14e4d5e2ac95067c6c63bfbfa86f4420879bfebee3350a6151e15072df36a30c

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 08:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

13344fe0ee12d5811fe3fccffa847738.exe
Size

65KB
MD5

13344fe0ee12d5811fe3fccffa847738
SHA1

492237105f015b185a4c23f726547bdf18292d38
SHA256

14e4d5e2ac95067c6c63bfbfa86f4420879bfebee3350a6151e15072df36a30c
SHA512

2da80a85665150cc4967974649b0fb8e2d16f2c86bce92d8da5d74b01f119419169dbe80cfc84ff28e031dc94c5755ece09a292f357baeb65813bbe4d84b44f1
SSDEEP

1536:h+k22j8aoEmftGkOzpMidSZWzb3mUC3dtrhpc2:h+kxj8YiOz+irb3m33dBhpc2

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\wmiadapi.exe	wmiadapi.exe
File created	C:\Windows\SysWOW64\drivers\wmiadapi.exe	wmiadapi.exe
File opened for modification	C:\Windows\SysWOW64\drivers\wmiadapi.exe	wmiadapi.exe
File created	C:\Windows\SysWOW64\drivers\wmiadapi.exe	wmiadapi.exe
File created	C:\Windows\SysWOW64\drivers\wmiadapi.exe	wmiadapi.exe
File created	C:\Windows\SysWOW64\drivers\wmiadapi.exe	wmiadapi.exe
File opened for modification	C:\Windows\SysWOW64\drivers\wmiadapi.exe	wmiadapi.exe
File created	C:\Windows\SysWOW64\drivers\wmiadapi.exe	wmiadapi.exe
File opened for modification	C:\Windows\SysWOW64\drivers\wmiadapi.exe	wmiadapi.exe
File opened for modification	C:\Windows\SysWOW64\drivers\wmiadapi.exe	wmiadapi.exe
File opened for modification	C:\Windows\SysWOW64\drivers\wmiadapi.exe	wmiadapi.exe
File opened for modification	C:\Windows\SysWOW64\drivers\wmiadapi.exe	wmiadapi.exe
File created	C:\Windows\SysWOW64\drivers\wmiadapi.exe	wmiadapi.exe
File opened for modification	C:\Windows\SysWOW64\drivers\wmiadapi.exe	wmiadapi.exe
File created	C:\Windows\SysWOW64\drivers\wmiadapi.exe	wmiadapi.exe
File created	C:\Windows\SysWOW64\drivers\wmiadapi.exe	13344fe0ee12d5811fe3fccffa847738.exe
File opened for modification	C:\Windows\SysWOW64\drivers\wmiadapi.exe	wmiadapi.exe
File opened for modification	C:\Windows\SysWOW64\drivers\wmiadapi.exe	wmiadapi.exe
File created	C:\Windows\SysWOW64\drivers\wmiadapi.exe	wmiadapi.exe
File created	C:\Windows\SysWOW64\drivers\wmiadapi.exe	wmiadapi.exe
File opened for modification	C:\Windows\SysWOW64\drivers\wmiadapi.exe	13344fe0ee12d5811fe3fccffa847738.exe
File created	C:\Windows\SysWOW64\drivers\wmiadapi.exe	wmiadapi.exe

Deletes itself 1 IoCs

pid	Process
2016	wmiadapi.exe

Executes dropped EXE 10 IoCs

pid	Process
2016	wmiadapi.exe
4148	wmiadapi.exe
940	wmiadapi.exe
1952	wmiadapi.exe
1628	wmiadapi.exe
4840	wmiadapi.exe
3512	wmiadapi.exe
3860	wmiadapi.exe
312	wmiadapi.exe
3288	wmiadapi.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2016	2208	13344fe0ee12d5811fe3fccffa847738.exe	90
PID 2208 wrote to memory of 2016	2208	13344fe0ee12d5811fe3fccffa847738.exe	90
PID 2208 wrote to memory of 2016	2208	13344fe0ee12d5811fe3fccffa847738.exe	90
PID 2016 wrote to memory of 4148	2016	wmiadapi.exe	96
PID 2016 wrote to memory of 4148	2016	wmiadapi.exe	96
PID 2016 wrote to memory of 4148	2016	wmiadapi.exe	96
PID 4148 wrote to memory of 940	4148	wmiadapi.exe	100
PID 4148 wrote to memory of 940	4148	wmiadapi.exe	100
PID 4148 wrote to memory of 940	4148	wmiadapi.exe	100
PID 940 wrote to memory of 1952	940	wmiadapi.exe	104
PID 940 wrote to memory of 1952	940	wmiadapi.exe	104
PID 940 wrote to memory of 1952	940	wmiadapi.exe	104
PID 1952 wrote to memory of 1628	1952	wmiadapi.exe	107
PID 1952 wrote to memory of 1628	1952	wmiadapi.exe	107
PID 1952 wrote to memory of 1628	1952	wmiadapi.exe	107
PID 1628 wrote to memory of 4840	1628	wmiadapi.exe	109
PID 1628 wrote to memory of 4840	1628	wmiadapi.exe	109
PID 1628 wrote to memory of 4840	1628	wmiadapi.exe	109
PID 4840 wrote to memory of 3512	4840	wmiadapi.exe	110
PID 4840 wrote to memory of 3512	4840	wmiadapi.exe	110
PID 4840 wrote to memory of 3512	4840	wmiadapi.exe	110
PID 3512 wrote to memory of 3860	3512	wmiadapi.exe	111
PID 3512 wrote to memory of 3860	3512	wmiadapi.exe	111
PID 3512 wrote to memory of 3860	3512	wmiadapi.exe	111
PID 3860 wrote to memory of 312	3860	wmiadapi.exe	112
PID 3860 wrote to memory of 312	3860	wmiadapi.exe	112
PID 3860 wrote to memory of 312	3860	wmiadapi.exe	112
PID 312 wrote to memory of 3288	312	wmiadapi.exe	113
PID 312 wrote to memory of 3288	312	wmiadapi.exe	113
PID 312 wrote to memory of 3288	312	wmiadapi.exe	113

