Analysis
-
max time kernel
0s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
resource tags
-
submitted
06/01/2024, 00:21
General
-
Target
44cf4281ecd990bdbfe4a443418ee45e.exe
-
Size
20KB
-
MD5
44cf4281ecd990bdbfe4a443418ee45e
-
SHA1
141065ff641584a2c22abbb4663e654466ee5460
-
SHA256
39c1452e1b81774df4709ace2a464dd98ed1aac7b912279223f222b89763fd92
-
SHA512
3c933e6bea0271ba8f4794b02a07cb412717b6e5ff0fa7f590c5b2ed2738c87ad2491faae1956f097fb3365122ed630e6f56db2693c25529e70e60b12f9bac75
-
SSDEEP
384:qsmVL3GIKe2P12MF7ZGU6RlA66lvV4yqkhaQYIg:qvVjG2ZU5lN4yFaLH
Score
7/10
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
-
Drops file in System32 directory 2 IoCs
-
Kills process with taskkill 17 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 54 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\44cf4281ecd990bdbfe4a443418ee45e.exe"C:\Users\Admin\AppData\Local\Temp\44cf4281ecd990bdbfe4a443418ee45e.exe"1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\44CF42~1.EXE > nul2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im rfwproxy.exe2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im rfwstub.exe2⤵
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im rfwsrv.exe2⤵
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im rfwmain.exe2⤵
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im 360tray.exe2⤵
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im 360tray.exe1⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im rfwmain.exe1⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im rfwproxy.exe1⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im rfwproxy.exe1⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im rfwstub.exe1⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im rfwsrv.exe1⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im 360tray.exe1⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im 360tray.exe1⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im rfwsrv.exe1⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im 360tray.exe1⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im rfwstub.exe1⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im rfwmain.exe1⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im rfwproxy.exe1⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im rfwstub.exe1⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im rfwsrv.exe1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im rfwmain.exe1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im 360tray.exe1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\tago.exeC:\Windows\SysWOW64\tago.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im 360tray.exe2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im 360tray.exe2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im 360tray.exe2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im 360tray.exe2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im 360tray.exe2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im 360tray.exe2⤵
-
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe 3905895f591409d6a11d52b3cd9a788e QxvjAC1GY0q32RgPEpoTig.0.1.0.0.01⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im 360tray.exe1⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im 360tray.exe1⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im 360tray.exe1⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im 360tray.exe1⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im 360tray.exe1⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im 360tray.exe1⤵
- Kills process with taskkill
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
20KB
MD544cf4281ecd990bdbfe4a443418ee45e
SHA1141065ff641584a2c22abbb4663e654466ee5460
SHA25639c1452e1b81774df4709ace2a464dd98ed1aac7b912279223f222b89763fd92
SHA5123c933e6bea0271ba8f4794b02a07cb412717b6e5ff0fa7f590c5b2ed2738c87ad2491faae1956f097fb3365122ed630e6f56db2693c25529e70e60b12f9bac75