f1c226763ff66c2a5406c8f64c16a73b0adcb952164891a16f075c3f135b1a94

Analysis

max time kernel
189s
max time network
213s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
04/12/2022, 08:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f1c226763ff66c2a5406c8f64c16a73b0adcb952164891a16f075c3f135b1a94.exe
Size

356KB
MD5

22f2e0904bae1e4c047fa3d24ba9549f
SHA1

7156b78f01ecb7ac752ba901b6a094f7f4004886
SHA256

f1c226763ff66c2a5406c8f64c16a73b0adcb952164891a16f075c3f135b1a94
SHA512

e2c172331ac37440db39a4f5ef70391642c6c765580f355442f4ea5a5d2c91f12afb714144ba0e5209122c0b4a9a7b535bb77bb8f9b2ac7d65f28513e58f155c
SSDEEP

6144:rNEegWam3qTA8KL4SOVknLSulqgSQsJimTNjJmULUstF26mHFzAW12Ee2bOjOnWr:BEsF3qJKL4r34aUm35LUsDUzIb2rnWkM

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
3420	.exe
2504	.exe
4416	.exe
3116	.exe
1184	.exe
4200	.exe

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\.exe	.exe
File opened for modification	C:\Windows\SysWOW64\.exe	.exe
File created	C:\Windows\SysWOW64\.exe	.exe
File created	C:\Windows\SysWOW64\.exe	f1c226763ff66c2a5406c8f64c16a73b0adcb952164891a16f075c3f135b1a94.exe
File opened for modification	C:\Windows\SysWOW64\.exe	f1c226763ff66c2a5406c8f64c16a73b0adcb952164891a16f075c3f135b1a94.exe
File opened for modification	C:\Windows\SysWOW64\.exe	.exe
File opened for modification	C:\Windows\SysWOW64\.exe	.exe
File created	C:\Windows\SysWOW64\.exe	.exe
File opened for modification	C:\Windows\SysWOW64\.exe	.exe
File created	C:\Windows\SysWOW64\.exe	.exe
File opened for modification	C:\Windows\SysWOW64\.exe	.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4028 set thread context of 3468	4028	f1c226763ff66c2a5406c8f64c16a73b0adcb952164891a16f075c3f135b1a94.exe	84
PID 3420 set thread context of 2504	3420	.exe	89
PID 4416 set thread context of 3116	4416	.exe	97
PID 1184 set thread context of 4200	1184	.exe	101

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4028	f1c226763ff66c2a5406c8f64c16a73b0adcb952164891a16f075c3f135b1a94.exe
3420	.exe
4416	.exe
1184	.exe

