c6e3b3b6d74232268e9f2ee8d9aadc93387b1d5296c030f0a6c0371e7a9012a2

General

Target

6b22b8e2128e58d1a822186cdcd77d8a.exe
Size

166KB
MD5

6b22b8e2128e58d1a822186cdcd77d8a
SHA1

40c05efd925c39d150ab1cae0a4914ec6f3d5f5d
SHA256

c6e3b3b6d74232268e9f2ee8d9aadc93387b1d5296c030f0a6c0371e7a9012a2
SHA512

aed5a47f643e0db26ac2cb8af06bef32e16a34746b1242fdd4f6a29c5913be6b3cd8b60a9421afd6624613789ece06b39cae6c1987ebd8a1529cd1e21446f9b5
SSDEEP

3072:fESYsl7/rY841j4e0QtFwAZO8i3w552WsmsvUjzH/eN6Nj0s+U21:fE6V/20eFtiAZMG2WsKf/eMNj0s+U4

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2832	systemexec.exe
2672	systemexec.exe
2496	systemexec.exe

Loads dropped DLL 5 IoCs

pid	Process
400	6b22b8e2128e58d1a822186cdcd77d8a.exe
400	6b22b8e2128e58d1a822186cdcd77d8a.exe
2832	systemexec.exe
2672	systemexec.exe
2672	systemexec.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\systemexec.exe	6b22b8e2128e58d1a822186cdcd77d8a.exe
File opened for modification	C:\Windows\SysWOW64\systemexec.exe	systemexec.exe
File created	C:\Windows\SysWOW64\systemexec.exe	systemexec.exe
File created	C:\Windows\SysWOW64\systemexec.exe	6b22b8e2128e58d1a822186cdcd77d8a.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
2988	6b22b8e2128e58d1a822186cdcd77d8a.exe
2832	systemexec.exe
2496	systemexec.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2988 set thread context of 400	2988	6b22b8e2128e58d1a822186cdcd77d8a.exe	18
PID 2832 set thread context of 2672	2832	systemexec.exe	16

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2988 wrote to memory of 400	2988	6b22b8e2128e58d1a822186cdcd77d8a.exe	18
PID 2988 wrote to memory of 400	2988	6b22b8e2128e58d1a822186cdcd77d8a.exe	18
PID 2988 wrote to memory of 400	2988	6b22b8e2128e58d1a822186cdcd77d8a.exe	18
PID 2988 wrote to memory of 400	2988	6b22b8e2128e58d1a822186cdcd77d8a.exe	18
PID 2988 wrote to memory of 400	2988	6b22b8e2128e58d1a822186cdcd77d8a.exe	18
PID 2988 wrote to memory of 400	2988	6b22b8e2128e58d1a822186cdcd77d8a.exe	18
PID 400 wrote to memory of 2832	400	6b22b8e2128e58d1a822186cdcd77d8a.exe	17
PID 400 wrote to memory of 2832	400	6b22b8e2128e58d1a822186cdcd77d8a.exe	17
PID 400 wrote to memory of 2832	400	6b22b8e2128e58d1a822186cdcd77d8a.exe	17
PID 400 wrote to memory of 2832	400	6b22b8e2128e58d1a822186cdcd77d8a.exe	17
PID 2832 wrote to memory of 2672	2832	systemexec.exe	16
PID 2832 wrote to memory of 2672	2832	systemexec.exe	16
PID 2832 wrote to memory of 2672	2832	systemexec.exe	16
PID 2832 wrote to memory of 2672	2832	systemexec.exe	16
PID 2832 wrote to memory of 2672	2832	systemexec.exe	16
PID 2832 wrote to memory of 2672	2832	systemexec.exe	16
PID 2672 wrote to memory of 2496	2672	systemexec.exe	31
PID 2672 wrote to memory of 2496	2672	systemexec.exe	31
PID 2672 wrote to memory of 2496	2672	systemexec.exe	31
PID 2672 wrote to memory of 2496	2672	systemexec.exe	31

C:\Windows\SysWOW64\systemexec.exe
C:\Windows\SysWOW64\systemexec.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Windows\SysWOW64\systemexec.exe
  C:\Windows\system32\systemexec.exe 524 "C:\Windows\SysWOW64\systemexec.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:2496

C:\Windows\SysWOW64\systemexec.exe
C:\Windows\system32\systemexec.exe 496 "C:\Users\Admin\AppData\Local\Temp\6b22b8e2128e58d1a822186cdcd77d8a.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2832

C:\Users\Admin\AppData\Local\Temp\6b22b8e2128e58d1a822186cdcd77d8a.exe
C:\Users\Admin\AppData\Local\Temp\6b22b8e2128e58d1a822186cdcd77d8a.exe
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:400

C:\Users\Admin\AppData\Local\Temp\6b22b8e2128e58d1a822186cdcd77d8a.exe
"C:\Users\Admin\AppData\Local\Temp\6b22b8e2128e58d1a822186cdcd77d8a.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2988

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\systemexec.exe

Filesize
166KB

MD5
6b22b8e2128e58d1a822186cdcd77d8a

SHA1
40c05efd925c39d150ab1cae0a4914ec6f3d5f5d

SHA256
c6e3b3b6d74232268e9f2ee8d9aadc93387b1d5296c030f0a6c0371e7a9012a2

SHA512
aed5a47f643e0db26ac2cb8af06bef32e16a34746b1242fdd4f6a29c5913be6b3cd8b60a9421afd6624613789ece06b39cae6c1987ebd8a1529cd1e21446f9b5

Download Submit
memory/400-4-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/400-6-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/400-1-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/400-35-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/400-17-0x00000000003D0000-0x00000000003E8000-memory.dmp

Filesize
96KB

Download
memory/400-11-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/400-10-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/400-9-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/2496-39-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/2672-34-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2672-40-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2832-31-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/2832-25-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/2988-3-0x00000000005C0000-0x00000000005D8000-memory.dmp

Filesize
96KB

Download
memory/2988-7-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/2988-0-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing