13f3aadb54003f8d2959fec43003e777bcee72f4ee968055f3ae5c5cca6bfabc

General

Target

13f3aadb54003f8d2959fec43003e777bcee72f4ee968055f3ae5c5cca6bfabc.exe
Size

69KB
MD5

5732c8ae08008427e81efb536e24e260
SHA1

6fab1b7b973d1e5fb96e803a640e5c1acc96cf91
SHA256

13f3aadb54003f8d2959fec43003e777bcee72f4ee968055f3ae5c5cca6bfabc
SHA512

e8995da3c4214820860424a42cbcd91d1a0acd5edaace6cd0889715973c8ccf7d690be80d6d33c9a4258f5ef5277078ba8723be1afcc2a05482c7fa161c1645f
SSDEEP

1536:Lka1259glbms205NpqRPKsxoDxb0ZsG7L:LkXnMq6KRPFqFb0ZsG7

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 64 IoCs

Processes:

13f3aadb54003f8d2959fec43003e777bcee72f4ee968055f3ae5c5cca6bfabc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\net1.exe	13f3aadb54003f8d2959fec43003e777bcee72f4ee968055f3ae5c5cca6bfabc.exe
File opened for modification	C:\Windows\SysWOW64\SystemPropertiesRemote.exe	13f3aadb54003f8d2959fec43003e777bcee72f4ee968055f3ae5c5cca6bfabc.exe
File opened for modification	C:\Windows\SysWOW64\wevtutil.exe	13f3aadb54003f8d2959fec43003e777bcee72f4ee968055f3ae5c5cca6bfabc.exe
File opened for modification	C:\Windows\SysWOW64\auditpol.exe	13f3aadb54003f8d2959fec43003e777bcee72f4ee968055f3ae5c5cca6bfabc.exe
File opened for modification	C:\Windows\SysWOW64\certutil.exe	13f3aadb54003f8d2959fec43003e777bcee72f4ee968055f3ae5c5cca6bfabc.exe
File opened for modification	C:\Windows\SysWOW64\cttunesvr.exe	13f3aadb54003f8d2959fec43003e777bcee72f4ee968055f3ae5c5cca6bfabc.exe
File opened for modification	C:\Windows\SysWOW64\recover.exe	13f3aadb54003f8d2959fec43003e777bcee72f4ee968055f3ae5c5cca6bfabc.exe
File opened for modification	C:\Windows\SysWOW64\tar.exe	13f3aadb54003f8d2959fec43003e777bcee72f4ee968055f3ae5c5cca6bfabc.exe
File opened for modification	C:\Windows\SysWOW64\ThumbnailExtractionHost.exe	13f3aadb54003f8d2959fec43003e777bcee72f4ee968055f3ae5c5cca6bfabc.exe
File opened for modification	C:\Windows\SysWOW64\tracerpt.exe	13f3aadb54003f8d2959fec43003e777bcee72f4ee968055f3ae5c5cca6bfabc.exe
File opened for modification	C:\Windows\SysWOW64\waitfor.exe	13f3aadb54003f8d2959fec43003e777bcee72f4ee968055f3ae5c5cca6bfabc.exe
File opened for modification	C:\Windows\SysWOW64\iscsicli.exe	13f3aadb54003f8d2959fec43003e777bcee72f4ee968055f3ae5c5cca6bfabc.exe
File opened for modification	C:\Windows\SysWOW64\lodctr.exe	13f3aadb54003f8d2959fec43003e777bcee72f4ee968055f3ae5c5cca6bfabc.exe
File opened for modification	C:\Windows\SysWOW64\netsh.exe	13f3aadb54003f8d2959fec43003e777bcee72f4ee968055f3ae5c5cca6bfabc.exe
File opened for modification	C:\Windows\SysWOW64\Windows.WARP.JITService.exe	13f3aadb54003f8d2959fec43003e777bcee72f4ee968055f3ae5c5cca6bfabc.exe
File opened for modification	C:\Windows\SysWOW64\esentutl.exe	13f3aadb54003f8d2959fec43003e777bcee72f4ee968055f3ae5c5cca6bfabc.exe
File opened for modification	C:\Windows\SysWOW64\LaunchTM.exe	13f3aadb54003f8d2959fec43003e777bcee72f4ee968055f3ae5c5cca6bfabc.exe
File opened for modification	C:\Windows\SysWOW64\ntprint.exe	13f3aadb54003f8d2959fec43003e777bcee72f4ee968055f3ae5c5cca6bfabc.exe
