dfefc21349b3e3e00751a39857f9dc7c3831f6a17e7880c41d5c68f1614673a3

Analysis

max time kernel
2s
max time network
33s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
28-11-2022 06:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dfefc21349b3e3e00751a39857f9dc7c3831f6a17e7880c41d5c68f1614673a3.exe
Size

2.2MB
MD5

acf5f84bef5a19b428e14394c4cb813a
SHA1

c6809d2ea06263104d05fa21414343020794f509
SHA256

dfefc21349b3e3e00751a39857f9dc7c3831f6a17e7880c41d5c68f1614673a3
SHA512

73b638e30773fb60d0a4a8b06827f773c3e97289f6ed280bc332c288f41f9583df077620f0ab9585a87defbeb6be1f5e4f45583dab66be16a070d1d6773208fb
SSDEEP

24576:mRYsKMIZpeBAQMt933T0vOYdeBmyMhBMAcWBs1CEbAJFiJsrLPcwtOAPtinu7vgE:pvVL5QTNkgwqvVnETVYp

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\suchost.exe	dfefc21349b3e3e00751a39857f9dc7c3831f6a17e7880c41d5c68f1614673a3.exe
File created	C:\Windows\SysWOW64\drivers\suchost.exe	dfefc21349b3e3e00751a39857f9dc7c3831f6a17e7880c41d5c68f1614673a3.exe

Executes dropped EXE 1 IoCs

pid	Process
2044	suchost.exe

Deletes itself 1 IoCs

pid	Process
2040	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1736	dfefc21349b3e3e00751a39857f9dc7c3831f6a17e7880c41d5c68f1614673a3.exe
1736	dfefc21349b3e3e00751a39857f9dc7c3831f6a17e7880c41d5c68f1614673a3.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1736	dfefc21349b3e3e00751a39857f9dc7c3831f6a17e7880c41d5c68f1614673a3.exe
2044	suchost.exe
2044	suchost.exe
2044	suchost.exe
2044	suchost.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 2040	1736	dfefc21349b3e3e00751a39857f9dc7c3831f6a17e7880c41d5c68f1614673a3.exe	28
PID 1736 wrote to memory of 2040	1736	dfefc21349b3e3e00751a39857f9dc7c3831f6a17e7880c41d5c68f1614673a3.exe	28
PID 1736 wrote to memory of 2040	1736	dfefc21349b3e3e00751a39857f9dc7c3831f6a17e7880c41d5c68f1614673a3.exe	28
PID 1736 wrote to memory of 2040	1736	dfefc21349b3e3e00751a39857f9dc7c3831f6a17e7880c41d5c68f1614673a3.exe	28
PID 1736 wrote to memory of 2044	1736	dfefc21349b3e3e00751a39857f9dc7c3831f6a17e7880c41d5c68f1614673a3.exe	30
PID 1736 wrote to memory of 2044	1736	dfefc21349b3e3e00751a39857f9dc7c3831f6a17e7880c41d5c68f1614673a3.exe	30
PID 1736 wrote to memory of 2044	1736	dfefc21349b3e3e00751a39857f9dc7c3831f6a17e7880c41d5c68f1614673a3.exe	30
PID 1736 wrote to memory of 2044	1736	dfefc21349b3e3e00751a39857f9dc7c3831f6a17e7880c41d5c68f1614673a3.exe	30

C:\Users\Admin\AppData\Local\Temp\dfefc21349b3e3e00751a39857f9dc7c3831f6a17e7880c41d5c68f1614673a3.exe
"C:\Users\Admin\AppData\Local\Temp\dfefc21349b3e3e00751a39857f9dc7c3831f6a17e7880c41d5c68f1614673a3.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\85$$.bat
  2⤵
  - Deletes itself
  PID:2040
- C:\Windows\SysWOW64\drivers\suchost.exe
  C:\Windows\system32\drivers\suchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2044

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\85$$.bat

Filesize
677B

MD5
5a4c85905d40178b4cd879e61771051b

SHA1
a29ca1ce69e077ea095686abb2273144c3406d81

SHA256
946a06e5a6d5a18134fb9eb85cdf899772c455fbaf11267cc4f17b2cd67909e9

SHA512
c3730af71f7af53fef8cf2ca28f3928590de6466293dfdae5b5c91a08f5682a325d072a07136863cdff39064c816fb0c424a43c7d99dbca8c7c31b60df1df96f

Download Submit
C:\Windows\SysWOW64\drivers\suchost.exe

Filesize
209KB

MD5
23fb3e17eb83d00c6dd806ee7341fcc8

SHA1
4df23ac55c064c04b9f5dad87b92bfe3d5686afc

SHA256
949f5489f9ee0d06cb743404ccebe609064bc6867a314528c2868620f6ea0a12

SHA512
a504cf1c0546af52ce5ca6040230ea48bf181f68e572cf8e66cdec5186aa55d8a650d7a6275311e0dd9e9c4a98cf485afd21b22cf69286e5fd1576fb4250f2d3

Download Submit
C:\Windows\SysWOW64\drivers\suchost.exe

Filesize
209KB

MD5
23fb3e17eb83d00c6dd806ee7341fcc8

SHA1
4df23ac55c064c04b9f5dad87b92bfe3d5686afc

SHA256
949f5489f9ee0d06cb743404ccebe609064bc6867a314528c2868620f6ea0a12

SHA512
a504cf1c0546af52ce5ca6040230ea48bf181f68e572cf8e66cdec5186aa55d8a650d7a6275311e0dd9e9c4a98cf485afd21b22cf69286e5fd1576fb4250f2d3

Download Submit
\Windows\SysWOW64\drivers\suchost.exe

Filesize
209KB

MD5
23fb3e17eb83d00c6dd806ee7341fcc8

SHA1
4df23ac55c064c04b9f5dad87b92bfe3d5686afc

SHA256
949f5489f9ee0d06cb743404ccebe609064bc6867a314528c2868620f6ea0a12

SHA512
a504cf1c0546af52ce5ca6040230ea48bf181f68e572cf8e66cdec5186aa55d8a650d7a6275311e0dd9e9c4a98cf485afd21b22cf69286e5fd1576fb4250f2d3

Download Submit
\Windows\SysWOW64\drivers\suchost.exe

Filesize
209KB

MD5
23fb3e17eb83d00c6dd806ee7341fcc8

SHA1
4df23ac55c064c04b9f5dad87b92bfe3d5686afc

SHA256
949f5489f9ee0d06cb743404ccebe609064bc6867a314528c2868620f6ea0a12

SHA512
a504cf1c0546af52ce5ca6040230ea48bf181f68e572cf8e66cdec5186aa55d8a650d7a6275311e0dd9e9c4a98cf485afd21b22cf69286e5fd1576fb4250f2d3

Download Submit
memory/1736-54-0x0000000076411000-0x0000000076413000-memory.dmp

Filesize
8KB

Download