Analysis
-
max time kernel
141s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20230824-en -
resource tags
arch:x64arch:x86image:win10v2004-20230824-enlocale:en-usos:windows10-2004-x64system -
submitted
26/08/2023, 09:23
Behavioral task
behavioral1
Sample
99f86bcc7003aa875f4a9361e9ce80e55cda8636ba74eee5b5189182543bc92f.exe
Resource
win7-20230712-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
99f86bcc7003aa875f4a9361e9ce80e55cda8636ba74eee5b5189182543bc92f.exe
Resource
win10v2004-20230824-en
windows10-2004-x64
3 signatures
150 seconds
General
-
Target
99f86bcc7003aa875f4a9361e9ce80e55cda8636ba74eee5b5189182543bc92f.exe
-
Size
14KB
-
MD5
296ed392a0cb0ba2e6cffe3ca0a826ba
-
SHA1
bb77a620fc6fbefc5c16c3680f3529d170e9441d
-
SHA256
99f86bcc7003aa875f4a9361e9ce80e55cda8636ba74eee5b5189182543bc92f
-
SHA512
abda5e3a383b4ab37c8c08260fd66a40cf1d41a7335fdf6ad06ba4f30c617446cf9a3faf5b2bfe8a59f760d21060d4831fcf0596fd7746f8a15aaac5b054a0d7
-
SSDEEP
192:pXAI/HH9NCYTnkdlxgLeRii4dZj0KIbrmj090assgAV2aBqj3Q5tf/rHP+tO:Z/HH9gYTnmgLA74dZgAgI39tO
Score
5/10
Malware Config
Signatures
-
Drops file in System32 directory 1 IoCs
description ioc Process File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{AF520E0B-B99D-471F-94CB-7F9BF1C8A232}.catalogItem svchost.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2144 99f86bcc7003aa875f4a9361e9ce80e55cda8636ba74eee5b5189182543bc92f.exe 2144 99f86bcc7003aa875f4a9361e9ce80e55cda8636ba74eee5b5189182543bc92f.exe -
Suspicious use of WriteProcessMemory 52 IoCs
description pid Process procid_target PID 2144 wrote to memory of 696 2144 99f86bcc7003aa875f4a9361e9ce80e55cda8636ba74eee5b5189182543bc92f.exe 1 PID 696 wrote to memory of 2640 696 lsass.exe 46 PID 696 wrote to memory of 4700 696 lsass.exe 84 PID 696 wrote to memory of 4700 696 lsass.exe 84 PID 696 wrote to memory of 4700 696 lsass.exe 84 PID 696 wrote to memory of 4700 696 lsass.exe 84 PID 696 wrote to memory of 4700 696 lsass.exe 84 PID 696 wrote to memory of 4700 696 lsass.exe 84 PID 696 wrote to memory of 4700 696 lsass.exe 84 PID 696 wrote to memory of 4700 696 lsass.exe 84 PID 696 wrote to memory of 4700 696 lsass.exe 84 PID 696 wrote to memory of 4700 696 lsass.exe 84 PID 696 wrote to memory of 4700 696 lsass.exe 84 PID 696 wrote to memory of 1772 696 lsass.exe 17 PID 696 wrote to memory of 1772 696 lsass.exe 17 PID 696 wrote to memory of 1772 696 lsass.exe 17 PID 696 wrote to memory of 1772 696 lsass.exe 17 PID 696 wrote to memory of 1772 696 lsass.exe 17 PID 696 wrote to memory of 1772 696 lsass.exe 17 PID 696 wrote to memory of 1772 696 lsass.exe 17 PID 696 wrote to memory of 1772 696 lsass.exe 17 PID 696 wrote to memory of 1772 696 lsass.exe 17 PID 696 wrote to memory of 1772 696 lsass.exe 17 PID 696 wrote to memory of 1772 696 lsass.exe 17 PID 696 wrote to memory of 3024 696 lsass.exe 28 PID 696 wrote to memory of 3720 696 lsass.exe 15 PID 696 wrote to memory of 3720 696 lsass.exe 15 PID 696 wrote to memory of 3720 696 lsass.exe 15 PID 696 wrote to memory of 3720 696 lsass.exe 15 PID 696 wrote to memory of 3720 696 lsass.exe 15 PID 696 wrote to memory of 3720 696 lsass.exe 15 PID 696 wrote to memory of 3720 696 lsass.exe 15 PID 696 wrote to memory of 3720 696 lsass.exe 15 PID 696 wrote to memory of 3720 696 lsass.exe 15 PID 696 wrote to memory of 3720 696 lsass.exe 15 PID 696 wrote to memory of 3720 696 lsass.exe 15 PID 696 wrote to memory of 2640 696 lsass.exe 46 PID 696 wrote to memory of 2640 696 lsass.exe 46 PID 696 wrote to memory of 2640 696 lsass.exe 46 PID 696 wrote to memory of 2640 696 lsass.exe 46 PID 696 wrote to memory of 2640 696 lsass.exe 46 PID 696 wrote to memory of 2540 696 lsass.exe 49 PID 696 wrote to memory of 2540 696 lsass.exe 49 PID 696 wrote to memory of 2540 696 lsass.exe 49 PID 696 wrote to memory of 2540 696 lsass.exe 49 PID 696 wrote to memory of 2540 696 lsass.exe 49 PID 696 wrote to memory of 2540 696 lsass.exe 49 PID 696 wrote to memory of 2540 696 lsass.exe 49 PID 696 wrote to memory of 2540 696 lsass.exe 49 PID 696 wrote to memory of 2540 696 lsass.exe 49 PID 696 wrote to memory of 2540 696 lsass.exe 49 PID 696 wrote to memory of 2540 696 lsass.exe 49
Processes
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
- Suspicious use of WriteProcessMemory
PID:696
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3720
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵PID:1772
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵PID:3024
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵PID:2640
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵PID:2540
-
C:\Users\Admin\AppData\Local\Temp\99f86bcc7003aa875f4a9361e9ce80e55cda8636ba74eee5b5189182543bc92f.exe"C:\Users\Admin\AppData\Local\Temp\99f86bcc7003aa875f4a9361e9ce80e55cda8636ba74eee5b5189182543bc92f.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2144
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p1⤵
- Drops file in System32 directory
PID:4700