Suspicious use of WriteProcessMemory 49 IoCs

description	pid	Process	procid_target
PID 4028 wrote to memory of 3468	4028	f1c226763ff66c2a5406c8f64c16a73b0adcb952164891a16f075c3f135b1a94.exe	84
PID 4028 wrote to memory of 3468	4028	f1c226763ff66c2a5406c8f64c16a73b0adcb952164891a16f075c3f135b1a94.exe	84
PID 4028 wrote to memory of 3468	4028	f1c226763ff66c2a5406c8f64c16a73b0adcb952164891a16f075c3f135b1a94.exe	84
PID 4028 wrote to memory of 3468	4028	f1c226763ff66c2a5406c8f64c16a73b0adcb952164891a16f075c3f135b1a94.exe	84
PID 4028 wrote to memory of 3468	4028	f1c226763ff66c2a5406c8f64c16a73b0adcb952164891a16f075c3f135b1a94.exe	84
PID 4028 wrote to memory of 3468	4028	f1c226763ff66c2a5406c8f64c16a73b0adcb952164891a16f075c3f135b1a94.exe	84
PID 4028 wrote to memory of 3468	4028	f1c226763ff66c2a5406c8f64c16a73b0adcb952164891a16f075c3f135b1a94.exe	84
PID 4028 wrote to memory of 3468	4028	f1c226763ff66c2a5406c8f64c16a73b0adcb952164891a16f075c3f135b1a94.exe	84
PID 4028 wrote to memory of 3468	4028	f1c226763ff66c2a5406c8f64c16a73b0adcb952164891a16f075c3f135b1a94.exe	84
PID 4028 wrote to memory of 3468	4028	f1c226763ff66c2a5406c8f64c16a73b0adcb952164891a16f075c3f135b1a94.exe	84
PID 3468 wrote to memory of 3420	3468	f1c226763ff66c2a5406c8f64c16a73b0adcb952164891a16f075c3f135b1a94.exe	88
PID 3468 wrote to memory of 3420	3468	f1c226763ff66c2a5406c8f64c16a73b0adcb952164891a16f075c3f135b1a94.exe	88
PID 3468 wrote to memory of 3420	3468	f1c226763ff66c2a5406c8f64c16a73b0adcb952164891a16f075c3f135b1a94.exe	88
PID 3420 wrote to memory of 2504	3420	.exe	89
PID 3420 wrote to memory of 2504	3420	.exe	89
PID 3420 wrote to memory of 2504	3420	.exe	89
PID 3420 wrote to memory of 2504	3420	.exe	89
PID 3420 wrote to memory of 2504	3420	.exe	89
PID 3420 wrote to memory of 2504	3420	.exe	89
PID 3420 wrote to memory of 2504	3420	.exe	89
PID 3420 wrote to memory of 2504	3420	.exe	89
PID 3420 wrote to memory of 2504	3420	.exe	89
PID 3420 wrote to memory of 2504	3420	.exe	89
PID 2504 wrote to memory of 4416	2504	.exe	96
PID 2504 wrote to memory of 4416	2504	.exe	96
PID 2504 wrote to memory of 4416	2504	.exe	96
PID 4416 wrote to memory of 3116	4416	.exe	97
PID 4416 wrote to memory of 3116	4416	.exe	97
PID 4416 wrote to memory of 3116	4416	.exe	97
PID 4416 wrote to memory of 3116	4416	.exe	97
PID 4416 wrote to memory of 3116	4416	.exe	97
PID 4416 wrote to memory of 3116	4416	.exe	97
PID 4416 wrote to memory of 3116	4416	.exe	97
PID 4416 wrote to memory of 3116	4416	.exe	97
PID 4416 wrote to memory of 3116	4416	.exe	97
PID 4416 wrote to memory of 3116	4416	.exe	97
PID 3116 wrote to memory of 1184	3116	.exe	99
PID 3116 wrote to memory of 1184	3116	.exe	99
PID 3116 wrote to memory of 1184	3116	.exe	99
PID 1184 wrote to memory of 4200	1184	.exe	101
PID 1184 wrote to memory of 4200	1184	.exe	101
PID 1184 wrote to memory of 4200	1184	.exe	101
PID 1184 wrote to memory of 4200	1184	.exe	101
PID 1184 wrote to memory of 4200	1184	.exe	101
PID 1184 wrote to memory of 4200	1184	.exe	101
PID 1184 wrote to memory of 4200	1184	.exe	101
PID 1184 wrote to memory of 4200	1184	.exe	101
PID 1184 wrote to memory of 4200	1184	.exe	101
PID 1184 wrote to memory of 4200	1184	.exe	101

C:\Users\Admin\AppData\Local\Temp\f1c226763ff66c2a5406c8f64c16a73b0adcb952164891a16f075c3f135b1a94.exe
"C:\Users\Admin\AppData\Local\Temp\f1c226763ff66c2a5406c8f64c16a73b0adcb952164891a16f075c3f135b1a94.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4028
- C:\Users\Admin\AppData\Local\Temp\f1c226763ff66c2a5406c8f64c16a73b0adcb952164891a16f075c3f135b1a94.exe
  "C:\Users\Admin\AppData\Local\Temp\f1c226763ff66c2a5406c8f64c16a73b0adcb952164891a16f075c3f135b1a94.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3468
- - C:\Windows\SysWOW64\.exe
    C:\Windows\system32\.exe 1120 "C:\Users\Admin\AppData\Local\Temp\f1c226763ff66c2a5406c8f64c16a73b0adcb952164891a16f075c3f135b1a94.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3420
  - - C:\Windows\SysWOW64\.exe
      "C:\Windows\SysWOW64\.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2504
    - - C:\Windows\SysWOW64\.exe
        
        C:\Windows\system32\.exe 1148 "C:\Windows\SysWOW64\.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4416
      - C:\Windows\SysWOW64\.exe
        
        "C:\Windows\SysWOW64\.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3116
        
        C:\Windows\SysWOW64\.exe
        
        C:\Windows\system32\.exe 1092 "C:\Windows\SysWOW64\.exe"
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1184
        
