b229218398d100599a9d9a210db3b86922539168991e3ea1b3a6461bea7da5b7

Analysis

max time kernel
186s
max time network
186s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2022 07:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b229218398d100599a9d9a210db3b86922539168991e3ea1b3a6461bea7da5b7.exe
Size

212KB
MD5

3aae8fe6f91e88afda17fc78a5c823d4
SHA1

0c385462c222ac33968e932c6b38311cb16b8c9f
SHA256

b229218398d100599a9d9a210db3b86922539168991e3ea1b3a6461bea7da5b7
SHA512

79038d64ec6eec8a642ea02286eac6f2fc6d2c75ec26cfa4e671c0d00cf804f7130a46c8f0f2af8c5c4add79dba236a4ab9e44561f7f544e7841d57f2952821d
SSDEEP

6144:WQoJuNBX8yhav08vgJEnJpAq1mZLrE2buwAWL6A4p:WQrNBX8oav08vWIJp31mZrECfk

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
5100	svchost.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eC7KEOMudmE.exe	b229218398d100599a9d9a210db3b86922539168991e3ea1b3a6461bea7da5b7.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eC7KEOMudmE.exe	b229218398d100599a9d9a210db3b86922539168991e3ea1b3a6461bea7da5b7.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\hJOkHjGQp1Y\	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu	svchost.exe
File created	C:\Windows\SysWOW64\com\svchost.exe	b229218398d100599a9d9a210db3b86922539168991e3ea1b3a6461bea7da5b7.exe
File opened for modification	C:\Windows\SysWOW64\com\svchost.exe	b229218398d100599a9d9a210db3b86922539168991e3ea1b3a6461bea7da5b7.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3708	b229218398d100599a9d9a210db3b86922539168991e3ea1b3a6461bea7da5b7.exe
3708	b229218398d100599a9d9a210db3b86922539168991e3ea1b3a6461bea7da5b7.exe
3708	b229218398d100599a9d9a210db3b86922539168991e3ea1b3a6461bea7da5b7.exe
5100	svchost.exe
5100	svchost.exe
5100	svchost.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
3708	b229218398d100599a9d9a210db3b86922539168991e3ea1b3a6461bea7da5b7.exe
5100	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3708	b229218398d100599a9d9a210db3b86922539168991e3ea1b3a6461bea7da5b7.exe
Token: SeDebugPrivilege	5100	svchost.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3708 wrote to memory of 5080	3708	b229218398d100599a9d9a210db3b86922539168991e3ea1b3a6461bea7da5b7.exe	83
PID 3708 wrote to memory of 5080	3708	b229218398d100599a9d9a210db3b86922539168991e3ea1b3a6461bea7da5b7.exe	83
PID 5100 wrote to memory of 1172	5100	svchost.exe	86
PID 5100 wrote to memory of 1172	5100	svchost.exe	86

C:\Users\Admin\AppData\Local\Temp\b229218398d100599a9d9a210db3b86922539168991e3ea1b3a6461bea7da5b7.exe
"C:\Users\Admin\AppData\Local\Temp\b229218398d100599a9d9a210db3b86922539168991e3ea1b3a6461bea7da5b7.exe"
1⤵
- Drops startup file
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3708
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:5080

C:\Windows\SysWOW64\com\svchost.exe
C:\Windows\SysWOW64\com\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5100
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:1172

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Com\svchost.exe

Filesize
212KB

MD5
3aae8fe6f91e88afda17fc78a5c823d4

SHA1
0c385462c222ac33968e932c6b38311cb16b8c9f

SHA256
b229218398d100599a9d9a210db3b86922539168991e3ea1b3a6461bea7da5b7

SHA512
79038d64ec6eec8a642ea02286eac6f2fc6d2c75ec26cfa4e671c0d00cf804f7130a46c8f0f2af8c5c4add79dba236a4ab9e44561f7f544e7841d57f2952821d

Download Submit
C:\Windows\SysWOW64\com\svchost.exe

Filesize
212KB

MD5
3aae8fe6f91e88afda17fc78a5c823d4

SHA1
0c385462c222ac33968e932c6b38311cb16b8c9f

SHA256
b229218398d100599a9d9a210db3b86922539168991e3ea1b3a6461bea7da5b7

SHA512
79038d64ec6eec8a642ea02286eac6f2fc6d2c75ec26cfa4e671c0d00cf804f7130a46c8f0f2af8c5c4add79dba236a4ab9e44561f7f544e7841d57f2952821d

Download Submit
memory/3708-137-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3708-134-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3708-133-0x00000000005D0000-0x0000000000642000-memory.dmp

Filesize
456KB

Download
memory/3708-138-0x00000000005D0000-0x0000000000642000-memory.dmp

Filesize
456KB

Download
memory/3708-132-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3708-142-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/5100-139-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/5100-140-0x00000000013A0000-0x0000000001412000-memory.dmp

Filesize
456KB

Download
memory/5100-141-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/5100-143-0x00000000013A0000-0x0000000001412000-memory.dmp

Filesize
456KB

Download
memory/5100-144-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download