File opened for modification	C:\Windows\SysWOW64\sxstrace.exe	13f3aadb54003f8d2959fec43003e777bcee72f4ee968055f3ae5c5cca6bfabc.exe
File opened for modification	C:\Windows\SysWOW64\timeout.exe	13f3aadb54003f8d2959fec43003e777bcee72f4ee968055f3ae5c5cca6bfabc.exe
File opened for modification	C:\Windows\SysWOW64\CheckNetIsolation.exe	13f3aadb54003f8d2959fec43003e777bcee72f4ee968055f3ae5c5cca6bfabc.exe
File opened for modification	C:\Windows\SysWOW64\cmdkey.exe	13f3aadb54003f8d2959fec43003e777bcee72f4ee968055f3ae5c5cca6bfabc.exe
File opened for modification	C:\Windows\SysWOW64\cttune.exe	13f3aadb54003f8d2959fec43003e777bcee72f4ee968055f3ae5c5cca6bfabc.exe
File opened for modification	C:\Windows\SysWOW64\wowreg32.exe	13f3aadb54003f8d2959fec43003e777bcee72f4ee968055f3ae5c5cca6bfabc.exe
File opened for modification	C:\Windows\SysWOW64\wscript.exe	13f3aadb54003f8d2959fec43003e777bcee72f4ee968055f3ae5c5cca6bfabc.exe
File opened for modification	C:\Windows\SysWOW64\SpatialAudioLicenseSrv.exe	13f3aadb54003f8d2959fec43003e777bcee72f4ee968055f3ae5c5cca6bfabc.exe
File opened for modification	C:\Windows\SysWOW64\TSTheme.exe	13f3aadb54003f8d2959fec43003e777bcee72f4ee968055f3ae5c5cca6bfabc.exe
File opened for modification	C:\Windows\SysWOW64\userinit.exe	13f3aadb54003f8d2959fec43003e777bcee72f4ee968055f3ae5c5cca6bfabc.exe
File opened for modification	C:\Windows\SysWOW64\ByteCodeGenerator.exe	13f3aadb54003f8d2959fec43003e777bcee72f4ee968055f3ae5c5cca6bfabc.exe
File opened for modification	C:\Windows\SysWOW64\control.exe	13f3aadb54003f8d2959fec43003e777bcee72f4ee968055f3ae5c5cca6bfabc.exe
File opened for modification	C:\Windows\SysWOW64\makecab.exe	13f3aadb54003f8d2959fec43003e777bcee72f4ee968055f3ae5c5cca6bfabc.exe
File opened for modification	C:\Windows\SysWOW64\instnm.exe	13f3aadb54003f8d2959fec43003e777bcee72f4ee968055f3ae5c5cca6bfabc.exe
File opened for modification	C:\Windows\SysWOW64\cmd.exe	13f3aadb54003f8d2959fec43003e777bcee72f4ee968055f3ae5c5cca6bfabc.exe
File opened for modification	C:\Windows\SysWOW64\convert.exe	13f3aadb54003f8d2959fec43003e777bcee72f4ee968055f3ae5c5cca6bfabc.exe
File opened for modification	C:\Windows\SysWOW64\driverquery.exe	13f3aadb54003f8d2959fec43003e777bcee72f4ee968055f3ae5c5cca6bfabc.exe
File opened for modification	C:\Windows\SysWOW64\unregmp2.exe	13f3aadb54003f8d2959fec43003e777bcee72f4ee968055f3ae5c5cca6bfabc.exe
File opened for modification	C:\Windows\SysWOW64\cmmon32.exe	13f3aadb54003f8d2959fec43003e777bcee72f4ee968055f3ae5c5cca6bfabc.exe
File opened for modification	C:\Windows\SysWOW64\iexpress.exe	13f3aadb54003f8d2959fec43003e777bcee72f4ee968055f3ae5c5cca6bfabc.exe
File opened for modification	C:\Windows\SysWOW64\RdpSaUacHelper.exe	13f3aadb54003f8d2959fec43003e777bcee72f4ee968055f3ae5c5cca6bfabc.exe
File opened for modification	C:\Windows\SysWOW64\mshta.exe	13f3aadb54003f8d2959fec43003e777bcee72f4ee968055f3ae5c5cca6bfabc.exe
File opened for modification	C:\Windows\SysWOW64\backgroundTaskHost.exe	13f3aadb54003f8d2959fec43003e777bcee72f4ee968055f3ae5c5cca6bfabc.exe
