24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a

General

Target

24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
Size

190KB
MD5

478b42fc215e77e8df7f1076997cef90
SHA1

3c003a79b27d40d43bd3397899b7721362386489
SHA256

24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a
SHA512

9a333a449f5f0fc980c108965258e03ed5e474257fbfd5dc863ff1e010137e092ac74f3ce75d321e032c12ca6d4a4d0a9e0a619e37f70effcbe1bd5d8da51a68
SSDEEP

1536:hFQUNc8MvC/tLDgb0Y/fFdMi1sNiYB+7+uDhX7jquzQF4yKXMtzkIW8PQqyKUAKx:hZi8MvC4h0i1sNiYBOjKD

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 64 IoCs

Processes:

24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\mountvol.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\sc.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\unregmp2.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\wevtutil.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\winrs.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\auditpol.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\msinfo32.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\ntkrnlpa.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\resmon.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\whoami.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\wscript.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\mshta.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\fsutil.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\iscsicli.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\replace.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\AdapterTroubleshooter.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\systeminfo.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\TapiUnattend.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\tcmsetup.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\w32tm.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\net.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\ReAgentc.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\SecEdit.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\syskey.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\dfrgui.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\dvdupgrd.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\mfpmp.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\reg.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\tzutil.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\wecutil.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\convert.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\ndadmin.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\recover.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\TRACERT.EXE	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\mmc.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\proquota.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\RegisterIEPKEYs.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\chkntfs.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\DevicePairingWizard.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\diantz.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\eventvwr.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\msfeedssync.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\net1.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\newdev.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\rdrleakdiag.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\autofmt.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\ipconfig.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\logagent.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\rrinstaller.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\verifier.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\autochk.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\tracerpt.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\user.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\write.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\rekeywiz.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\osk.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\relog.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\Utilman.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\icsunattend.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\expand.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\find.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\ktmutil.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\SearchProtocolHost.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\taskeng.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe

Drops file in Windows directory 11 IoCs

Processes:

24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe

description	ioc	process
File opened for modification	C:\Windows\explorer.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\fveupdate.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\notepad.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\splwow64.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\winhlp32.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\bfsvc.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\HelpPane.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\hh.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\twunk_16.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\twunk_32.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\write.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe

C:\Users\Admin\AppData\Local\Temp\24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
"C:\Users\Admin\AppData\Local\Temp\24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:816

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/816-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download
memory/816-55-0x0000000001000000-0x0000000001032B00-memory.dmp

Filesize
202KB

Download
memory/816-56-0x0000000001000000-0x0000000001032B00-memory.dmp

Filesize
202KB

Download

Analysis

Sharing