7d90e1de880e7a2bec1f793cf1deca14533d0babecd085bdfa4db49bb5e50cb7

Analysis

max time kernel
309s
max time network
333s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
06/12/2022, 21:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7d90e1de880e7a2bec1f793cf1deca14533d0babecd085bdfa4db49bb5e50cb7.exe
Size

460KB
MD5

a2546e26c5bf4dc5c5f3f3e173412618
SHA1

bbe054795a329a9e7bb874cd3714360d75ba7dfe
SHA256

7d90e1de880e7a2bec1f793cf1deca14533d0babecd085bdfa4db49bb5e50cb7
SHA512

95bf0a97ddf141642d46a64ce79a5f599de0147fd8b9a0fc90acdf00dbf983608cd762055a425e85750f061235f6f0919393a05d90e107fe380fbc1fa3640fb0
SSDEEP

12288:gggZ8iH5Pbd3bik6cT0MPJdpY6qVD6G8Jsyq0Sy22qw4Ea3Ygsfn7nRa:++4tbipCFS6qVD6GEsyqJ14a3+n9a

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1156	waazy.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1156	waazy.exe
1156	waazy.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2120 wrote to memory of 1156	2120	7d90e1de880e7a2bec1f793cf1deca14533d0babecd085bdfa4db49bb5e50cb7.exe	82
PID 2120 wrote to memory of 1156	2120	7d90e1de880e7a2bec1f793cf1deca14533d0babecd085bdfa4db49bb5e50cb7.exe	82
PID 2120 wrote to memory of 1156	2120	7d90e1de880e7a2bec1f793cf1deca14533d0babecd085bdfa4db49bb5e50cb7.exe	82
PID 1156 wrote to memory of 2748	1156	waazy.exe	18
PID 1156 wrote to memory of 2748	1156	waazy.exe	18
PID 1156 wrote to memory of 2748	1156	waazy.exe	18
PID 1156 wrote to memory of 2748	1156	waazy.exe	18
PID 1156 wrote to memory of 2748	1156	waazy.exe	18
PID 1156 wrote to memory of 2772	1156	waazy.exe	46
PID 1156 wrote to memory of 2772	1156	waazy.exe	46
PID 1156 wrote to memory of 2772	1156	waazy.exe	46
PID 1156 wrote to memory of 2772	1156	waazy.exe	46
PID 1156 wrote to memory of 2772	1156	waazy.exe	46
PID 1156 wrote to memory of 2832	1156	waazy.exe	45
PID 1156 wrote to memory of 2832	1156	waazy.exe	45
PID 1156 wrote to memory of 2832	1156	waazy.exe	45
PID 1156 wrote to memory of 2832	1156	waazy.exe	45
PID 1156 wrote to memory of 2832	1156	waazy.exe	45
PID 1156 wrote to memory of 2420	1156	waazy.exe	43
PID 1156 wrote to memory of 2420	1156	waazy.exe	43
PID 1156 wrote to memory of 2420	1156	waazy.exe	43
PID 1156 wrote to memory of 2420	1156	waazy.exe	43
PID 1156 wrote to memory of 2420	1156	waazy.exe	43
PID 1156 wrote to memory of 2816	1156	waazy.exe	42
PID 1156 wrote to memory of 2816	1156	waazy.exe	42
PID 1156 wrote to memory of 2816	1156	waazy.exe	42
PID 1156 wrote to memory of 2816	1156	waazy.exe	42
PID 1156 wrote to memory of 2816	1156	waazy.exe	42
PID 1156 wrote to memory of 3240	1156	waazy.exe	19
PID 1156 wrote to memory of 3240	1156	waazy.exe	19
PID 1156 wrote to memory of 3240	1156	waazy.exe	19
PID 1156 wrote to memory of 3240	1156	waazy.exe	19
PID 1156 wrote to memory of 3240	1156	waazy.exe	19
PID 1156 wrote to memory of 3340	1156	waazy.exe	41
PID 1156 wrote to memory of 3340	1156	waazy.exe	41
PID 1156 wrote to memory of 3340	1156	waazy.exe	41
PID 1156 wrote to memory of 3340	1156	waazy.exe	41
PID 1156 wrote to memory of 3340	1156	waazy.exe	41
PID 1156 wrote to memory of 3404	1156	waazy.exe	20
PID 1156 wrote to memory of 3404	1156	waazy.exe	20
PID 1156 wrote to memory of 3404	1156	waazy.exe	20
PID 1156 wrote to memory of 3404	1156	waazy.exe	20
PID 1156 wrote to memory of 3404	1156	waazy.exe	20
PID 1156 wrote to memory of 3496	1156	waazy.exe	40
PID 1156 wrote to memory of 3496	1156	waazy.exe	40
PID 1156 wrote to memory of 3496	1156	waazy.exe	40
PID 1156 wrote to memory of 3496	1156	waazy.exe	40
PID 1156 wrote to memory of 3496	1156	waazy.exe	40
PID 1156 wrote to memory of 3688	1156	waazy.exe	39
PID 1156 wrote to memory of 3688	1156	waazy.exe	39
PID 1156 wrote to memory of 3688	1156	waazy.exe	39
PID 1156 wrote to memory of 3688	1156	waazy.exe	39
PID 1156 wrote to memory of 3688	1156	waazy.exe	39
PID 1156 wrote to memory of 3124	1156	waazy.exe	24
PID 1156 wrote to memory of 3124	1156	waazy.exe	24
PID 1156 wrote to memory of 3124	1156	waazy.exe	24
PID 1156 wrote to memory of 3124	1156	waazy.exe	24
PID 1156 wrote to memory of 3124	1156	waazy.exe	24
PID 1156 wrote to memory of 2120	1156	waazy.exe	79
PID 1156 wrote to memory of 2120	1156	waazy.exe	79
PID 1156 wrote to memory of 2120	1156	waazy.exe	79
PID 1156 wrote to memory of 2120	1156	waazy.exe	79
PID 1156 wrote to memory of 2120	1156	waazy.exe	79