File opened for modification	C:\Windows\SysWOW64\chkntfs.exe	13f3aadb54003f8d2959fec43003e777bcee72f4ee968055f3ae5c5cca6bfabc.exe
File opened for modification	C:\Windows\SysWOW64\ctfmon.exe	13f3aadb54003f8d2959fec43003e777bcee72f4ee968055f3ae5c5cca6bfabc.exe
File opened for modification	C:\Windows\SysWOW64\sdchange.exe	13f3aadb54003f8d2959fec43003e777bcee72f4ee968055f3ae5c5cca6bfabc.exe
File opened for modification	C:\Windows\SysWOW64\SearchFilterHost.exe	13f3aadb54003f8d2959fec43003e777bcee72f4ee968055f3ae5c5cca6bfabc.exe
File opened for modification	C:\Windows\SysWOW64\SystemPropertiesDataExecutionPrevention.exe	13f3aadb54003f8d2959fec43003e777bcee72f4ee968055f3ae5c5cca6bfabc.exe
File opened for modification	C:\Windows\SysWOW64\EhStorAuthn.exe	13f3aadb54003f8d2959fec43003e777bcee72f4ee968055f3ae5c5cca6bfabc.exe
File opened for modification	C:\Windows\SysWOW64\gpresult.exe	13f3aadb54003f8d2959fec43003e777bcee72f4ee968055f3ae5c5cca6bfabc.exe
File opened for modification	C:\Windows\SysWOW64\OposHost.exe	13f3aadb54003f8d2959fec43003e777bcee72f4ee968055f3ae5c5cca6bfabc.exe
File opened for modification	C:\Windows\SysWOW64\WerFaultSecure.exe	13f3aadb54003f8d2959fec43003e777bcee72f4ee968055f3ae5c5cca6bfabc.exe
File opened for modification	C:\Windows\SysWOW64\mmc.exe	13f3aadb54003f8d2959fec43003e777bcee72f4ee968055f3ae5c5cca6bfabc.exe
File opened for modification	C:\Windows\SysWOW64\print.exe	13f3aadb54003f8d2959fec43003e777bcee72f4ee968055f3ae5c5cca6bfabc.exe
File opened for modification	C:\Windows\SysWOW64\systray.exe	13f3aadb54003f8d2959fec43003e777bcee72f4ee968055f3ae5c5cca6bfabc.exe
File opened for modification	C:\Windows\SysWOW64\sc.exe	13f3aadb54003f8d2959fec43003e777bcee72f4ee968055f3ae5c5cca6bfabc.exe
File opened for modification	C:\Windows\SysWOW64\verifiergui.exe	13f3aadb54003f8d2959fec43003e777bcee72f4ee968055f3ae5c5cca6bfabc.exe
File opened for modification	C:\Windows\SysWOW64\doskey.exe	13f3aadb54003f8d2959fec43003e777bcee72f4ee968055f3ae5c5cca6bfabc.exe
File opened for modification	C:\Windows\SysWOW64\perfhost.exe	13f3aadb54003f8d2959fec43003e777bcee72f4ee968055f3ae5c5cca6bfabc.exe
File opened for modification	C:\Windows\SysWOW64\regini.exe	13f3aadb54003f8d2959fec43003e777bcee72f4ee968055f3ae5c5cca6bfabc.exe
File opened for modification	C:\Windows\SysWOW64\shutdown.exe	13f3aadb54003f8d2959fec43003e777bcee72f4ee968055f3ae5c5cca6bfabc.exe
File opened for modification	C:\Windows\SysWOW64\SndVol.exe	13f3aadb54003f8d2959fec43003e777bcee72f4ee968055f3ae5c5cca6bfabc.exe
File opened for modification	C:\Windows\SysWOW64\unlodctr.exe	13f3aadb54003f8d2959fec43003e777bcee72f4ee968055f3ae5c5cca6bfabc.exe
File opened for modification	C:\Windows\SysWOW64\cipher.exe	13f3aadb54003f8d2959fec43003e777bcee72f4ee968055f3ae5c5cca6bfabc.exe
File opened for modification	C:\Windows\SysWOW64\ipconfig.exe	13f3aadb54003f8d2959fec43003e777bcee72f4ee968055f3ae5c5cca6bfabc.exe
File opened for modification	C:\Windows\SysWOW64\msinfo32.exe	13f3aadb54003f8d2959fec43003e777bcee72f4ee968055f3ae5c5cca6bfabc.exe

