5f29e4f1fa2b2a19e49637a6969a14ea2718b8f2377ffb9258652cccb305953a

Analysis

max time kernel
167s
max time network
194s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
29/11/2022, 08:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f29e4f1fa2b2a19e49637a6969a14ea2718b8f2377ffb9258652cccb305953a.exe
Size

1.2MB
MD5

8a94fad07ce894522817e6d67d39166b
SHA1

38a56346a3bb405d734a85cf0eab5ba62057bf80
SHA256

5f29e4f1fa2b2a19e49637a6969a14ea2718b8f2377ffb9258652cccb305953a
SHA512

887aa39f41b67be47d51de26a1c177f4b8da558fc37c9200f6f23a6c0e9105548812a4cf5b8ded67ba4342115c673492af202ea004f5cf511416977201e4a4c8
SSDEEP

6144:SyH7xOc6H5c6HcT66vlmiQeVRsRjIoBQfTP1108+Z0VnC6Waf4zIu+L62I//ee/h:Sa1Iu308+Z0AzmNI//4qId/dGwdhI

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4132	svchost.exe
1676	5f29e4f1fa2b2a19e49637a6969a14ea2718b8f2377ffb9258652cccb305953a.exe
4912	svchost.exe

Drops file in Program Files directory 38 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\notification_helper.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jcmd.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_pwa_launcher.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe	svchost.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\svchost.exe	5f29e4f1fa2b2a19e49637a6969a14ea2718b8f2377ffb9258652cccb305953a.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1676	5f29e4f1fa2b2a19e49637a6969a14ea2718b8f2377ffb9258652cccb305953a.exe
1676	5f29e4f1fa2b2a19e49637a6969a14ea2718b8f2377ffb9258652cccb305953a.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1852 wrote to memory of 4132	1852	5f29e4f1fa2b2a19e49637a6969a14ea2718b8f2377ffb9258652cccb305953a.exe	83
PID 1852 wrote to memory of 4132	1852	5f29e4f1fa2b2a19e49637a6969a14ea2718b8f2377ffb9258652cccb305953a.exe	83
PID 1852 wrote to memory of 4132	1852	5f29e4f1fa2b2a19e49637a6969a14ea2718b8f2377ffb9258652cccb305953a.exe	83
PID 4132 wrote to memory of 1676	4132	svchost.exe	84
PID 4132 wrote to memory of 1676	4132	svchost.exe	84
PID 4132 wrote to memory of 1676	4132	svchost.exe	84

C:\Users\Admin\AppData\Local\Temp\5f29e4f1fa2b2a19e49637a6969a14ea2718b8f2377ffb9258652cccb305953a.exe
"C:\Users\Admin\AppData\Local\Temp\5f29e4f1fa2b2a19e49637a6969a14ea2718b8f2377ffb9258652cccb305953a.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1852
- C:\Windows\svchost.exe
  "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\5f29e4f1fa2b2a19e49637a6969a14ea2718b8f2377ffb9258652cccb305953a.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4132
- - C:\Users\Admin\AppData\Local\Temp\5f29e4f1fa2b2a19e49637a6969a14ea2718b8f2377ffb9258652cccb305953a.exe
    "C:\Users\Admin\AppData\Local\Temp\5f29e4f1fa2b2a19e49637a6969a14ea2718b8f2377ffb9258652cccb305953a.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1676

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4912

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5f29e4f1fa2b2a19e49637a6969a14ea2718b8f2377ffb9258652cccb305953a.exe

Filesize
1.2MB

MD5
c39c483ff2fcb2f91a1853c7a7e97c26

SHA1
3d2810df6ce3cf45f564c60b4f2a48085b008e79

SHA256
a9339e2c95e5d51a81ece911294a05a0f100728061a4adeb100dcda31c802a69

SHA512
61360fc5a76e3841295b4e8f70053110f400413bd484c6b0b0850db2d0464bfbb0bec26d0bfcaf5d83e92857bc7e730fca0b8798462ec032a21541ee52e7cd2d

Download Submit
C:\Windows\svchost.exe

Filesize
35KB

MD5
9e3c13b6556d5636b745d3e466d47467

SHA1
2ac1c19e268c49bc508f83fe3d20f495deb3e538

SHA256
20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

SHA512
5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

Download Submit
C:\Windows\svchost.exe

Filesize
35KB

MD5
9e3c13b6556d5636b745d3e466d47467

SHA1
2ac1c19e268c49bc508f83fe3d20f495deb3e538

SHA256
20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

SHA512
5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

Download Submit
C:\Windows\svchost.exe

Filesize
35KB

MD5
9e3c13b6556d5636b745d3e466d47467

SHA1
2ac1c19e268c49bc508f83fe3d20f495deb3e538

SHA256
20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

SHA512
5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

Download Submit