6556bbc9e435ccf1a585ae5d200bca90f8d582794dde4b9eda8e81ae60381cf2

Analysis

max time kernel
169s
max time network
183s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
27-11-2022 18:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6556bbc9e435ccf1a585ae5d200bca90f8d582794dde4b9eda8e81ae60381cf2.exe
Size

106KB
MD5

2d4b5f6215d072e80a6003cdb93aab99
SHA1

d2f7954874849a6887504047a0c9c59bdb40b874
SHA256

6556bbc9e435ccf1a585ae5d200bca90f8d582794dde4b9eda8e81ae60381cf2
SHA512

017fb4ea915f94f653050f359f3b539866007e5cf3e92dd06d9ef442a6fbbd06026cb6cfc6c3a2289ee80733c948d07f27fe243bd328b2b37836913a6fbe6175
SSDEEP

3072:A2/d+dMEQ3lovUKWEk8sCugOdhoqX0uhCJ555555:A2SMV3losj5k

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 8 IoCs

pid	Process
4316	sdktemp.exe
2212	sdktemp.exe
3788	sdktemp.exe
2512	sdktemp.exe
3480	sdktemp.exe
3064	sdktemp.exe
3940	sdktemp.exe
3144	sdktemp.exe

Drops file in System32 directory 18 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\sdktemp.exe	sdktemp.exe
File opened for modification	C:\Windows\SysWOW64\sdktemp.exe	sdktemp.exe
File opened for modification	C:\Windows\SysWOW64\sdktemp.exe	sdktemp.exe
File opened for modification	C:\Windows\SysWOW64\sdktemp.exe	sdktemp.exe
File created	C:\Windows\SysWOW64\sdktemp.exe	6556bbc9e435ccf1a585ae5d200bca90f8d582794dde4b9eda8e81ae60381cf2.exe
File created	C:\Windows\SysWOW64\sdktemp.exe	sdktemp.exe
File created	C:\Windows\SysWOW64\sdktemp.exe	sdktemp.exe
File created	C:\Windows\SysWOW64\sdktemp.exe	sdktemp.exe
File opened for modification	C:\Windows\SysWOW64\sdktemp.exe	sdktemp.exe
File created	C:\Windows\SysWOW64\sdktemp.exe	sdktemp.exe
File opened for modification	C:\Windows\SysWOW64\sdktemp.exe	sdktemp.exe
File created	C:\Windows\SysWOW64\sdktemp.exe	sdktemp.exe
File opened for modification	C:\Windows\SysWOW64\sdktemp.exe	sdktemp.exe
File opened for modification	C:\Windows\SysWOW64\sdktemp.exe	sdktemp.exe
File opened for modification	C:\Windows\SysWOW64\sdktemp.exe	6556bbc9e435ccf1a585ae5d200bca90f8d582794dde4b9eda8e81ae60381cf2.exe
File opened for modification	C:\Windows\SysWOW64\sdktemp.exe	sdktemp.exe
File created	C:\Windows\SysWOW64\sdktemp.exe	sdktemp.exe
File created	C:\Windows\SysWOW64\sdktemp.exe	sdktemp.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 640 wrote to memory of 4316	640	6556bbc9e435ccf1a585ae5d200bca90f8d582794dde4b9eda8e81ae60381cf2.exe	84
PID 640 wrote to memory of 4316	640	6556bbc9e435ccf1a585ae5d200bca90f8d582794dde4b9eda8e81ae60381cf2.exe	84
PID 640 wrote to memory of 4316	640	6556bbc9e435ccf1a585ae5d200bca90f8d582794dde4b9eda8e81ae60381cf2.exe	84
PID 4316 wrote to memory of 2212	4316	sdktemp.exe	86
PID 4316 wrote to memory of 2212	4316	sdktemp.exe	86
PID 4316 wrote to memory of 2212	4316	sdktemp.exe	86
PID 2212 wrote to memory of 3788	2212	sdktemp.exe	87
PID 2212 wrote to memory of 3788	2212	sdktemp.exe	87
PID 2212 wrote to memory of 3788	2212	sdktemp.exe	87
PID 3788 wrote to memory of 2512	3788	sdktemp.exe	89
PID 3788 wrote to memory of 2512	3788	sdktemp.exe	89
PID 3788 wrote to memory of 2512	3788	sdktemp.exe	89
PID 2512 wrote to memory of 3480	2512	sdktemp.exe	90
PID 2512 wrote to memory of 3480	2512	sdktemp.exe	90
PID 2512 wrote to memory of 3480	2512	sdktemp.exe	90
PID 3480 wrote to memory of 3064	3480	sdktemp.exe	95
PID 3480 wrote to memory of 3064	3480	sdktemp.exe	95
PID 3480 wrote to memory of 3064	3480	sdktemp.exe	95
PID 3064 wrote to memory of 3940	3064	sdktemp.exe	97
PID 3064 wrote to memory of 3940	3064	sdktemp.exe	97
PID 3064 wrote to memory of 3940	3064	sdktemp.exe	97
PID 3940 wrote to memory of 3144	3940	sdktemp.exe	100
PID 3940 wrote to memory of 3144	3940	sdktemp.exe	100
PID 3940 wrote to memory of 3144	3940	sdktemp.exe	100

