7722d858a870a28958367d4c270f143d43bad3ec993c2.exe
File opened for modification	C:\Windows\SysWOW64\msinfo32.exe	a1b0c167b517be5738c7722d858a870a28958367d4c270f143d43bad3ec993c2.exe
File opened for modification	C:\Windows\SysWOW64\rasdial.exe	a1b0c167b517be5738c7722d858a870a28958367d4c270f143d43bad3ec993c2.exe
File opened for modification	C:\Windows\SysWOW64\OneDriveSetup.exe	a1b0c167b517be5738c7722d858a870a28958367d4c270f143d43bad3ec993c2.exe
File opened for modification	C:\Windows\SysWOW64\powercfg.exe	a1b0c167b517be5738c7722d858a870a28958367d4c270f143d43bad3ec993c2.exe
File opened for modification	C:\Windows\SysWOW64\SystemPropertiesProtection.exe	a1b0c167b517be5738c7722d858a870a28958367d4c270f143d43bad3ec993c2.exe
File opened for modification	C:\Windows\SysWOW64\cmdkey.exe	a1b0c167b517be5738c7722d858a870a28958367d4c270f143d43bad3ec993c2.exe
File opened for modification	C:\Windows\SysWOW64\extrac32.exe	a1b0c167b517be5738c7722d858a870a28958367d4c270f143d43bad3ec993c2.exe
File opened for modification	C:\Windows\SysWOW64\help.exe	a1b0c167b517be5738c7722d858a870a28958367d4c270f143d43bad3ec993c2.exe
File opened for modification	C:\Windows\SysWOW64\logman.exe	a1b0c167b517be5738c7722d858a870a28958367d4c270f143d43bad3ec993c2.exe
File opened for modification	C:\Windows\SysWOW64\proquota.exe	a1b0c167b517be5738c7722d858a870a28958367d4c270f143d43bad3ec993c2.exe
File opened for modification	C:\Windows\SysWOW64\regedt32.exe	a1b0c167b517be5738c7722d858a870a28958367d4c270f143d43bad3ec993c2.exe
File opened for modification	C:\Windows\SysWOW64\wecutil.exe	a1b0c167b517be5738c7722d858a870a28958367d4c270f143d43bad3ec993c2.exe
File opened for modification	C:\Windows\SysWOW64\winver.exe	a1b0c167b517be5738c7722d858a870a28958367d4c270f143d43bad3ec993c2.exe
File opened for modification	C:\Windows\SysWOW64\runas.exe	a1b0c167b517be5738c7722d858a870a28958367d4c270f143d43bad3ec993c2.exe
File opened for modification	C:\Windows\SysWOW64\TCPSVCS.EXE	a1b0c167b517be5738c7722d858a870a28958367d4c270f143d43bad3ec993c2.exe
File opened for modification	C:\Windows\SysWOW64\fltMC.exe	a1b0c167b517be5738c7722d858a870a28958367d4c270f143d43bad3ec993c2.exe
File opened for modification	C:\Windows\SysWOW64\mountvol.exe	a1b0c167b517be5738c7722d858a870a28958367d4c270f143d43bad3ec993c2.exe
File opened for modification	C:\Windows\SysWOW64\net1.exe	a1b0c167b517be5738c7722d858a870a28958367d4c270f143d43bad3ec993c2.exe
File opened for modification	C:\Windows\SysWOW64\RdpSaProxy.exe	a1b0c167b517be5738c7722d858a870a28958367d4c270f143d43bad3ec993c2.exe
File opened for modification	C:\Windows\SysWOW64\ddodiag.exe	a1b0c167b517be5738c7722d858a870a28958367d4c270f143d43bad3ec993c2.exe
File opened for modification	C:\Windows\SysWOW64\MuiUnattend.exe	a1b0c167b517be5738c7722d858a870a28958367d4c270f143d43bad3ec993c2.exe
File opened for modification	C:\Windows\SysWOW64\PickerHost.exe	a1b0c167b517be5738c7722d858a870a28958367d4c270f143d43bad3ec993c2.exe
File opened for modification	C:\Windows\SysWOW64\RMActivate_ssp_isv.exe	a1b0c167b517be5738c7722d858a870a28958367d4c270f143d43bad3ec993c2.exe
File opened for modification	C:\Windows\SysWOW64\sdbinst.exe	a1b0c167b517be5738c7722d858a870a28958367d4c270f143d43bad3ec993c2.exe
File opened for modification	C:\Windows\SysWOW64\AtBroker.exe	a1b0c167b517be5738c7722d858a870a28958367d4c270f143d43bad3ec993c2.exe
