24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a

General

Target

24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
Size

190KB
MD5

478b42fc215e77e8df7f1076997cef90
SHA1

3c003a79b27d40d43bd3397899b7721362386489
SHA256

24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a
SHA512

9a333a449f5f0fc980c108965258e03ed5e474257fbfd5dc863ff1e010137e092ac74f3ce75d321e032c12ca6d4a4d0a9e0a619e37f70effcbe1bd5d8da51a68
SSDEEP

1536:hFQUNc8MvC/tLDgb0Y/fFdMi1sNiYB+7+uDhX7jquzQF4yKXMtzkIW8PQqyKUAKx:hZi8MvC4h0i1sNiYBOjKD

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 64 IoCs

Processes:

24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\driverquery.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\getmac.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\Fondue.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\msinfo32.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\OposHost.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\SystemPropertiesProtection.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\tcmsetup.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\wscadminui.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\DWWIN.EXE	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\fltMC.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\wextract.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\lodctr.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\MuiUnattend.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\PING.EXE	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\SystemPropertiesHardware.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\credwiz.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\DpiScaling.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\hdwwiz.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\netiougc.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\regsvr32.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\secinit.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\wusa.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\CertEnrollCtrl.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\curl.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\forfiles.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\instnm.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\PasswordOnWakeSettingFlyout.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\subst.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\winrs.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\winver.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\cmdkey.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\cmdl32.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\setupugc.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\logman.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\print.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\poqexec.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\regini.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\RMActivate_ssp.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\Robocopy.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\comp.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\eventvwr.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\odbcconf.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\control.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\netsh.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\GamePanel.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\relog.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\calc.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\findstr.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\compact.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\icacls.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\Netplwiz.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\unlodctr.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\whoami.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\certutil.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\fontdrvhost.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\rasphone.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\RmClient.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\SyncHost.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\CameraSettingsUIHost.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\netbtugc.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\GameBarPresenceWriter.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\auditpol.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\fontview.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\SysWOW64\psr.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe

Drops file in Windows directory 8 IoCs

Processes:

24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe

description	ioc	process
File opened for modification	C:\Windows\winhlp32.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\write.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\bfsvc.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\explorer.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\HelpPane.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\hh.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\notepad.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
File opened for modification	C:\Windows\splwow64.exe	24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe

C:\Users\Admin\AppData\Local\Temp\24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe
"C:\Users\Admin\AppData\Local\Temp\24548b92ec4f70b65e0ae9e2c3639305f78f057166c897a5da60e04dd0e7932a.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:4308

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4308-132-0x0000000001000000-0x0000000001032B00-memory.dmp

Filesize
202KB

Download
memory/4308-133-0x0000000001000000-0x0000000001032B00-memory.dmp

Filesize
202KB

Download

Analysis

Sharing