C:\Users\Admin\AppData\Local\Temp\6556bbc9e435ccf1a585ae5d200bca90f8d582794dde4b9eda8e81ae60381cf2.exe
"C:\Users\Admin\AppData\Local\Temp\6556bbc9e435ccf1a585ae5d200bca90f8d582794dde4b9eda8e81ae60381cf2.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:640
- C:\Windows\SysWOW64\sdktemp.exe
  C:\Windows\system32\sdktemp.exe 1152 "C:\Users\Admin\AppData\Local\Temp\6556bbc9e435ccf1a585ae5d200bca90f8d582794dde4b9eda8e81ae60381cf2.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4316
- - C:\Windows\SysWOW64\sdktemp.exe
    C:\Windows\system32\sdktemp.exe 1148 "C:\Windows\SysWOW64\sdktemp.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2212
  - - C:\Windows\SysWOW64\sdktemp.exe
      C:\Windows\system32\sdktemp.exe 1128 "C:\Windows\SysWOW64\sdktemp.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:3788
    - - C:\Windows\SysWOW64\sdktemp.exe
        
        C:\Windows\system32\sdktemp.exe 1124 "C:\Windows\SysWOW64\sdktemp.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2512
      - C:\Windows\SysWOW64\sdktemp.exe
        
        C:\Windows\system32\sdktemp.exe 1132 "C:\Windows\SysWOW64\sdktemp.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3480
        
        C:\Windows\SysWOW64\sdktemp.exe
        
        C:\Windows\system32\sdktemp.exe 1136 "C:\Windows\SysWOW64\sdktemp.exe"
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Windows\SysWOW64\sdktemp.exe
        
        C:\Windows\system32\sdktemp.exe 1140 "C:\Windows\SysWOW64\sdktemp.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3940
        
        C:\Windows\SysWOW64\sdktemp.exe
        
        C:\Windows\system32\sdktemp.exe 1156 "C:\Windows\SysWOW64\sdktemp.exe"
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3144

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\sdktemp.exe

Filesize
106KB

MD5
2d4b5f6215d072e80a6003cdb93aab99

SHA1
d2f7954874849a6887504047a0c9c59bdb40b874

SHA256
6556bbc9e435ccf1a585ae5d200bca90f8d582794dde4b9eda8e81ae60381cf2

SHA512
017fb4ea915f94f653050f359f3b539866007e5cf3e92dd06d9ef442a6fbbd06026cb6cfc6c3a2289ee80733c948d07f27fe243bd328b2b37836913a6fbe6175

Download Submit
C:\Windows\SysWOW64\sdktemp.exe

Filesize
106KB

MD5
2d4b5f6215d072e80a6003cdb93aab99

SHA1
d2f7954874849a6887504047a0c9c59bdb40b874

SHA256
6556bbc9e435ccf1a585ae5d200bca90f8d582794dde4b9eda8e81ae60381cf2

SHA512
017fb4ea915f94f653050f359f3b539866007e5cf3e92dd06d9ef442a6fbbd06026cb6cfc6c3a2289ee80733c948d07f27fe243bd328b2b37836913a6fbe6175