        C:\Windows\SysWOW64\.exe
        
        "C:\Windows\SysWOW64\.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4200

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\.exe

Filesize
356KB

MD5
22f2e0904bae1e4c047fa3d24ba9549f

SHA1
7156b78f01ecb7ac752ba901b6a094f7f4004886

SHA256
f1c226763ff66c2a5406c8f64c16a73b0adcb952164891a16f075c3f135b1a94

SHA512
e2c172331ac37440db39a4f5ef70391642c6c765580f355442f4ea5a5d2c91f12afb714144ba0e5209122c0b4a9a7b535bb77bb8f9b2ac7d65f28513e58f155c

Download Submit
C:\Windows\SysWOW64\.exe

Filesize
356KB

MD5
22f2e0904bae1e4c047fa3d24ba9549f

SHA1
7156b78f01ecb7ac752ba901b6a094f7f4004886

SHA256
f1c226763ff66c2a5406c8f64c16a73b0adcb952164891a16f075c3f135b1a94

SHA512
e2c172331ac37440db39a4f5ef70391642c6c765580f355442f4ea5a5d2c91f12afb714144ba0e5209122c0b4a9a7b535bb77bb8f9b2ac7d65f28513e58f155c

Download Submit
C:\Windows\SysWOW64\.exe

Filesize
356KB

MD5
22f2e0904bae1e4c047fa3d24ba9549f

SHA1
7156b78f01ecb7ac752ba901b6a094f7f4004886

SHA256
f1c226763ff66c2a5406c8f64c16a73b0adcb952164891a16f075c3f135b1a94

SHA512
e2c172331ac37440db39a4f5ef70391642c6c765580f355442f4ea5a5d2c91f12afb714144ba0e5209122c0b4a9a7b535bb77bb8f9b2ac7d65f28513e58f155c

Download Submit
C:\Windows\SysWOW64\.exe

Filesize
356KB

MD5
22f2e0904bae1e4c047fa3d24ba9549f

SHA1
7156b78f01ecb7ac752ba901b6a094f7f4004886

SHA256
f1c226763ff66c2a5406c8f64c16a73b0adcb952164891a16f075c3f135b1a94

SHA512
e2c172331ac37440db39a4f5ef70391642c6c765580f355442f4ea5a5d2c91f12afb714144ba0e5209122c0b4a9a7b535bb77bb8f9b2ac7d65f28513e58f155c

Download Submit
C:\Windows\SysWOW64\.exe

Filesize
356KB

MD5
22f2e0904bae1e4c047fa3d24ba9549f

SHA1
7156b78f01ecb7ac752ba901b6a094f7f4004886

SHA256
f1c226763ff66c2a5406c8f64c16a73b0adcb952164891a16f075c3f135b1a94

SHA512
e2c172331ac37440db39a4f5ef70391642c6c765580f355442f4ea5a5d2c91f12afb714144ba0e5209122c0b4a9a7b535bb77bb8f9b2ac7d65f28513e58f155c

Download Submit
C:\Windows\SysWOW64\.exe

Filesize
356KB

MD5
22f2e0904bae1e4c047fa3d24ba9549f

SHA1
7156b78f01ecb7ac752ba901b6a094f7f4004886

SHA256
f1c226763ff66c2a5406c8f64c16a73b0adcb952164891a16f075c3f135b1a94

SHA512
e2c172331ac37440db39a4f5ef70391642c6c765580f355442f4ea5a5d2c91f12afb714144ba0e5209122c0b4a9a7b535bb77bb8f9b2ac7d65f28513e58f155c

Download Submit
C:\Windows\SysWOW64\.exe

Filesize
356KB

MD5
22f2e0904bae1e4c047fa3d24ba9549f

SHA1
7156b78f01ecb7ac752ba901b6a094f7f4004886

SHA256
f1c226763ff66c2a5406c8f64c16a73b0adcb952164891a16f075c3f135b1a94

SHA512
e2c172331ac37440db39a4f5ef70391642c6c765580f355442f4ea5a5d2c91f12afb714144ba0e5209122c0b4a9a7b535bb77bb8f9b2ac7d65f28513e58f155c

Download Submit
memory/2504-156-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2504-150-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/3116-162-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/3116-161-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/3468-139-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/3468-151-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/3468-138-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/3468-137-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/3468-135-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4200-172-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4200-173-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download