09a9c82eb27fc4c2e4d3ab900c28ee8cf965a820feba038f9d35e152f20ae88f

Analysis

max time kernel
112s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 21:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

09a9c82eb27fc4c2e4d3ab900c28ee8cf965a820feba038f9d35e152f20ae88f.exe
Size

135KB
MD5

454eb113b7baf3c60d1ae087060b23e0
SHA1

6a6e707dca4f7f659f25f4c158ffb38dff63fa9c
SHA256

09a9c82eb27fc4c2e4d3ab900c28ee8cf965a820feba038f9d35e152f20ae88f
SHA512

5fe6761172ead7e821fe80fdbc66a200ddb3947d043bd11163efe1a046f269094406c1f1463e2109c7fd317cf6bb89ca89c847f9d889e5ac0788e89b515e0d2a
SSDEEP

3072:l2Cs3JEXlIi4a+1QbteqHBggxn5Sbz6lVNgT7vnSR/Svout:ACruEe4zY56IoS

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

msprxysvc32.exe

pid process

5032 msprxysvc32.exe

pid	process
5032	msprxysvc32.exe

Drops file in System32 directory 4 IoCs

Processes:

09a9c82eb27fc4c2e4d3ab900c28ee8cf965a820feba038f9d35e152f20ae88f.exemsprxysvc32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\msprxysvc32.exe	09a9c82eb27fc4c2e4d3ab900c28ee8cf965a820feba038f9d35e152f20ae88f.exe
File opened for modification	C:\Windows\SysWOW64\msprxysvc32.exe	09a9c82eb27fc4c2e4d3ab900c28ee8cf965a820feba038f9d35e152f20ae88f.exe
File opened for modification	C:\Windows\SysWOW64\msprxysvc32.exe	msprxysvc32.exe
File created	C:\Windows\SysWOW64\msprxysvc32.exe	msprxysvc32.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

09a9c82eb27fc4c2e4d3ab900c28ee8cf965a820feba038f9d35e152f20ae88f.exemsprxysvc32.exe

description	pid	process	target process
PID 5036 wrote to memory of 5032	5036	09a9c82eb27fc4c2e4d3ab900c28ee8cf965a820feba038f9d35e152f20ae88f.exe	msprxysvc32.exe
PID 5036 wrote to memory of 5032	5036	09a9c82eb27fc4c2e4d3ab900c28ee8cf965a820feba038f9d35e152f20ae88f.exe	msprxysvc32.exe
PID 5036 wrote to memory of 5032	5036	09a9c82eb27fc4c2e4d3ab900c28ee8cf965a820feba038f9d35e152f20ae88f.exe	msprxysvc32.exe
PID 5032 wrote to memory of 5064	5032	msprxysvc32.exe	cmd.exe
PID 5032 wrote to memory of 5064	5032	msprxysvc32.exe	cmd.exe
PID 5032 wrote to memory of 5064	5032	msprxysvc32.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\09a9c82eb27fc4c2e4d3ab900c28ee8cf965a820feba038f9d35e152f20ae88f.exe
"C:\Users\Admin\AppData\Local\Temp\09a9c82eb27fc4c2e4d3ab900c28ee8cf965a820feba038f9d35e152f20ae88f.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5036

C:\Windows\SysWOW64\msprxysvc32.exe
C:\Windows\system32\msprxysvc32.exe 1072 "C:\Users\Admin\AppData\Local\Temp\09a9c82eb27fc4c2e4d3ab900c28ee8cf965a820feba038f9d35e152f20ae88f.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\del.bat C:\Windows\SysWOW64\msprxysvc32.exe
3⤵
PID:5064

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\del.bat

Filesize
136B

MD5
bfcf9cc6d1c37953dfa43312e2c36140

SHA1
07a4c0f29b282c34be24c312c4b920e479f4cee0

SHA256
bac7cce52aeba3a2e2ce2bb6aebf50ffa65530d0d51ca49a2abc7f4e43ce3ce5

SHA512
fb661474557e7168d4050607863b57649fa12a26ab9bd06078ae3254d003d76cfed4eac3d0a78a56eaf0ecc5b231d52788b6c8688cb14b0c86a37efe90f5f53a

Download Submit
C:\Windows\SysWOW64\msprxysvc32.exe

Filesize
135KB

MD5
454eb113b7baf3c60d1ae087060b23e0

SHA1
6a6e707dca4f7f659f25f4c158ffb38dff63fa9c

SHA256
09a9c82eb27fc4c2e4d3ab900c28ee8cf965a820feba038f9d35e152f20ae88f

SHA512
5fe6761172ead7e821fe80fdbc66a200ddb3947d043bd11163efe1a046f269094406c1f1463e2109c7fd317cf6bb89ca89c847f9d889e5ac0788e89b515e0d2a

Download Submit
C:\Windows\SysWOW64\msprxysvc32.exe

Filesize
135KB

MD5
454eb113b7baf3c60d1ae087060b23e0

SHA1
6a6e707dca4f7f659f25f4c158ffb38dff63fa9c

SHA256
09a9c82eb27fc4c2e4d3ab900c28ee8cf965a820feba038f9d35e152f20ae88f

SHA512
5fe6761172ead7e821fe80fdbc66a200ddb3947d043bd11163efe1a046f269094406c1f1463e2109c7fd317cf6bb89ca89c847f9d889e5ac0788e89b515e0d2a

Download Submit
memory/5032-133-0x0000000000000000-mapping.dmp

Download
memory/5032-137-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/5032-139-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/5036-132-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/5036-136-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/5064-138-0x0000000000000000-mapping.dmp

Download