C:\Users\Admin\AppData\Local\Temp\13344fe0ee12d5811fe3fccffa847738.exe
"C:\Users\Admin\AppData\Local\Temp\13344fe0ee12d5811fe3fccffa847738.exe"
1⤵
- Drops file in Drivers directory
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Windows\SysWOW64\drivers\wmiadapi.exe
  C:\Windows\system32\drivers\wmiadapi.exe 1124 "C:\Users\Admin\AppData\Local\Temp\13344fe0ee12d5811fe3fccffa847738.exe"
  2⤵
  - Drops file in Drivers directory
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\Windows\SysWOW64\drivers\wmiadapi.exe
    C:\Windows\system32\drivers\wmiadapi.exe 1124 "C:\Windows\SysWOW64\drivers\wmiadapi.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4148
  - - C:\Windows\SysWOW64\drivers\wmiadapi.exe
      C:\Windows\system32\drivers\wmiadapi.exe 1124 "C:\Windows\SysWOW64\drivers\wmiadapi.exe"
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:940
    - - C:\Windows\SysWOW64\drivers\wmiadapi.exe
        
        C:\Windows\system32\drivers\wmiadapi.exe 1096 "C:\Windows\SysWOW64\drivers\wmiadapi.exe"
        5⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1952
      - C:\Windows\SysWOW64\drivers\wmiadapi.exe
        
        C:\Windows\system32\drivers\wmiadapi.exe 1096 "C:\Windows\SysWOW64\drivers\wmiadapi.exe"
        6⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Windows\SysWOW64\drivers\wmiadapi.exe
        
        C:\Windows\system32\drivers\wmiadapi.exe 1100 "C:\Windows\SysWOW64\drivers\wmiadapi.exe"
        7⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4840
        
        C:\Windows\SysWOW64\drivers\wmiadapi.exe
        
        C:\Windows\system32\drivers\wmiadapi.exe 1084 "C:\Windows\SysWOW64\drivers\wmiadapi.exe"
        8⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3512
        
        C:\Windows\SysWOW64\drivers\wmiadapi.exe
        
        C:\Windows\system32\drivers\wmiadapi.exe 1084 "C:\Windows\SysWOW64\drivers\wmiadapi.exe"
        9⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3860
        
        C:\Windows\SysWOW64\drivers\wmiadapi.exe
        
        C:\Windows\system32\drivers\wmiadapi.exe 1096 "C:\Windows\SysWOW64\drivers\wmiadapi.exe"
        10⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:312
        
        C:\Windows\SysWOW64\drivers\wmiadapi.exe
        
        C:\Windows\system32\drivers\wmiadapi.exe 1096 "C:\Windows\SysWOW64\drivers\wmiadapi.exe"
        11⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:3288

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\drivers\wmiadapi.exe

Filesize
65KB

MD5
13344fe0ee12d5811fe3fccffa847738

SHA1
492237105f015b185a4c23f726547bdf18292d38

SHA256
14e4d5e2ac95067c6c63bfbfa86f4420879bfebee3350a6151e15072df36a30c

SHA512
2da80a85665150cc4967974649b0fb8e2d16f2c86bce92d8da5d74b01f119419169dbe80cfc84ff28e031dc94c5755ece09a292f357baeb65813bbe4d84b44f1

Download Submit
memory/312-31-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/940-18-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/940-14-0x00000000005F0000-0x0000000000630000-memory.dmp

Filesize
256KB

Download
memory/1628-23-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/1628-20-0x0000000002220000-0x0000000002230000-memory.dmp

Filesize
64KB

Download
memory/1952-17-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/1952-21-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2016-9-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/2016-12-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2016-8-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2208-10-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2208-0-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2208-1-0x0000000002220000-0x0000000002221000-memory.dmp

Filesize
4KB

Download
memory/3512-27-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/3860-29-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/4148-15-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/4840-25-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads