5d90d58a2bcafed9f24d6af70b74f55dc08db3d6efac0a002c05038b19d52f4d

Analysis

max time kernel
91s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 21:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5d90d58a2bcafed9f24d6af70b74f55dc08db3d6efac0a002c05038b19d52f4d.exe
Size

135KB
MD5

44cbc1ed36cb339c49d4131375e74060
SHA1

995760e4b37878dbe496219a48b1f1e073468159
SHA256

5d90d58a2bcafed9f24d6af70b74f55dc08db3d6efac0a002c05038b19d52f4d
SHA512

a8d82c8abfec9cc5a19196f0af1da94e6399d3e53882ef1f8b6ca0d9e9af721e4f32da99b9b335073088423d2f06f3dffc628dc9c5ca7b88c53d6709ae999b33
SSDEEP

3072:XY8VKtX8vUYyKGpPLi66H50nmNJQIaK8juK2cma/rM1aout:XhSyxuzi66HOeJZatjuZcmapoS

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

msprxysvc32.exe

pid process

2456 msprxysvc32.exe

pid	process
2456	msprxysvc32.exe

Drops file in System32 directory 4 IoCs

Processes:

5d90d58a2bcafed9f24d6af70b74f55dc08db3d6efac0a002c05038b19d52f4d.exemsprxysvc32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\msprxysvc32.exe	5d90d58a2bcafed9f24d6af70b74f55dc08db3d6efac0a002c05038b19d52f4d.exe
File opened for modification	C:\Windows\SysWOW64\msprxysvc32.exe	msprxysvc32.exe
File created	C:\Windows\SysWOW64\msprxysvc32.exe	msprxysvc32.exe
File created	C:\Windows\SysWOW64\msprxysvc32.exe	5d90d58a2bcafed9f24d6af70b74f55dc08db3d6efac0a002c05038b19d52f4d.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

5d90d58a2bcafed9f24d6af70b74f55dc08db3d6efac0a002c05038b19d52f4d.exemsprxysvc32.exe

description	pid	process	target process
PID 2680 wrote to memory of 2456	2680	5d90d58a2bcafed9f24d6af70b74f55dc08db3d6efac0a002c05038b19d52f4d.exe	msprxysvc32.exe
PID 2680 wrote to memory of 2456	2680	5d90d58a2bcafed9f24d6af70b74f55dc08db3d6efac0a002c05038b19d52f4d.exe	msprxysvc32.exe
PID 2680 wrote to memory of 2456	2680	5d90d58a2bcafed9f24d6af70b74f55dc08db3d6efac0a002c05038b19d52f4d.exe	msprxysvc32.exe
PID 2456 wrote to memory of 1808	2456	msprxysvc32.exe	cmd.exe
PID 2456 wrote to memory of 1808	2456	msprxysvc32.exe	cmd.exe
PID 2456 wrote to memory of 1808	2456	msprxysvc32.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\5d90d58a2bcafed9f24d6af70b74f55dc08db3d6efac0a002c05038b19d52f4d.exe
"C:\Users\Admin\AppData\Local\Temp\5d90d58a2bcafed9f24d6af70b74f55dc08db3d6efac0a002c05038b19d52f4d.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2680

C:\Windows\SysWOW64\msprxysvc32.exe
C:\Windows\system32\msprxysvc32.exe 1148 "C:\Users\Admin\AppData\Local\Temp\5d90d58a2bcafed9f24d6af70b74f55dc08db3d6efac0a002c05038b19d52f4d.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\del.bat C:\Windows\SysWOW64\msprxysvc32.exe
3⤵
PID:1808

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\del.bat
Filesize
136B

MD5
bfcf9cc6d1c37953dfa43312e2c36140

SHA1
07a4c0f29b282c34be24c312c4b920e479f4cee0

SHA256
bac7cce52aeba3a2e2ce2bb6aebf50ffa65530d0d51ca49a2abc7f4e43ce3ce5

SHA512
fb661474557e7168d4050607863b57649fa12a26ab9bd06078ae3254d003d76cfed4eac3d0a78a56eaf0ecc5b231d52788b6c8688cb14b0c86a37efe90f5f53a

Download Submit
C:\Windows\SysWOW64\msprxysvc32.exe
Filesize
135KB

MD5
44cbc1ed36cb339c49d4131375e74060

SHA1
995760e4b37878dbe496219a48b1f1e073468159

SHA256
5d90d58a2bcafed9f24d6af70b74f55dc08db3d6efac0a002c05038b19d52f4d

SHA512
a8d82c8abfec9cc5a19196f0af1da94e6399d3e53882ef1f8b6ca0d9e9af721e4f32da99b9b335073088423d2f06f3dffc628dc9c5ca7b88c53d6709ae999b33

Download Submit
C:\Windows\SysWOW64\msprxysvc32.exe
Filesize
135KB

MD5
44cbc1ed36cb339c49d4131375e74060

SHA1
995760e4b37878dbe496219a48b1f1e073468159

SHA256
5d90d58a2bcafed9f24d6af70b74f55dc08db3d6efac0a002c05038b19d52f4d

SHA512
a8d82c8abfec9cc5a19196f0af1da94e6399d3e53882ef1f8b6ca0d9e9af721e4f32da99b9b335073088423d2f06f3dffc628dc9c5ca7b88c53d6709ae999b33

Download Submit
memory/1808-138-0x0000000000000000-mapping.dmp

Download
memory/2456-133-0x0000000000000000-mapping.dmp

Download
memory/2456-136-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2456-139-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2680-132-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2680-137-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download