Drops file in Windows directory 8 IoCs

Processes:

13f3aadb54003f8d2959fec43003e777bcee72f4ee968055f3ae5c5cca6bfabc.exe

description	ioc	process
File opened for modification	C:\Windows\notepad.exe	13f3aadb54003f8d2959fec43003e777bcee72f4ee968055f3ae5c5cca6bfabc.exe
File opened for modification	C:\Windows\splwow64.exe	13f3aadb54003f8d2959fec43003e777bcee72f4ee968055f3ae5c5cca6bfabc.exe
File opened for modification	C:\Windows\winhlp32.exe	13f3aadb54003f8d2959fec43003e777bcee72f4ee968055f3ae5c5cca6bfabc.exe
File opened for modification	C:\Windows\write.exe	13f3aadb54003f8d2959fec43003e777bcee72f4ee968055f3ae5c5cca6bfabc.exe
File opened for modification	C:\Windows\bfsvc.exe	13f3aadb54003f8d2959fec43003e777bcee72f4ee968055f3ae5c5cca6bfabc.exe
File opened for modification	C:\Windows\explorer.exe	13f3aadb54003f8d2959fec43003e777bcee72f4ee968055f3ae5c5cca6bfabc.exe
File opened for modification	C:\Windows\HelpPane.exe	13f3aadb54003f8d2959fec43003e777bcee72f4ee968055f3ae5c5cca6bfabc.exe
File opened for modification	C:\Windows\hh.exe	13f3aadb54003f8d2959fec43003e777bcee72f4ee968055f3ae5c5cca6bfabc.exe

C:\Users\Admin\AppData\Local\Temp\13f3aadb54003f8d2959fec43003e777bcee72f4ee968055f3ae5c5cca6bfabc.exe
"C:\Users\Admin\AppData\Local\Temp\13f3aadb54003f8d2959fec43003e777bcee72f4ee968055f3ae5c5cca6bfabc.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:4308

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4308-132-0x0000000001000000-0x0000000001015B00-memory.dmp

Filesize
86KB

Download
memory/4308-133-0x0000000001000000-0x0000000001015B00-memory.dmp

Filesize
86KB

Download

Analysis

Sharing