Analysis

max time kernel: 199s
max time network: 211s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-02-2023 19:49
Static task: static1

Behavioral task: behavioral1
  Sample: cf1de08c2a552617a6e8591a2bd25c72d597854e9564246a700329aa60b08be7.exe
  Resource: win7-20221111-en

Behavioral task: behavioral2
  Sample: cf1de08c2a552617a6e8591a2bd25c72d597854e9564246a700329aa60b08be7.exe
  Resource: win10v2004-20221111-en
General

Target: cf1de08c2a552617a6e8591a2bd25c72d597854e9564246a700329aa60b08be7.exe
Size: 1.8MB
MD5: 4fae4e3df84f89f77df25ed6e9674940
SHA1: 720372d130c4931506ed0df1ede36dada6803f72
SHA256: cf1de08c2a552617a6e8591a2bd25c72d597854e9564246a700329aa60b08be7
SHA512: 08161380459a529918a94acb6acf9d149ba1e4de0a78f90c4db32cabb54a24114d1902da57dbbe49750e61607af667c8ff851201caf42cde83f2391bca6d2c2a
SSDEEP: 49152:diszHX1u6cLxfOEPZldmn0TAI5FWQzt+1wBcv+lRA6ZtrPt9gsjGvlaQz:EszHXM6c1dmsAIiQzt+1wmv+lRAorPLq
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
Processes:
  PID 5084  wwlib.exe
  PID 2056  WINWORD.exe

Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  PID 5084  wwlib.exe

Suspicious use of WriteProcessMemory (5 IoCs)
Processes (description / pid / process / target process):
  PID 2196 wrote to memory of 5084 / 2196 / cf1de08c2a552617a6e8591a2bd25c72d597854e9564246a700329aa60b08be7.exe / wwlib.exe
  PID 2196 wrote to memory of 5084 / 2196 / cf1de08c2a552617a6e8591a2bd25c72d597854e9564246a700329aa60b08be7.exe / wwlib.exe
  PID 2196 wrote to memory of 5084 / 2196 / cf1de08c2a552617a6e8591a2bd25c72d597854e9564246a700329aa60b08be7.exe / wwlib.exe
  PID 2196 wrote to memory of 2056 / 2196 / cf1de08c2a552617a6e8591a2bd25c72d597854e9564246a700329aa60b08be7.exe / WINWORD.exe
  PID 2196 wrote to memory of 2056 / 2196 / cf1de08c2a552617a6e8591a2bd25c72d597854e9564246a700329aa60b08be7.exe / WINWORD.exe
Processes (process tree)

"C:\Users\Admin\AppData\Local\Temp\cf1de08c2a552617a6e8591a2bd25c72d597854e9564246a700329aa60b08be7.exe"
  - Suspicious use of WriteProcessMemory
    C:\ProgramData\test2\wwlib.exe
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
    C:\ProgramData\test2\WINWORD.exe
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix
Downloads

C:\ProgramData\test2\WINWORD.exe
  Filesize: 142KB
  MD5: 4ff52e75438413467ddd272199e70366
  SHA1: b4f53f04321031ea927dbd4c52acaf3e5fc01b77
  SHA256: c756d4795d2a54189bc62af7df05dea22edf9c7e113550bac5e75cfdf4481306
  SHA512: 789040e729aae68d0d9ef42918c9b0d289b80a5942d766b40f3b4a6afd48896cc3dbc69b315aaf3419ec9c252212bac38596b66e3908377f7cf754d77cfd19fb
C:\ProgramData\test2\wwlib.exe
  Filesize: 1.6MB
  MD5: 0c506cd4887583473cce3bb72614aa64
  SHA1: 7af74582a2b916855a5c6b49f32c9449dd06a614
  SHA256: beb1eda4c7c0ee27f1a17c8a4faae3dba515a45f6b4ef3b63079cc2de77b7112
  SHA512: 3368ac6c7caded66e0a0d6f7e2b163b2e83801108b15bcbadf641031dbdd4a7c304a890ce504d02afb1b02fd5d80fce7f4d5c0279819714ad439fdef66dbeaa7
memory/2056-135-0x0000000000000000-mapping.dmp

memory/2056-138-0x0000000000830000-0x000000000085A000-memory.dmp
  Filesize: 168KB

memory/2056-139-0x00007FFA12860000-0x00007FFA13321000-memory.dmp
  Filesize: 10.8MB

memory/2056-140-0x00007FFA12860000-0x00007FFA13321000-memory.dmp
  Filesize: 10.8MB

memory/5084-132-0x0000000000000000-mapping.dmp