3fb8304da76e8f7ec18e83fc1c6b62609c4209ef192341c8640c678cdce6cca2

Analysis

max time kernel
76s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29-12-2023 23:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

077fa7813fb9293923b47d6af23b3724.exe
Size

539KB
MD5

077fa7813fb9293923b47d6af23b3724
SHA1

90c9bba41be9c4a312f7bf2ba75d2772f46f84d9
SHA256

3fb8304da76e8f7ec18e83fc1c6b62609c4209ef192341c8640c678cdce6cca2
SHA512

49186ff88ffe8303988ebc4771bd3bf8a26d1818208cab7948a54f1ec2695a25da053520e8cafa85a4f469bd989318b2fcbd46cb330ea92c3efc08c3da6b8225
SSDEEP

12288:3FwM+ImVVgvU1O+eSP9fY6GCecHDC6AL3v:3FwMpmIvU1FeSP9fYV0DC6q3v

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svdhost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svdhost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svdhost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	077fa7813fb9293923b47d6af23b3724.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svdhost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svdhost.exe

Executes dropped EXE 6 IoCs

pid	Process
5016	svdhost.exe
3496	svdhost.exe
3092	svdhost.exe
660	svdhost.exe
2944	svdhost.exe
4352	svdhost.exe

Loads dropped DLL 18 IoCs

pid	Process
5008	077fa7813fb9293923b47d6af23b3724.exe
5008	077fa7813fb9293923b47d6af23b3724.exe
5008	077fa7813fb9293923b47d6af23b3724.exe
5016	svdhost.exe
5016	svdhost.exe
5016	svdhost.exe
3496	svdhost.exe
3496	svdhost.exe
3496	svdhost.exe
3092	svdhost.exe
3092	svdhost.exe
3092	svdhost.exe
660	svdhost.exe
660	svdhost.exe
660	svdhost.exe
2944	svdhost.exe
2944	svdhost.exe
2944	svdhost.exe

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\svdhost.exe	077fa7813fb9293923b47d6af23b3724.exe
File created	C:\Windows\SysWOW64\packet.dll	svdhost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	077fa7813fb9293923b47d6af23b3724.exe
File opened for modification	C:\Windows\SysWOW64\svdhost.exe	svdhost.exe
File created	C:\Windows\SysWOW64\svdhost.exe	svdhost.exe
File created	C:\Windows\SysWOW64\packet.dll	svdhost.exe
File created	C:\Windows\SysWOW64\svdhost.exe	svdhost.exe
File opened for modification	C:\Windows\SysWOW64\svdhost.exe	svdhost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svdhost.exe
File created	C:\Windows\SysWOW64\svdhost.exe	svdhost.exe
File created	C:\Windows\SysWOW64\svdhost.exe	077fa7813fb9293923b47d6af23b3724.exe
File created	C:\Windows\SysWOW64\svdhost.exe	svdhost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svdhost.exe
File opened for modification	C:\Windows\SysWOW64\svdhost.exe	svdhost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svdhost.exe
File opened for modification	C:\Windows\SysWOW64\svdhost.exe	svdhost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svdhost.exe
File created	C:\Windows\SysWOW64\packet.dll	svdhost.exe
File created	C:\Windows\SysWOW64\packet.dll	077fa7813fb9293923b47d6af23b3724.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svdhost.exe
File created	C:\Windows\SysWOW64\packet.dll	svdhost.exe
File created	C:\Windows\SysWOW64\packet.dll	svdhost.exe
File created	C:\Windows\SysWOW64\svdhost.exe	svdhost.exe
File opened for modification	C:\Windows\SysWOW64\svdhost.exe	svdhost.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 5008 wrote to memory of 5016	5008	077fa7813fb9293923b47d6af23b3724.exe	19
PID 5008 wrote to memory of 5016	5008	077fa7813fb9293923b47d6af23b3724.exe	19
PID 5008 wrote to memory of 5016	5008	077fa7813fb9293923b47d6af23b3724.exe	19
PID 5016 wrote to memory of 3496	5016	svdhost.exe	100
PID 5016 wrote to memory of 3496	5016	svdhost.exe	100
PID 5016 wrote to memory of 3496	5016	svdhost.exe	100
PID 3496 wrote to memory of 3092	3496	svdhost.exe	102
PID 3496 wrote to memory of 3092	3496	svdhost.exe	102
PID 3496 wrote to memory of 3092	3496	svdhost.exe	102
PID 3092 wrote to memory of 660	3092	svdhost.exe	105
PID 3092 wrote to memory of 660	3092	svdhost.exe	105
PID 3092 wrote to memory of 660	3092	svdhost.exe	105
PID 660 wrote to memory of 2944	660	svdhost.exe	106
PID 660 wrote to memory of 2944	660	svdhost.exe	106
PID 660 wrote to memory of 2944	660	svdhost.exe	106
PID 2944 wrote to memory of 4352	2944	svdhost.exe	108
PID 2944 wrote to memory of 4352	2944	svdhost.exe	108
PID 2944 wrote to memory of 4352	2944	svdhost.exe	108

