a8928e01f20fe5af454b228e7564af7fe4425adc19f2cb6e934faddf77f9a452

Analysis

max time kernel
160s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01/12/2022, 09:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a8928e01f20fe5af454b228e7564af7fe4425adc19f2cb6e934faddf77f9a452.exe
Size

980KB
MD5

3956b4edbe6a6ff807f12ae5cbe5c189
SHA1

95717b32165cb18b5da2e5586efdd9ca3f75917f
SHA256

a8928e01f20fe5af454b228e7564af7fe4425adc19f2cb6e934faddf77f9a452
SHA512

ec689ae082ef64e3586fa29b08d32270bf61d7fc772c8ce40681f2384ef32ae001e0e7f23d36e996ecf8dc863df1e087bade3aa04017724117945ecd222a485c
SSDEEP

12288:uEzxgIsBVdzn7UX6JP4y99/FMHL0vHIxQuivPcwgMw:uEzxgIsBPIXJy90HYAxQbv

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
3456	smsc.exe
4820	smsc.exe
4196	smsc.exe
1892	smsc.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\smsc.exe	a8928e01f20fe5af454b228e7564af7fe4425adc19f2cb6e934faddf77f9a452.exe
File opened for modification	C:\Windows\SysWOW64\smsc.exe	a8928e01f20fe5af454b228e7564af7fe4425adc19f2cb6e934faddf77f9a452.exe
File created	C:\Windows\SysWOW64\smsc.exe	smsc.exe
File created	C:\Windows\SysWOW64\smsc.exe	smsc.exe
File created	C:\Windows\SysWOW64\smsc.exe	smsc.exe
File created	C:\Windows\SysWOW64\smsc.exe	smsc.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
528	a8928e01f20fe5af454b228e7564af7fe4425adc19f2cb6e934faddf77f9a452.exe
528	a8928e01f20fe5af454b228e7564af7fe4425adc19f2cb6e934faddf77f9a452.exe
528	a8928e01f20fe5af454b228e7564af7fe4425adc19f2cb6e934faddf77f9a452.exe
528	a8928e01f20fe5af454b228e7564af7fe4425adc19f2cb6e934faddf77f9a452.exe
528	a8928e01f20fe5af454b228e7564af7fe4425adc19f2cb6e934faddf77f9a452.exe
528	a8928e01f20fe5af454b228e7564af7fe4425adc19f2cb6e934faddf77f9a452.exe
528	a8928e01f20fe5af454b228e7564af7fe4425adc19f2cb6e934faddf77f9a452.exe
528	a8928e01f20fe5af454b228e7564af7fe4425adc19f2cb6e934faddf77f9a452.exe
528	a8928e01f20fe5af454b228e7564af7fe4425adc19f2cb6e934faddf77f9a452.exe
528	a8928e01f20fe5af454b228e7564af7fe4425adc19f2cb6e934faddf77f9a452.exe
528	a8928e01f20fe5af454b228e7564af7fe4425adc19f2cb6e934faddf77f9a452.exe
528	a8928e01f20fe5af454b228e7564af7fe4425adc19f2cb6e934faddf77f9a452.exe
3456	smsc.exe
3456	smsc.exe
3456	smsc.exe
3456	smsc.exe
3456	smsc.exe
3456	smsc.exe
3456	smsc.exe
3456	smsc.exe
3456	smsc.exe
3456	smsc.exe
3456	smsc.exe
3456	smsc.exe
4820	smsc.exe
4820	smsc.exe
4820	smsc.exe
4820	smsc.exe
4820	smsc.exe
4820	smsc.exe
4820	smsc.exe
4820	smsc.exe
4820	smsc.exe
4820	smsc.exe
4820	smsc.exe
4820	smsc.exe
4196	smsc.exe
4196	smsc.exe
4196	smsc.exe
4196	smsc.exe
4196	smsc.exe
4196	smsc.exe
4196	smsc.exe
4196	smsc.exe
4196	smsc.exe
4196	smsc.exe
4196	smsc.exe
4196	smsc.exe
1892	smsc.exe
1892	smsc.exe
1892	smsc.exe
1892	smsc.exe
1892	smsc.exe
1892	smsc.exe
1892	smsc.exe
1892	smsc.exe
1892	smsc.exe
1892	smsc.exe
1892	smsc.exe
1892	smsc.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 528 wrote to memory of 3456	528	a8928e01f20fe5af454b228e7564af7fe4425adc19f2cb6e934faddf77f9a452.exe	81
PID 528 wrote to memory of 3456	528	a8928e01f20fe5af454b228e7564af7fe4425adc19f2cb6e934faddf77f9a452.exe	81
PID 528 wrote to memory of 3456	528	a8928e01f20fe5af454b228e7564af7fe4425adc19f2cb6e934faddf77f9a452.exe	81
PID 3456 wrote to memory of 4820	3456	smsc.exe	82
PID 3456 wrote to memory of 4820	3456	smsc.exe	82
PID 3456 wrote to memory of 4820	3456	smsc.exe	82
PID 4820 wrote to memory of 4196	4820	smsc.exe	83
PID 4820 wrote to memory of 4196	4820	smsc.exe	83
PID 4820 wrote to memory of 4196	4820	smsc.exe	83
PID 4196 wrote to memory of 1892	4196	smsc.exe	84
PID 4196 wrote to memory of 1892	4196	smsc.exe	84
PID 4196 wrote to memory of 1892	4196	smsc.exe	84

