f7647602b457273d32f07512d6663aed44fe4fb9ba38fbb1027300eab5eacb06

Analysis

max time kernel
196s
max time network
207s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2023, 08:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f7647602b457273d32f07512d6663aed44fe4fb9ba38fbb1027300eab5eacb06.exe
Size

180KB
MD5

702a2c24479e2833ef623c9818b8664f
SHA1

47471b5319b0f62c0a0adff0c4e97a3da04c473b
SHA256

f7647602b457273d32f07512d6663aed44fe4fb9ba38fbb1027300eab5eacb06
SHA512

ffa07be16cf4911c801897fc90517b4c35b5e4c21f771c6005ac40852ae14a3d9ac092e892314103fda82dcf18a6340e00438426f23864345db1b69e60562b2d
SSDEEP

3072:OIFqz2RIy3NGzZSVZ06Cpp5Dhy6khXHOLFj:OQIy3NGzZS86CBAO

Score

1^/10

Malware Config

Signatures

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4472	f7647602b457273d32f07512d6663aed44fe4fb9ba38fbb1027300eab5eacb06.exe
4472	f7647602b457273d32f07512d6663aed44fe4fb9ba38fbb1027300eab5eacb06.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4472 wrote to memory of 4960	4472	f7647602b457273d32f07512d6663aed44fe4fb9ba38fbb1027300eab5eacb06.exe	85
PID 4472 wrote to memory of 4960	4472	f7647602b457273d32f07512d6663aed44fe4fb9ba38fbb1027300eab5eacb06.exe	85
PID 4472 wrote to memory of 4960	4472	f7647602b457273d32f07512d6663aed44fe4fb9ba38fbb1027300eab5eacb06.exe	85
PID 4472 wrote to memory of 1796	4472	f7647602b457273d32f07512d6663aed44fe4fb9ba38fbb1027300eab5eacb06.exe	87
PID 4472 wrote to memory of 1796	4472	f7647602b457273d32f07512d6663aed44fe4fb9ba38fbb1027300eab5eacb06.exe	87
PID 4472 wrote to memory of 1796	4472	f7647602b457273d32f07512d6663aed44fe4fb9ba38fbb1027300eab5eacb06.exe	87
PID 4472 wrote to memory of 5012	4472	f7647602b457273d32f07512d6663aed44fe4fb9ba38fbb1027300eab5eacb06.exe	86
PID 4472 wrote to memory of 5012	4472	f7647602b457273d32f07512d6663aed44fe4fb9ba38fbb1027300eab5eacb06.exe	86
PID 4472 wrote to memory of 5012	4472	f7647602b457273d32f07512d6663aed44fe4fb9ba38fbb1027300eab5eacb06.exe	86
PID 4472 wrote to memory of 952	4472	f7647602b457273d32f07512d6663aed44fe4fb9ba38fbb1027300eab5eacb06.exe	91
PID 4472 wrote to memory of 952	4472	f7647602b457273d32f07512d6663aed44fe4fb9ba38fbb1027300eab5eacb06.exe	91
PID 4472 wrote to memory of 952	4472	f7647602b457273d32f07512d6663aed44fe4fb9ba38fbb1027300eab5eacb06.exe	91
PID 4472 wrote to memory of 3116	4472	f7647602b457273d32f07512d6663aed44fe4fb9ba38fbb1027300eab5eacb06.exe	92
PID 4472 wrote to memory of 3116	4472	f7647602b457273d32f07512d6663aed44fe4fb9ba38fbb1027300eab5eacb06.exe	92
PID 4472 wrote to memory of 3116	4472	f7647602b457273d32f07512d6663aed44fe4fb9ba38fbb1027300eab5eacb06.exe	92

C:\Users\Admin\AppData\Local\Temp\f7647602b457273d32f07512d6663aed44fe4fb9ba38fbb1027300eab5eacb06.exe
"C:\Users\Admin\AppData\Local\Temp\f7647602b457273d32f07512d6663aed44fe4fb9ba38fbb1027300eab5eacb06.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4472
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /a/f/q %windir%\system32\Tes*.sys
  2⤵
  PID:4960
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ren %windir%\system32\TesDrvPt.sys TesDrvPt%random%.sys
  2⤵
  PID:5012
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ren %windir%\system32\TesSafe.sys TesSafe%random%.sys
  2⤵
  PID:1796
- C:\Windows\SysWOW64\cmd.exe
  cmd /c rd /s /q 版本升级
  2⤵
  PID:952
- C:\Windows\SysWOW64\cmd.exe
  cmd /c rd /s /q 版本回退
  2⤵
  PID:3116

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4472-0-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4472-7-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads