024164a90b5e845af2443e3d4919b1ed93087c14757bd035cd37881775ffd410

Analysis

max time kernel
153s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02/12/2022, 00:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

024164a90b5e845af2443e3d4919b1ed93087c14757bd035cd37881775ffd410.exe
Size

564KB
MD5

1daec6e7ecfdd9f70e573e34ca1f3a60
SHA1

223b05cc891d12cde63bd4e0a82cbf0cc7418e07
SHA256

024164a90b5e845af2443e3d4919b1ed93087c14757bd035cd37881775ffd410
SHA512

43e7d4a1cd0a1cc792d1661f4c68808a48cdfceee29e3f32cc516bb942d026147d28ee554dd9dd9e7f59e460519d3d77cb354bbbad6ae18d22f77532bd776d07
SSDEEP

12288:qhYsdJuKpYFIuKpYFwEzsBwIfMjkfTJq4L0en:qhZJuKuFIuKuFwlBNfMjkbV0e

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	024164a90b5e845af2443e3d4919b1ed93087c14757bd035cd37881775ffd410.exe
File created	C:\Windows\Dll.dll	024164a90b5e845af2443e3d4919b1ed93087c14757bd035cd37881775ffd410.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
4904	024164a90b5e845af2443e3d4919b1ed93087c14757bd035cd37881775ffd410.exe
4904	024164a90b5e845af2443e3d4919b1ed93087c14757bd035cd37881775ffd410.exe
4904	024164a90b5e845af2443e3d4919b1ed93087c14757bd035cd37881775ffd410.exe
4904	024164a90b5e845af2443e3d4919b1ed93087c14757bd035cd37881775ffd410.exe
4904	024164a90b5e845af2443e3d4919b1ed93087c14757bd035cd37881775ffd410.exe
4904	024164a90b5e845af2443e3d4919b1ed93087c14757bd035cd37881775ffd410.exe
4904	024164a90b5e845af2443e3d4919b1ed93087c14757bd035cd37881775ffd410.exe
4904	024164a90b5e845af2443e3d4919b1ed93087c14757bd035cd37881775ffd410.exe
4904	024164a90b5e845af2443e3d4919b1ed93087c14757bd035cd37881775ffd410.exe
4904	024164a90b5e845af2443e3d4919b1ed93087c14757bd035cd37881775ffd410.exe
4904	024164a90b5e845af2443e3d4919b1ed93087c14757bd035cd37881775ffd410.exe
4904	024164a90b5e845af2443e3d4919b1ed93087c14757bd035cd37881775ffd410.exe
4904	024164a90b5e845af2443e3d4919b1ed93087c14757bd035cd37881775ffd410.exe
4904	024164a90b5e845af2443e3d4919b1ed93087c14757bd035cd37881775ffd410.exe
4904	024164a90b5e845af2443e3d4919b1ed93087c14757bd035cd37881775ffd410.exe
4904	024164a90b5e845af2443e3d4919b1ed93087c14757bd035cd37881775ffd410.exe
4904	024164a90b5e845af2443e3d4919b1ed93087c14757bd035cd37881775ffd410.exe
4904	024164a90b5e845af2443e3d4919b1ed93087c14757bd035cd37881775ffd410.exe
4904	024164a90b5e845af2443e3d4919b1ed93087c14757bd035cd37881775ffd410.exe
4904	024164a90b5e845af2443e3d4919b1ed93087c14757bd035cd37881775ffd410.exe
4904	024164a90b5e845af2443e3d4919b1ed93087c14757bd035cd37881775ffd410.exe
4904	024164a90b5e845af2443e3d4919b1ed93087c14757bd035cd37881775ffd410.exe
4904	024164a90b5e845af2443e3d4919b1ed93087c14757bd035cd37881775ffd410.exe
4904	024164a90b5e845af2443e3d4919b1ed93087c14757bd035cd37881775ffd410.exe
4904	024164a90b5e845af2443e3d4919b1ed93087c14757bd035cd37881775ffd410.exe
4904	024164a90b5e845af2443e3d4919b1ed93087c14757bd035cd37881775ffd410.exe
4904	024164a90b5e845af2443e3d4919b1ed93087c14757bd035cd37881775ffd410.exe
4904	024164a90b5e845af2443e3d4919b1ed93087c14757bd035cd37881775ffd410.exe
4904	024164a90b5e845af2443e3d4919b1ed93087c14757bd035cd37881775ffd410.exe
4904	024164a90b5e845af2443e3d4919b1ed93087c14757bd035cd37881775ffd410.exe
4904	024164a90b5e845af2443e3d4919b1ed93087c14757bd035cd37881775ffd410.exe
4904	024164a90b5e845af2443e3d4919b1ed93087c14757bd035cd37881775ffd410.exe
4904	024164a90b5e845af2443e3d4919b1ed93087c14757bd035cd37881775ffd410.exe
4904	024164a90b5e845af2443e3d4919b1ed93087c14757bd035cd37881775ffd410.exe
4904	024164a90b5e845af2443e3d4919b1ed93087c14757bd035cd37881775ffd410.exe
4904	024164a90b5e845af2443e3d4919b1ed93087c14757bd035cd37881775ffd410.exe
4904	024164a90b5e845af2443e3d4919b1ed93087c14757bd035cd37881775ffd410.exe