C:\Users\Admin\AppData\Local\Temp\a8928e01f20fe5af454b228e7564af7fe4425adc19f2cb6e934faddf77f9a452.exe
"C:\Users\Admin\AppData\Local\Temp\a8928e01f20fe5af454b228e7564af7fe4425adc19f2cb6e934faddf77f9a452.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:528
- C:\Windows\SysWOW64\smsc.exe
  C:\Windows\system32\smsc.exe -bai C:\Users\Admin\AppData\Local\Temp\a8928e01f20fe5af454b228e7564af7fe4425adc19f2cb6e934faddf77f9a452.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3456
- - C:\Windows\SysWOW64\smsc.exe
    C:\Windows\system32\smsc.exe -bai C:\Windows\SysWOW64\smsc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4820
  - - C:\Windows\SysWOW64\smsc.exe
      C:\Windows\system32\smsc.exe -bai C:\Windows\SysWOW64\smsc.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4196
    - - C:\Windows\SysWOW64\smsc.exe
        
        C:\Windows\system32\smsc.exe -bai C:\Windows\SysWOW64\smsc.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1892

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\smsc.exe

Filesize
980KB

MD5
3956b4edbe6a6ff807f12ae5cbe5c189

SHA1
95717b32165cb18b5da2e5586efdd9ca3f75917f

SHA256
a8928e01f20fe5af454b228e7564af7fe4425adc19f2cb6e934faddf77f9a452

SHA512
ec689ae082ef64e3586fa29b08d32270bf61d7fc772c8ce40681f2384ef32ae001e0e7f23d36e996ecf8dc863df1e087bade3aa04017724117945ecd222a485c

Download Submit
C:\Windows\SysWOW64\smsc.exe

Filesize
980KB

MD5
3956b4edbe6a6ff807f12ae5cbe5c189

SHA1
95717b32165cb18b5da2e5586efdd9ca3f75917f

SHA256
a8928e01f20fe5af454b228e7564af7fe4425adc19f2cb6e934faddf77f9a452

SHA512
ec689ae082ef64e3586fa29b08d32270bf61d7fc772c8ce40681f2384ef32ae001e0e7f23d36e996ecf8dc863df1e087bade3aa04017724117945ecd222a485c

Download Submit
C:\Windows\SysWOW64\smsc.exe

Filesize
980KB

MD5
3956b4edbe6a6ff807f12ae5cbe5c189

SHA1
95717b32165cb18b5da2e5586efdd9ca3f75917f

SHA256
a8928e01f20fe5af454b228e7564af7fe4425adc19f2cb6e934faddf77f9a452

SHA512
ec689ae082ef64e3586fa29b08d32270bf61d7fc772c8ce40681f2384ef32ae001e0e7f23d36e996ecf8dc863df1e087bade3aa04017724117945ecd222a485c

Download Submit
C:\Windows\SysWOW64\smsc.exe

Filesize
980KB

MD5
3956b4edbe6a6ff807f12ae5cbe5c189

SHA1
95717b32165cb18b5da2e5586efdd9ca3f75917f

SHA256
a8928e01f20fe5af454b228e7564af7fe4425adc19f2cb6e934faddf77f9a452

SHA512
ec689ae082ef64e3586fa29b08d32270bf61d7fc772c8ce40681f2384ef32ae001e0e7f23d36e996ecf8dc863df1e087bade3aa04017724117945ecd222a485c

Download Submit
C:\Windows\SysWOW64\smsc.exe

Filesize
980KB

MD5
3956b4edbe6a6ff807f12ae5cbe5c189

SHA1
95717b32165cb18b5da2e5586efdd9ca3f75917f

SHA256
a8928e01f20fe5af454b228e7564af7fe4425adc19f2cb6e934faddf77f9a452

SHA512
ec689ae082ef64e3586fa29b08d32270bf61d7fc772c8ce40681f2384ef32ae001e0e7f23d36e996ecf8dc863df1e087bade3aa04017724117945ecd222a485c

Download Submit
memory/528-136-0x0000000000400000-0x00000000004F5000-memory.dmp

Filesize
980KB

Download
memory/528-132-0x0000000000400000-0x00000000004F5000-memory.dmp

Filesize
980KB

Download
memory/1892-153-0x0000000000400000-0x00000000004F5000-memory.dmp

Filesize
980KB

Download
memory/1892-152-0x0000000000400000-0x00000000004F5000-memory.dmp

Filesize
980KB

Download
memory/3456-137-0x0000000000400000-0x00000000004F5000-memory.dmp

Filesize
980KB

Download
memory/3456-138-0x0000000000400000-0x00000000004F5000-memory.dmp

Filesize
980KB

Download
memory/3456-141-0x0000000000400000-0x00000000004F5000-memory.dmp

Filesize
980KB

Download
memory/4196-147-0x0000000000400000-0x00000000004F5000-memory.dmp

Filesize
980KB

Download
memory/4196-148-0x0000000000400000-0x00000000004F5000-memory.dmp

Filesize
980KB

Download
memory/4196-151-0x0000000000400000-0x00000000004F5000-memory.dmp

Filesize
980KB

Download
memory/4820-146-0x0000000000400000-0x00000000004F5000-memory.dmp

Filesize
980KB

Download
memory/4820-143-0x0000000000400000-0x00000000004F5000-memory.dmp

Filesize
980KB

Download
memory/4820-142-0x0000000000400000-0x00000000004F5000-memory.dmp

Filesize
980KB

Download