File opened for modification	C:\Windows\SysWOW64\dllhst3g.exe	a1b0c167b517be5738c7722d858a870a28958367d4c270f143d43bad3ec993c2.exe
File opened for modification	C:\Windows\SysWOW64\dpapimig.exe	a1b0c167b517be5738c7722d858a870a28958367d4c270f143d43bad3ec993c2.exe
File opened for modification	C:\Windows\SysWOW64\regsvr32.exe	a1b0c167b517be5738c7722d858a870a28958367d4c270f143d43bad3ec993c2.exe
File opened for modification	C:\Windows\SysWOW64\print.exe	a1b0c167b517be5738c7722d858a870a28958367d4c270f143d43bad3ec993c2.exe
File opened for modification	C:\Windows\SysWOW64\SystemPropertiesRemote.exe	a1b0c167b517be5738c7722d858a870a28958367d4c270f143d43bad3ec993c2.exe
File opened for modification	C:\Windows\SysWOW64\where.exe	a1b0c167b517be5738c7722d858a870a28958367d4c270f143d43bad3ec993c2.exe
File opened for modification	C:\Windows\SysWOW64\ftp.exe	a1b0c167b517be5738c7722d858a870a28958367d4c270f143d43bad3ec993c2.exe
File opened for modification	C:\Windows\SysWOW64\netiougc.exe	a1b0c167b517be5738c7722d858a870a28958367d4c270f143d43bad3ec993c2.exe
File opened for modification	C:\Windows\SysWOW64\odbcconf.exe	a1b0c167b517be5738c7722d858a870a28958367d4c270f143d43bad3ec993c2.exe
File opened for modification	C:\Windows\SysWOW64\perfmon.exe	a1b0c167b517be5738c7722d858a870a28958367d4c270f143d43bad3ec993c2.exe
File opened for modification	C:\Windows\SysWOW64\InputSwitchToastHandler.exe	a1b0c167b517be5738c7722d858a870a28958367d4c270f143d43bad3ec993c2.exe
File opened for modification	C:\Windows\SysWOW64\psr.exe	a1b0c167b517be5738c7722d858a870a28958367d4c270f143d43bad3ec993c2.exe
File opened for modification	C:\Windows\SysWOW64\taskkill.exe	a1b0c167b517be5738c7722d858a870a28958367d4c270f143d43bad3ec993c2.exe
File opened for modification	C:\Windows\SysWOW64\Windows.WARP.JITService.exe	a1b0c167b517be5738c7722d858a870a28958367d4c270f143d43bad3ec993c2.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\HelpPane.exe	a1b0c167b517be5738c7722d858a870a28958367d4c270f143d43bad3ec993c2.exe
File opened for modification	C:\Windows\hh.exe	a1b0c167b517be5738c7722d858a870a28958367d4c270f143d43bad3ec993c2.exe
File opened for modification	C:\Windows\notepad.exe	a1b0c167b517be5738c7722d858a870a28958367d4c270f143d43bad3ec993c2.exe
File opened for modification	C:\Windows\splwow64.exe	a1b0c167b517be5738c7722d858a870a28958367d4c270f143d43bad3ec993c2.exe
File opened for modification	C:\Windows\winhlp32.exe	a1b0c167b517be5738c7722d858a870a28958367d4c270f143d43bad3ec993c2.exe
File opened for modification	C:\Windows\write.exe	a1b0c167b517be5738c7722d858a870a28958367d4c270f143d43bad3ec993c2.exe
File opened for modification	C:\Windows\bfsvc.exe	a1b0c167b517be5738c7722d858a870a28958367d4c270f143d43bad3ec993c2.exe
File opened for modification	C:\Windows\explorer.exe	a1b0c167b517be5738c7722d858a870a28958367d4c270f143d43bad3ec993c2.exe

C:\Users\Admin\AppData\Local\Temp\a1b0c167b517be5738c7722d858a870a28958367d4c270f143d43bad3ec993c2.exe
"C:\Users\Admin\AppData\Local\Temp\a1b0c167b517be5738c7722d858a870a28958367d4c270f143d43bad3ec993c2.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:4976

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4976-132-0x0000000001000000-0x0000000001015B00-memory.dmp

Filesize
86KB

Download
memory/4976-133-0x0000000001000000-0x0000000001015B00-memory.dmp

Filesize
86KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads