fa750c9d360ca846ca01b8d4be5a2fcef44821e9adcef17d70cd4ba7c01fa937 | Triage

Analysis

max time kernel
148s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29-12-2023 22:36

Sharing

Report Analysis Logs

General

Target

05cc0a7fe7b2825d08ad1b80ae31c7d9.exe
Size

228KB
MD5

05cc0a7fe7b2825d08ad1b80ae31c7d9
SHA1

978bf5cb3d2db2b8ce985d818f01632ada8d8a21
SHA256

fa750c9d360ca846ca01b8d4be5a2fcef44821e9adcef17d70cd4ba7c01fa937
SHA512

e309fd335d7bc754960aa67611c26a2fbf0add91a2a198fc9200f3ea6df98082a728ea32eed6a2ff1d59ed8c20da94291deb4fdeeff51a44514e1ce5daddfaf3
SSDEEP

3072:ezltz3sAeBzYApfertC6de8DcmzDXKdgqniBY:+la7pStC6vDcmzTTy

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
860	svchost.exe
3428	svchost.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\NetDebug.exe	05cc0a7fe7b2825d08ad1b80ae31c7d9.exe
File created	C:\Windows\SysWOW64\NetDebug.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\NetDebug.exe	svchost.exe
File created	C:\Windows\SysWOW64\NetDebug.exe	05cc0a7fe7b2825d08ad1b80ae31c7d9.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system\svchost.exe	05cc0a7fe7b2825d08ad1b80ae31c7d9.exe
File opened for modification	C:\Windows\system\svchost.exe	05cc0a7fe7b2825d08ad1b80ae31c7d9.exe
File created	C:\Windows\system\svchost.exe	svchost.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
5044	05cc0a7fe7b2825d08ad1b80ae31c7d9.exe
860	svchost.exe
3428	svchost.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5044 wrote to memory of 860	5044	05cc0a7fe7b2825d08ad1b80ae31c7d9.exe	91
PID 5044 wrote to memory of 860	5044	05cc0a7fe7b2825d08ad1b80ae31c7d9.exe	91
PID 5044 wrote to memory of 860	5044	05cc0a7fe7b2825d08ad1b80ae31c7d9.exe	91
PID 860 wrote to memory of 3428	860	svchost.exe	93
PID 860 wrote to memory of 3428	860	svchost.exe	93
PID 860 wrote to memory of 3428	860	svchost.exe	93

C:\Users\Admin\AppData\Local\Temp\05cc0a7fe7b2825d08ad1b80ae31c7d9.exe
"C:\Users\Admin\AppData\Local\Temp\05cc0a7fe7b2825d08ad1b80ae31c7d9.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5044
- C:\Windows\system\svchost.exe
  C:\Windows\system\svchost.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:860
- - C:\Windows\system\svchost.exe
    C:\Windows\system\svchost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3428

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\svchost.exe

Filesize
228KB

MD5
05cc0a7fe7b2825d08ad1b80ae31c7d9

SHA1
978bf5cb3d2db2b8ce985d818f01632ada8d8a21

SHA256
fa750c9d360ca846ca01b8d4be5a2fcef44821e9adcef17d70cd4ba7c01fa937

SHA512
e309fd335d7bc754960aa67611c26a2fbf0add91a2a198fc9200f3ea6df98082a728ea32eed6a2ff1d59ed8c20da94291deb4fdeeff51a44514e1ce5daddfaf3

Download Submit