C:\Users\Admin\AppData\Local\Temp\077fa7813fb9293923b47d6af23b3724.exe
"C:\Users\Admin\AppData\Local\Temp\077fa7813fb9293923b47d6af23b3724.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5008
- C:\Windows\SysWOW64\svdhost.exe
  C:\Windows\system32\svdhost.exe 1180 "C:\Users\Admin\AppData\Local\Temp\077fa7813fb9293923b47d6af23b3724.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:5016
- - C:\Windows\SysWOW64\svdhost.exe
    C:\Windows\system32\svdhost.exe 924 "C:\Windows\SysWOW64\svdhost.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:3496
  - - C:\Windows\SysWOW64\svdhost.exe
      C:\Windows\system32\svdhost.exe 1152 "C:\Windows\SysWOW64\svdhost.exe"
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:3092
    - - C:\Windows\SysWOW64\svdhost.exe
        
        C:\Windows\system32\svdhost.exe 1148 "C:\Windows\SysWOW64\svdhost.exe"
        5⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:660
      - C:\Windows\SysWOW64\svdhost.exe
        
        C:\Windows\system32\svdhost.exe 1144 "C:\Windows\SysWOW64\svdhost.exe"
        6⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\SysWOW64\svdhost.exe
        
        C:\Windows\system32\svdhost.exe 1160 "C:\Windows\SysWOW64\svdhost.exe"
        7⤵
        Executes dropped EXE
        
        PID:4352
        
        C:\Windows\SysWOW64\svdhost.exe
        
        C:\Windows\system32\svdhost.exe 1156 "C:\Windows\SysWOW64\svdhost.exe"
        8⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\svdhost.exe
        
        C:\Windows\system32\svdhost.exe 1176 "C:\Windows\SysWOW64\svdhost.exe"
        9⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\svdhost.exe
        
        C:\Windows\system32\svdhost.exe 1116 "C:\Windows\SysWOW64\svdhost.exe"
        10⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\svdhost.exe
        
        C:\Windows\system32\svdhost.exe 1120 "C:\Windows\SysWOW64\svdhost.exe"
        11⤵
        
        PID:4804

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\packet.dll

Filesize
86KB

MD5
3eb0beb8e318646104362537570fc6bc

SHA1
3cb48ea9073fcca5835adad307e14ebf0cfe7279

SHA256
ab3f8c80b85aae70f89c8e7919d7dd147c2bc3ec68769e0bdb05fcc4083e3643

SHA512
db5fd16749641de6282d36af7b1921f908850ece3429ffe5ad33d990431bf4990f0314d28af082394af1f4d66516d9d89806a38e2801c34b4dd1ccb69bfafe47

Download Submit
C:\Windows\SysWOW64\packet.dll

Filesize
46KB

MD5
55604efa6ad55c5c4d26f25bf22e41a5

SHA1
04878e516f142def9a313334b9ba998e86f48845

SHA256
c19179b7e43395cdd4e404d4b0c6367c3abaf513790c8e4dce2078ca3aee4fd7

SHA512
3ec54c20b139ca8897321817f442171c8cb4378989ef537479a73149e5c66082e82f8ef3f6316177b206e91405b8c1ad24e91eed56d12224e79ef3be3d2113ae

