1cfa54299d3be09313c74210256a97438abfd1d48834af7b04d14bd4290a8383

Analysis

max time kernel
147s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
27/11/2022, 13:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1cfa54299d3be09313c74210256a97438abfd1d48834af7b04d14bd4290a8383.exe
Size

28KB
MD5

53704532c23ac0a4b168990a4e6dca2e
SHA1

5ca1810a3bcce99e1392dfbb7b6a70f138f57dac
SHA256

1cfa54299d3be09313c74210256a97438abfd1d48834af7b04d14bd4290a8383
SHA512

d34e2c1a224c57dabf561cd19abb414db26fd7835f5f3bc8f5b6a7d1b46077d0a29191c99178d8738417165928050fa9bb0489efec7fef7227ed24c5a949b179
SSDEEP

768:zM5apUfdlTOyxTo3TKhN/I55gM/hrwTf:ziSyJyWw55gOhk

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3868	ewayws.exe
3776	hrl7630.tmp

Loads dropped DLL 1 IoCs

pid	Process
3868	ewayws.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ewayws.exe	1cfa54299d3be09313c74210256a97438abfd1d48834af7b04d14bd4290a8383.exe
File opened for modification	C:\Windows\SysWOW64\ewayws.exe	1cfa54299d3be09313c74210256a97438abfd1d48834af7b04d14bd4290a8383.exe
File created	C:\Windows\SysWOW64\hra8.dll	ewayws.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	808	1cfa54299d3be09313c74210256a97438abfd1d48834af7b04d14bd4290a8383.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 808 wrote to memory of 1416	808	1cfa54299d3be09313c74210256a97438abfd1d48834af7b04d14bd4290a8383.exe	81
PID 808 wrote to memory of 1416	808	1cfa54299d3be09313c74210256a97438abfd1d48834af7b04d14bd4290a8383.exe	81
PID 808 wrote to memory of 1416	808	1cfa54299d3be09313c74210256a97438abfd1d48834af7b04d14bd4290a8383.exe	81
PID 3868 wrote to memory of 3776	3868	ewayws.exe	82
PID 3868 wrote to memory of 3776	3868	ewayws.exe	82
PID 3868 wrote to memory of 3776	3868	ewayws.exe	82

C:\Users\Admin\AppData\Local\Temp\1cfa54299d3be09313c74210256a97438abfd1d48834af7b04d14bd4290a8383.exe
"C:\Users\Admin\AppData\Local\Temp\1cfa54299d3be09313c74210256a97438abfd1d48834af7b04d14bd4290a8383.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:808
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\1CFA54~1.EXE > nul
  2⤵
  PID:1416

C:\Windows\SysWOW64\ewayws.exe
C:\Windows\SysWOW64\ewayws.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3868
- C:\Windows\TEMP\hrl7630.tmp
  C:\Windows\TEMP\hrl7630.tmp
  2⤵
  - Executes dropped EXE
  PID:3776

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ewayws.exe

Filesize
28KB

MD5
53704532c23ac0a4b168990a4e6dca2e

SHA1
5ca1810a3bcce99e1392dfbb7b6a70f138f57dac

SHA256
1cfa54299d3be09313c74210256a97438abfd1d48834af7b04d14bd4290a8383

SHA512
d34e2c1a224c57dabf561cd19abb414db26fd7835f5f3bc8f5b6a7d1b46077d0a29191c99178d8738417165928050fa9bb0489efec7fef7227ed24c5a949b179

Download Submit
C:\Windows\SysWOW64\ewayws.exe

Filesize
28KB

MD5
53704532c23ac0a4b168990a4e6dca2e

SHA1
5ca1810a3bcce99e1392dfbb7b6a70f138f57dac

SHA256
1cfa54299d3be09313c74210256a97438abfd1d48834af7b04d14bd4290a8383

SHA512
d34e2c1a224c57dabf561cd19abb414db26fd7835f5f3bc8f5b6a7d1b46077d0a29191c99178d8738417165928050fa9bb0489efec7fef7227ed24c5a949b179

Download Submit
C:\Windows\SysWOW64\hra8.dll

Filesize
37KB

MD5
20de8e7bc0b84f2c9d5ecfa78cb46fda

SHA1
887860c5bc9972e11fa58fb1710a12dab08362f0

SHA256
9f06830967d45dea20255b1febcb1e1c7e2219d719cf7be037f74f81531980a5

SHA512
1f6fdddde85235d45785c9865411b40427cd592ff39b582983eeecd2cdb26621d142f62b8a8a492d6d279ba54b1b2692d7effd42ec8c74832f8a2ec65043e5e8

Download Submit
C:\Windows\TEMP\hrl7630.tmp

Filesize
28KB

MD5
53704532c23ac0a4b168990a4e6dca2e

SHA1
5ca1810a3bcce99e1392dfbb7b6a70f138f57dac

SHA256
1cfa54299d3be09313c74210256a97438abfd1d48834af7b04d14bd4290a8383

SHA512
d34e2c1a224c57dabf561cd19abb414db26fd7835f5f3bc8f5b6a7d1b46077d0a29191c99178d8738417165928050fa9bb0489efec7fef7227ed24c5a949b179

Download Submit
C:\Windows\Temp\hrl7630.tmp

Filesize
28KB

MD5
53704532c23ac0a4b168990a4e6dca2e

SHA1
5ca1810a3bcce99e1392dfbb7b6a70f138f57dac

SHA256
1cfa54299d3be09313c74210256a97438abfd1d48834af7b04d14bd4290a8383

SHA512
d34e2c1a224c57dabf561cd19abb414db26fd7835f5f3bc8f5b6a7d1b46077d0a29191c99178d8738417165928050fa9bb0489efec7fef7227ed24c5a949b179

Download Submit