4904	024164a90b5e845af2443e3d4919b1ed93087c14757bd035cd37881775ffd410.exe
4904	024164a90b5e845af2443e3d4919b1ed93087c14757bd035cd37881775ffd410.exe
4904	024164a90b5e845af2443e3d4919b1ed93087c14757bd035cd37881775ffd410.exe
4904	024164a90b5e845af2443e3d4919b1ed93087c14757bd035cd37881775ffd410.exe
4904	024164a90b5e845af2443e3d4919b1ed93087c14757bd035cd37881775ffd410.exe
4904	024164a90b5e845af2443e3d4919b1ed93087c14757bd035cd37881775ffd410.exe
4904	024164a90b5e845af2443e3d4919b1ed93087c14757bd035cd37881775ffd410.exe
4904	024164a90b5e845af2443e3d4919b1ed93087c14757bd035cd37881775ffd410.exe
4904	024164a90b5e845af2443e3d4919b1ed93087c14757bd035cd37881775ffd410.exe
4904	024164a90b5e845af2443e3d4919b1ed93087c14757bd035cd37881775ffd410.exe
4904	024164a90b5e845af2443e3d4919b1ed93087c14757bd035cd37881775ffd410.exe
4904	024164a90b5e845af2443e3d4919b1ed93087c14757bd035cd37881775ffd410.exe
4904	024164a90b5e845af2443e3d4919b1ed93087c14757bd035cd37881775ffd410.exe
4904	024164a90b5e845af2443e3d4919b1ed93087c14757bd035cd37881775ffd410.exe
4904	024164a90b5e845af2443e3d4919b1ed93087c14757bd035cd37881775ffd410.exe
4904	024164a90b5e845af2443e3d4919b1ed93087c14757bd035cd37881775ffd410.exe
4904	024164a90b5e845af2443e3d4919b1ed93087c14757bd035cd37881775ffd410.exe
4904	024164a90b5e845af2443e3d4919b1ed93087c14757bd035cd37881775ffd410.exe
4904	024164a90b5e845af2443e3d4919b1ed93087c14757bd035cd37881775ffd410.exe
4904	024164a90b5e845af2443e3d4919b1ed93087c14757bd035cd37881775ffd410.exe
4904	024164a90b5e845af2443e3d4919b1ed93087c14757bd035cd37881775ffd410.exe
4904	024164a90b5e845af2443e3d4919b1ed93087c14757bd035cd37881775ffd410.exe
4904	024164a90b5e845af2443e3d4919b1ed93087c14757bd035cd37881775ffd410.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4904 wrote to memory of 4344	4904	024164a90b5e845af2443e3d4919b1ed93087c14757bd035cd37881775ffd410.exe	82
PID 4904 wrote to memory of 4344	4904	024164a90b5e845af2443e3d4919b1ed93087c14757bd035cd37881775ffd410.exe	82
PID 4904 wrote to memory of 4344	4904	024164a90b5e845af2443e3d4919b1ed93087c14757bd035cd37881775ffd410.exe	82
PID 4344 wrote to memory of 4892	4344	net.exe	84
PID 4344 wrote to memory of 4892	4344	net.exe	84
PID 4344 wrote to memory of 4892	4344	net.exe	84
PID 4904 wrote to memory of 4832	4904	024164a90b5e845af2443e3d4919b1ed93087c14757bd035cd37881775ffd410.exe	85
PID 4904 wrote to memory of 4832	4904	024164a90b5e845af2443e3d4919b1ed93087c14757bd035cd37881775ffd410.exe	85
PID 4904 wrote to memory of 4832	4904	024164a90b5e845af2443e3d4919b1ed93087c14757bd035cd37881775ffd410.exe	85
PID 4832 wrote to memory of 4532	4832	net.exe	87
PID 4832 wrote to memory of 4532	4832	net.exe	87
PID 4832 wrote to memory of 4532	4832	net.exe	87
PID 4904 wrote to memory of 2416	4904	024164a90b5e845af2443e3d4919b1ed93087c14757bd035cd37881775ffd410.exe	59
PID 4904 wrote to memory of 2416	4904	024164a90b5e845af2443e3d4919b1ed93087c14757bd035cd37881775ffd410.exe	59

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2416
- C:\Users\Admin\AppData\Local\Temp\024164a90b5e845af2443e3d4919b1ed93087c14757bd035cd37881775ffd410.exe
  "C:\Users\Admin\AppData\Local\Temp\024164a90b5e845af2443e3d4919b1ed93087c14757bd035cd37881775ffd410.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4904
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4344
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:4892
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4832
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:4532

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4904-132-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4904-137-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download