Download Submit
C:\Windows\SysWOW64\packet.dll

Filesize
3KB

MD5
fae32d2b0786808a9c1d21cebaf2fbb7

SHA1
4563af3b9036a82b16ad81133f21deca955c7c12

SHA256
9bcdc4cdc6d74353edb243e080f1670eb6a6ad5f607dbe14025e5770ae28b234

SHA512
7d1f6ef92a242d51c9fc0b3b4fad1d9555e9716c268135cb29aa1c5bebeaaf5a235aa000f6c2d3778375128f42bfe939f8d588e212fcd5c7bec0406fa1d63dd5

Download Submit
C:\Windows\SysWOW64\svdhost.exe

Filesize
76KB

MD5
668c6bf7eb72997d3e91ded28d0b5c27

SHA1
cbd6b375554863f7fd3ca2ca7ec4fc8dde723711

SHA256
a97bb62a341845e19bd4dd067a41ab74f7123482ec3128ff22c2e0135efd1780

SHA512
ff04c877594f21295c681da06efa370a05aedf847f04e7b50448b98fc97e5cc4b6d06ef3c7143b13b7af05b21f443b9850075265f8b01097fbd8a7eec754ee63

Download Submit
C:\Windows\SysWOW64\svdhost.exe

Filesize
381KB

MD5
dc1557626692854dd9989d1514f0f937

SHA1
c1b048b624ff1047b26270dfc1e544af9cb15040

SHA256
5de048f09757a2e7833a80a700b23c67ccc85c9d9772e93de98fc34959d67d30

SHA512
b33423098d861503d54f37185d8591379dbe0b58be81884c29821a4457e4381e8c62803748297085a29dac5f60fccf91bae8f6c5c32e94ebf6ff31110e662e51

Download Submit
C:\Windows\SysWOW64\wpcap.dll

Filesize
100KB

MD5
e1389ee198cf5448de2d17548c8d9b2b

SHA1
fbae0d33d6b7144702234ad833955762aba943eb

SHA256
eca3d5e666f3abfb9080a02a9ffc12420c44b23e2003280df21da8de39a947f5

SHA512
5b77b7e6a857035eab35fad3e2916d97f62b8d3943237e22f9f3e81a9ad1683149a1131750f78d1dcb01948f314a0d0a556e58776b20cbd10688b744ca66c941

Download Submit
C:\Windows\SysWOW64\wpcap.dll

Filesize
234KB

MD5
cb0afba4f0fb6ca2b2ea0d2c3e86b588

SHA1
2459367892e012314b451e05de1f1162448a05fa

SHA256
1b0fe60175c88f7cd3f3765b2f0f3eb1530b2e5e5b51f89a83e0322de32bdcf7

SHA512
a4e2d66af68dee67be5883c4770c1339b6be4847a993619389404af6a7ec9763361d9a14c632ca6704f63d84b05483f4bea2ec035b466fdaf03ce68c5cbca128

Download Submit
memory/660-60-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/660-52-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/660-54-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/660-67-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/2944-76-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/2944-68-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/2944-62-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/3092-44-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/3092-42-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/3092-50-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/3092-53-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/3092-59-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/3388-113-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/3388-106-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/3388-99-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/3388-100-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/3496-34-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/3496-38-0x0000000002CD0000-0x0000000002CE5000-memory.dmp

Filesize
84KB

Download
memory/3496-49-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/3496-40-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/3496-43-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/3496-33-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/4000-96-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/4000-87-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/4000-91-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/4000-81-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/4000-79-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/4116-89-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/4116-90-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/4116-97-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/4116-105-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/4352-75-0x0000000002CE0000-0x0000000002CF5000-memory.dmp

Filesize
84KB

Download
memory/4352-71-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/4352-86-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/4352-80-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/4352-77-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/4352-70-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/4804-108-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/5008-1-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/5008-10-0x0000000002E00000-0x0000000002E15000-memory.dmp

Filesize
84KB

Download
memory/5008-30-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/5008-0-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/5016-22-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/5016-31-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/5016-28-0x0000000002CC0000-0x0000000002CD5000-memory.dmp

Filesize
84KB

Download
memory/5016-39-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download