Overview

overview

7

Static

static

3

29aef50c7a...15.exe

windows7-x64

7

29aef50c7a...15.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    0s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-12-2023 05:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    29aef50c7a013e99270130d047aeed15.exe

  • Size

    23KB

  • MD5

    29aef50c7a013e99270130d047aeed15

  • SHA1

    c2aa9911c1cff4bfda04d14dca4f5f295338e7eb

  • SHA256

    e01ba8e88199648c7e2b9636cdc1398a9255296af400ec4c64b5eaf7799345e4

  • SHA512

    4600d068b5c5a312b8710b9f89540398bfce59af16bab72dd2de553775e9ade0491ca269282a89191a011d08dab2821af572eb0fd9d690b2abb875b397123a15

  • SSDEEP

    384:dBVu3GxsR8eDfbTESC+5ia02v4L0zeG52TkPn+Vsg:dBVtc5DyS7Nvi0zyM+p

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Kills process with taskkill 8 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\29aef50c7a013e99270130d047aeed15.exe
    "C:\Users\Admin\AppData\Local\Temp\29aef50c7a013e99270130d047aeed15.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3872
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\29AEF5~1.EXE > nul
      2⤵
        PID:2992
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c taskkill /f /im rfwproxy.exe
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1644
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c taskkill /f /im rfwstub.exe
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1532
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c taskkill /f /im rfwsrv.exe
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3780
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c taskkill /f /im rfwmain.exe
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1112
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im rfwproxy.exe
      1⤵
      • Kills process with taskkill
      PID:4576
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im rfwmain.exe
      1⤵
      • Kills process with taskkill
      PID:4308
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im rfwsrv.exe
      1⤵
      • Kills process with taskkill
      PID:4552
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im rfwstub.exe
      1⤵
      • Kills process with taskkill
      PID:5020
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im rfwstub.exe
      1⤵
      • Kills process with taskkill
      PID:4008
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im rfwsrv.exe
      1⤵
      • Kills process with taskkill
      PID:4352
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im rfwproxy.exe
      1⤵
      • Kills process with taskkill
      PID:3604
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im rfwmain.exe
      1⤵
      • Kills process with taskkill
      PID:4300
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c taskkill /f /im rfwproxy.exe
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1944
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c taskkill /f /im rfwstub.exe
      1⤵
        PID:4944
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c taskkill /f /im rfwsrv.exe
        1⤵
          PID:2832
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c taskkill /f /im rfwmain.exe
          1⤵
            PID:4364
          • C:\Windows\SysWOW64\iswrd.exe
            C:\Windows\SysWOW64\iswrd.exe
            1⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:3920

          Network

          MITRE ATT&CK Matrix

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Windows\SysWOW64\iswrd.exe
            Filesize

            23KB

            MD5

            29aef50c7a013e99270130d047aeed15

            SHA1

            c2aa9911c1cff4bfda04d14dca4f5f295338e7eb

            SHA256

            e01ba8e88199648c7e2b9636cdc1398a9255296af400ec4c64b5eaf7799345e4

            SHA512

            4600d068b5c5a312b8710b9f89540398bfce59af16bab72dd2de553775e9ade0491ca269282a89191a011d08dab2821af572eb0fd9d690b2abb875b397123a15

            Download Submit