d085e4d76fb4f86dbb1f3d05915fd2d256e134d2d5d3a5483c900696d091498d

Analysis

max time kernel
79s
max time network
47s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
03-12-2022 21:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d085e4d76fb4f86dbb1f3d05915fd2d256e134d2d5d3a5483c900696d091498d.exe
Size

126KB
MD5

2dac2508b6f7e0f5bca4d02b2f283ccb
SHA1

c43fab2bbbb19987982316a75df09550849dc7e8
SHA256

d085e4d76fb4f86dbb1f3d05915fd2d256e134d2d5d3a5483c900696d091498d
SHA512

0c2c9d153833749a45a4276f72ba6d523737d19b78d165c75c43e853c7601e4af9f11192c19f65b020ae70c469bb20e74fa9aec3cab0c94f19b0cce12a09c87b
SSDEEP

3072:XxrOcmWIocP+OPck3oa/6vc+L4elLV2raUcZS2gfMXLix0:N5mWVcRPckr6E+3fKXcZS2m23

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1144	System64.exe
1812	System64.exe

Deletes itself 1 IoCs

pid	Process
856	cmd.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\System64.exe	d085e4d76fb4f86dbb1f3d05915fd2d256e134d2d5d3a5483c900696d091498d.exe
File opened for modification	C:\Windows\SysWOW64\System64.exe	d085e4d76fb4f86dbb1f3d05915fd2d256e134d2d5d3a5483c900696d091498d.exe
File created	C:\Windows\SysWOW64\KMe.bat	d085e4d76fb4f86dbb1f3d05915fd2d256e134d2d5d3a5483c900696d091498d.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1768 set thread context of 1284	1768	d085e4d76fb4f86dbb1f3d05915fd2d256e134d2d5d3a5483c900696d091498d.exe	27
PID 1144 set thread context of 1812	1144	System64.exe	29
PID 1812 set thread context of 516	1812	System64.exe	32

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1812	System64.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 1768 wrote to memory of 1284	1768	d085e4d76fb4f86dbb1f3d05915fd2d256e134d2d5d3a5483c900696d091498d.exe	27
PID 1768 wrote to memory of 1284	1768	d085e4d76fb4f86dbb1f3d05915fd2d256e134d2d5d3a5483c900696d091498d.exe	27
PID 1768 wrote to memory of 1284	1768	d085e4d76fb4f86dbb1f3d05915fd2d256e134d2d5d3a5483c900696d091498d.exe	27
PID 1768 wrote to memory of 1284	1768	d085e4d76fb4f86dbb1f3d05915fd2d256e134d2d5d3a5483c900696d091498d.exe	27
PID 1768 wrote to memory of 1284	1768	d085e4d76fb4f86dbb1f3d05915fd2d256e134d2d5d3a5483c900696d091498d.exe	27
PID 1768 wrote to memory of 1284	1768	d085e4d76fb4f86dbb1f3d05915fd2d256e134d2d5d3a5483c900696d091498d.exe	27
PID 1144 wrote to memory of 1812	1144	System64.exe	29
PID 1144 wrote to memory of 1812	1144	System64.exe	29
PID 1144 wrote to memory of 1812	1144	System64.exe	29
PID 1144 wrote to memory of 1812	1144	System64.exe	29
PID 1144 wrote to memory of 1812	1144	System64.exe	29
PID 1144 wrote to memory of 1812	1144	System64.exe	29
PID 1284 wrote to memory of 856	1284	d085e4d76fb4f86dbb1f3d05915fd2d256e134d2d5d3a5483c900696d091498d.exe	30
PID 1284 wrote to memory of 856	1284	d085e4d76fb4f86dbb1f3d05915fd2d256e134d2d5d3a5483c900696d091498d.exe	30
PID 1284 wrote to memory of 856	1284	d085e4d76fb4f86dbb1f3d05915fd2d256e134d2d5d3a5483c900696d091498d.exe	30
PID 1284 wrote to memory of 856	1284	d085e4d76fb4f86dbb1f3d05915fd2d256e134d2d5d3a5483c900696d091498d.exe	30
PID 1812 wrote to memory of 516	1812	System64.exe	32
PID 1812 wrote to memory of 516	1812	System64.exe	32
PID 1812 wrote to memory of 516	1812	System64.exe	32
PID 1812 wrote to memory of 516	1812	System64.exe	32
PID 1812 wrote to memory of 516	1812	System64.exe	32
PID 1812 wrote to memory of 516	1812	System64.exe	32
PID 1812 wrote to memory of 516	1812	System64.exe	32
PID 1812 wrote to memory of 516	1812	System64.exe	32
PID 1812 wrote to memory of 516	1812	System64.exe	32
PID 1812 wrote to memory of 516	1812	System64.exe	32
PID 1812 wrote to memory of 516	1812	System64.exe	32