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2748

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3240

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3404

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3124

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3688

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3496

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:2816

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2420
- C:\Users\Admin\AppData\Local\Temp\7d90e1de880e7a2bec1f793cf1deca14533d0babecd085bdfa4db49bb5e50cb7.exe
  "C:\Users\Admin\AppData\Local\Temp\7d90e1de880e7a2bec1f793cf1deca14533d0babecd085bdfa4db49bb5e50cb7.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2120
- - C:\Users\Admin\AppData\Roaming\Ozbiyq\waazy.exe
    "C:\Users\Admin\AppData\Roaming\Ozbiyq\waazy.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1156

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2832

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2772

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Ozbiyq\waazy.exe

Filesize
460KB

MD5
072e9fa7ea8436fb4e8dade8e850ce50

SHA1
4c19135516da64435e03b8f6908e06503b31f9ce

SHA256
497f06f6bb83b2a20671a57c36f13ca470a40667f7489980e0be5293e8234609

SHA512
6bf1bad0a3685e0b9a4eb804b00ac4c758bc859c52de65751f7e0521a4b780aa0c5e4218e99a6ebedb638c8fe3999f24976fe112bdc7cc84835279e092b9b833

Download Submit
C:\Users\Admin\AppData\Roaming\Ozbiyq\waazy.exe

Filesize
460KB

MD5
072e9fa7ea8436fb4e8dade8e850ce50

SHA1
4c19135516da64435e03b8f6908e06503b31f9ce

SHA256
497f06f6bb83b2a20671a57c36f13ca470a40667f7489980e0be5293e8234609

SHA512
6bf1bad0a3685e0b9a4eb804b00ac4c758bc859c52de65751f7e0521a4b780aa0c5e4218e99a6ebedb638c8fe3999f24976fe112bdc7cc84835279e092b9b833

Download Submit
memory/1156-136-0x0000000000400000-0x0000000000694000-memory.dmp

Filesize
2.6MB

Download
memory/2120-132-0x0000000000400000-0x0000000000694000-memory.dmp

Filesize
2.6MB

Download
memory/2120-137-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2120-138-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2120-139-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2120-140-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2120-141-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2120-142-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2120-143-0x0000000000A40000-0x0000000000A89000-memory.dmp

Filesize
292KB

Download