Analysis
- max time kernel: 0s
- max time network: 132s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 31/12/2023, 05:17
Static task
- static1: 1 signature

Behavioral task
- behavioral1
  Sample: 29aef50c7a013e99270130d047aeed15.exe
  Resource: win7-20231215-en
  7 signatures, 150 seconds

Behavioral task
- behavioral2
  Sample: 29aef50c7a013e99270130d047aeed15.exe
  Resource: win10v2004-20231215-en
  6 signatures, 150 seconds
General
- Target: 29aef50c7a013e99270130d047aeed15.exe
- Size: 23KB
- MD5: 29aef50c7a013e99270130d047aeed15
- SHA1: c2aa9911c1cff4bfda04d14dca4f5f295338e7eb
- SHA256: e01ba8e88199648c7e2b9636cdc1398a9255296af400ec4c64b5eaf7799345e4
- SHA512: 4600d068b5c5a312b8710b9f89540398bfce59af16bab72dd2de553775e9ade0491ca269282a89191a011d08dab2821af572eb0fd9d690b2abb875b397123a15
- SSDEEP: 384:dBVu3GxsR8eDfbTESC+5ia02v4L0zeG52TkPn+Vsg:dBVtc5DyS7Nvi0zyM+p
- Score: 7/10
Signatures
- Deletes itself (1 IoC)
  pid 2944, process cmd.exe
- Executes dropped EXE (1 IoC)
  pid 2772, process iswrd.exe
- Drops file in System32 directory (2 IoCs)
  File created: C:\Windows\SysWOW64\iswrd.exe, by 29aef50c7a013e99270130d047aeed15.exe
  File opened for modification: C:\Windows\SysWOW64\iswrd.exe, by 29aef50c7a013e99270130d047aeed15.exe
- Kills process with taskkill (8 IoCs)
  pids 2784, 2988, 2796, 2768, 2096, 2856, 2976, 2180, all taskkill.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid 2076, process 29aef50c7a013e99270130d047aeed15.exe
  pid 2076, process 29aef50c7a013e99270130d047aeed15.exe
  pid 2772, process iswrd.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeIncBasePriorityPrivilege, pid 2076, process 29aef50c7a013e99270130d047aeed15.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
- C:\Windows\SysWOW64\taskkill.exe
  Command: taskkill /f /im rfwsrv.exe
  Signatures: Kills process with taskkill
  PID: 2796
- C:\Windows\SysWOW64\taskkill.exe
  Command: taskkill /f /im rfwstub.exe
  Signatures: Kills process with taskkill
  PID: 2768
- C:\Windows\SysWOW64\taskkill.exe
  Command: taskkill /f /im rfwmain.exe
  Signatures: Kills process with taskkill
  PID: 2096
- C:\Windows\SysWOW64\taskkill.exe
  Command: taskkill /f /im rfwproxy.exe
  Signatures: Kills process with taskkill
  PID: 2856
- C:\Windows\SysWOW64\cmd.exe
  Command: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\29AEF5~1.EXE > nul
  Signatures: Deletes itself
  PID: 2944
- C:\Windows\SysWOW64\taskkill.exe
  Command: taskkill /f /im rfwmain.exe
  Signatures: Kills process with taskkill
  PID: 2976
- C:\Windows\SysWOW64\taskkill.exe
  Command: taskkill /f /im rfwsrv.exe
  Signatures: Kills process with taskkill
  PID: 2180
- C:\Windows\SysWOW64\taskkill.exe
  Command: taskkill /f /im rfwstub.exe
  Signatures: Kills process with taskkill
  PID: 2784
- C:\Windows\SysWOW64\taskkill.exe
  Command: taskkill /f /im rfwproxy.exe
  Signatures: Kills process with taskkill
  PID: 2988
- C:\Windows\SysWOW64\cmd.exe
  Command: cmd.exe /c taskkill /f /im rfwproxy.exe
  Signatures: Suspicious use of WriteProcessMemory
  PID: 2920
- C:\Windows\SysWOW64\cmd.exe
  Command: cmd.exe /c taskkill /f /im rfwstub.exe
  Signatures: Suspicious use of WriteProcessMemory
  PID: 2900
- C:\Windows\SysWOW64\cmd.exe
  Command: cmd.exe /c taskkill /f /im rfwsrv.exe
  PID: 2880
- C:\Windows\SysWOW64\cmd.exe
  Command: cmd.exe /c taskkill /f /im rfwmain.exe
  Signatures: Suspicious use of WriteProcessMemory
  PID: 2780
- C:\Windows\SysWOW64\iswrd.exe
  Command: C:\Windows\SysWOW64\iswrd.exe
  Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  PID: 2772
- C:\Windows\SysWOW64\cmd.exe
  Command: cmd.exe /c taskkill /f /im rfwproxy.exe
  Signatures: Suspicious use of WriteProcessMemory
  PID: 1752
- C:\Windows\SysWOW64\cmd.exe
  Command: cmd.exe /c taskkill /f /im rfwstub.exe
  Signatures: Suspicious use of WriteProcessMemory
  PID: 1744
- C:\Windows\SysWOW64\cmd.exe
  Command: cmd.exe /c taskkill /f /im rfwsrv.exe
  Signatures: Suspicious use of WriteProcessMemory
  PID: 2140
- C:\Windows\SysWOW64\cmd.exe
  Command: cmd.exe /c taskkill /f /im rfwmain.exe
  Signatures: Suspicious use of WriteProcessMemory
  PID: 2100
- C:\Users\Admin\AppData\Local\Temp\29aef50c7a013e99270130d047aeed15.exe
  Command: "C:\Users\Admin\AppData\Local\Temp\29aef50c7a013e99270130d047aeed15.exe"
  Signatures: Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  PID: 2076