C:\Users\Admin\AppData\Local\Temp\d085e4d76fb4f86dbb1f3d05915fd2d256e134d2d5d3a5483c900696d091498d.exe
"C:\Users\Admin\AppData\Local\Temp\d085e4d76fb4f86dbb1f3d05915fd2d256e134d2d5d3a5483c900696d091498d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1768
- C:\Users\Admin\AppData\Local\Temp\d085e4d76fb4f86dbb1f3d05915fd2d256e134d2d5d3a5483c900696d091498d.exe
  C:\Users\Admin\AppData\Local\Temp\d085e4d76fb4f86dbb1f3d05915fd2d256e134d2d5d3a5483c900696d091498d.exe
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1284
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\system32\KMe.bat
    3⤵
    - Deletes itself
    PID:856

C:\Windows\SysWOW64\System64.exe
C:\Windows\SysWOW64\System64.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1144
- C:\Windows\SysWOW64\System64.exe
  C:\Windows\SysWOW64\System64.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1812
- - C:\Windows\SysWOW64\userinit.exe
    "C:\Windows\system32\userinit.exe"
    3⤵
    PID:516

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\KMe.bat

Filesize
118B

MD5
3ef6da8fe59b6c181392e3a79092ce6a

SHA1
62639937bfae8c578397be8d2d3ca6af8b983ca9

SHA256
f47a21b186b1a22f281da857fb95e26e0c6eb78cad2b58888c662b4159c413d7

SHA512
3b82ff89460bfbc80e2a21bc63609c1323c0492da391b98125150e437dd263c0711dc054d0fc0898741efddce2686f9e1ed6b57556f390e57a7d1a4ea9e47453

Download Submit
C:\Windows\SysWOW64\System64.exe

Filesize
126KB

MD5
2dac2508b6f7e0f5bca4d02b2f283ccb

SHA1
c43fab2bbbb19987982316a75df09550849dc7e8

SHA256
d085e4d76fb4f86dbb1f3d05915fd2d256e134d2d5d3a5483c900696d091498d

SHA512
0c2c9d153833749a45a4276f72ba6d523737d19b78d165c75c43e853c7601e4af9f11192c19f65b020ae70c469bb20e74fa9aec3cab0c94f19b0cce12a09c87b

Download Submit
C:\Windows\SysWOW64\System64.exe

Filesize
126KB

MD5
2dac2508b6f7e0f5bca4d02b2f283ccb

SHA1
c43fab2bbbb19987982316a75df09550849dc7e8

SHA256
d085e4d76fb4f86dbb1f3d05915fd2d256e134d2d5d3a5483c900696d091498d

SHA512
0c2c9d153833749a45a4276f72ba6d523737d19b78d165c75c43e853c7601e4af9f11192c19f65b020ae70c469bb20e74fa9aec3cab0c94f19b0cce12a09c87b

Download Submit
C:\Windows\SysWOW64\System64.exe

Filesize
126KB

MD5
2dac2508b6f7e0f5bca4d02b2f283ccb

SHA1
c43fab2bbbb19987982316a75df09550849dc7e8

SHA256
d085e4d76fb4f86dbb1f3d05915fd2d256e134d2d5d3a5483c900696d091498d

SHA512
0c2c9d153833749a45a4276f72ba6d523737d19b78d165c75c43e853c7601e4af9f11192c19f65b020ae70c469bb20e74fa9aec3cab0c94f19b0cce12a09c87b

Download Submit
memory/516-76-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/516-86-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/516-80-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/516-78-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/516-74-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/516-75-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/1284-60-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1284-73-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1284-61-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1284-54-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1284-59-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download
memory/1284-56-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1284-58-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1812-84-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1812-89-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download