Download Submit
C:\Windows\SysWOW64\sdktemp.exe

Filesize
106KB

MD5
2d4b5f6215d072e80a6003cdb93aab99

SHA1
d2f7954874849a6887504047a0c9c59bdb40b874

SHA256
6556bbc9e435ccf1a585ae5d200bca90f8d582794dde4b9eda8e81ae60381cf2

SHA512
017fb4ea915f94f653050f359f3b539866007e5cf3e92dd06d9ef442a6fbbd06026cb6cfc6c3a2289ee80733c948d07f27fe243bd328b2b37836913a6fbe6175

Download Submit
C:\Windows\SysWOW64\sdktemp.exe

Filesize
106KB

MD5
2d4b5f6215d072e80a6003cdb93aab99

SHA1
d2f7954874849a6887504047a0c9c59bdb40b874

SHA256
6556bbc9e435ccf1a585ae5d200bca90f8d582794dde4b9eda8e81ae60381cf2

SHA512
017fb4ea915f94f653050f359f3b539866007e5cf3e92dd06d9ef442a6fbbd06026cb6cfc6c3a2289ee80733c948d07f27fe243bd328b2b37836913a6fbe6175

Download Submit
C:\Windows\SysWOW64\sdktemp.exe

Filesize
106KB

MD5
2d4b5f6215d072e80a6003cdb93aab99

SHA1
d2f7954874849a6887504047a0c9c59bdb40b874

SHA256
6556bbc9e435ccf1a585ae5d200bca90f8d582794dde4b9eda8e81ae60381cf2

SHA512
017fb4ea915f94f653050f359f3b539866007e5cf3e92dd06d9ef442a6fbbd06026cb6cfc6c3a2289ee80733c948d07f27fe243bd328b2b37836913a6fbe6175

Download Submit
C:\Windows\SysWOW64\sdktemp.exe

Filesize
106KB

MD5
2d4b5f6215d072e80a6003cdb93aab99

SHA1
d2f7954874849a6887504047a0c9c59bdb40b874

SHA256
6556bbc9e435ccf1a585ae5d200bca90f8d582794dde4b9eda8e81ae60381cf2

SHA512
017fb4ea915f94f653050f359f3b539866007e5cf3e92dd06d9ef442a6fbbd06026cb6cfc6c3a2289ee80733c948d07f27fe243bd328b2b37836913a6fbe6175

Download Submit
C:\Windows\SysWOW64\sdktemp.exe

Filesize
106KB

MD5
2d4b5f6215d072e80a6003cdb93aab99

SHA1
d2f7954874849a6887504047a0c9c59bdb40b874

SHA256
6556bbc9e435ccf1a585ae5d200bca90f8d582794dde4b9eda8e81ae60381cf2

SHA512
017fb4ea915f94f653050f359f3b539866007e5cf3e92dd06d9ef442a6fbbd06026cb6cfc6c3a2289ee80733c948d07f27fe243bd328b2b37836913a6fbe6175

Download Submit
C:\Windows\SysWOW64\sdktemp.exe

Filesize
106KB

MD5
2d4b5f6215d072e80a6003cdb93aab99

SHA1
d2f7954874849a6887504047a0c9c59bdb40b874

SHA256
6556bbc9e435ccf1a585ae5d200bca90f8d582794dde4b9eda8e81ae60381cf2

SHA512
017fb4ea915f94f653050f359f3b539866007e5cf3e92dd06d9ef442a6fbbd06026cb6cfc6c3a2289ee80733c948d07f27fe243bd328b2b37836913a6fbe6175

Download Submit
C:\Windows\SysWOW64\sdktemp.exe

Filesize
106KB

MD5
2d4b5f6215d072e80a6003cdb93aab99

SHA1
d2f7954874849a6887504047a0c9c59bdb40b874

SHA256
6556bbc9e435ccf1a585ae5d200bca90f8d582794dde4b9eda8e81ae60381cf2

SHA512
017fb4ea915f94f653050f359f3b539866007e5cf3e92dd06d9ef442a6fbbd06026cb6cfc6c3a2289ee80733c948d07f27fe243bd328b2b37836913a6fbe6175

Download Submit
memory/640-133-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/640-138-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/640-132-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2212-142-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2212-143-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2512-151-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/3064-159-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/3144-167-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/3480-155-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/3788-147-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/3940-163-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/4316-139-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads