34e1162151589c11d175412c8d84666b781a66f4b9690b71574348824df5a18b

Analysis

max time kernel
137s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
13-01-2024 03:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

57cf9f8f973ff9ef8b722b45b8c60db2.exe
Size

76KB
MD5

57cf9f8f973ff9ef8b722b45b8c60db2
SHA1

0dd593a2bcd25127ed3600ab3b8bf5d2aa36b971
SHA256

34e1162151589c11d175412c8d84666b781a66f4b9690b71574348824df5a18b
SHA512

44a089f2c5a59774306415ba8db98669c00dd777a54ea0a94053d0b32326f221e6a65bea53b5c78400e0e8477c30fe382256d4e6c3901e750284f2f55e2f282c
SSDEEP

1536:IZTRuvQhDQnx15j6x+MTVqc+8f/NntAcqRSEaWEBL/:IRYvQhkv5VMTVq78NntLEaWEZ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 10 IoCs

pid	Process
1884	DllServ.exe
3436	DllServ.exe
1052	DllServ.exe
3432	DllServ.exe
4000	DllServ.exe
1160	DllServ.exe
2196	DllServ.exe
3188	DllServ.exe
5096	DllServ.exe
4596	DllServ.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\DllServ.exe	DllServ.exe
File opened for modification	C:\Windows\SysWOW64\DllServ.exe	DllServ.exe
File opened for modification	C:\Windows\SysWOW64\DllServ.exe	57cf9f8f973ff9ef8b722b45b8c60db2.exe
File opened for modification	C:\Windows\SysWOW64\DllServ.exe	DllServ.exe
File opened for modification	C:\Windows\SysWOW64\DllServ.exe	DllServ.exe
File opened for modification	C:\Windows\SysWOW64\DllServ.exe	DllServ.exe
File created	C:\Windows\SysWOW64\DllServ.exe	DllServ.exe
File opened for modification	C:\Windows\SysWOW64\DllServ.exe	DllServ.exe
File created	C:\Windows\SysWOW64\DllServ.exe	DllServ.exe
File created	C:\Windows\SysWOW64\DllServ.exe	57cf9f8f973ff9ef8b722b45b8c60db2.exe
File created	C:\Windows\SysWOW64\DllServ.exe	DllServ.exe
File opened for modification	C:\Windows\SysWOW64\DllServ.exe	DllServ.exe
File opened for modification	C:\Windows\SysWOW64\DllServ.exe	DllServ.exe
File opened for modification	C:\Windows\SysWOW64\DllServ.exe	DllServ.exe
File created	C:\Windows\SysWOW64\DllServ.exe	DllServ.exe
File created	C:\Windows\SysWOW64\DllServ.exe	DllServ.exe
File opened for modification	C:\Windows\SysWOW64\DllServ.exe	DllServ.exe
File created	C:\Windows\SysWOW64\DllServ.exe	DllServ.exe
File opened for modification	C:\Windows\SysWOW64\DllServ.exe	DllServ.exe
File created	C:\Windows\SysWOW64\DllServ.exe	DllServ.exe
File created	C:\Windows\SysWOW64\DllServ.exe	DllServ.exe
File created	C:\Windows\SysWOW64\DllServ.exe	DllServ.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 4796 wrote to memory of 1884	4796	57cf9f8f973ff9ef8b722b45b8c60db2.exe	89
PID 4796 wrote to memory of 1884	4796	57cf9f8f973ff9ef8b722b45b8c60db2.exe	89
PID 4796 wrote to memory of 1884	4796	57cf9f8f973ff9ef8b722b45b8c60db2.exe	89
PID 1884 wrote to memory of 3436	1884	DllServ.exe	100
PID 1884 wrote to memory of 3436	1884	DllServ.exe	100
PID 1884 wrote to memory of 3436	1884	DllServ.exe	100
PID 3436 wrote to memory of 1052	3436	DllServ.exe	106
PID 3436 wrote to memory of 1052	3436	DllServ.exe	106
PID 3436 wrote to memory of 1052	3436	DllServ.exe	106
PID 1052 wrote to memory of 3432	1052	DllServ.exe	107
PID 1052 wrote to memory of 3432	1052	DllServ.exe	107
PID 1052 wrote to memory of 3432	1052	DllServ.exe	107
PID 3432 wrote to memory of 4000	3432	DllServ.exe	108
PID 3432 wrote to memory of 4000	3432	DllServ.exe	108
PID 3432 wrote to memory of 4000	3432	DllServ.exe	108
PID 4000 wrote to memory of 1160	4000	DllServ.exe	110
PID 4000 wrote to memory of 1160	4000	DllServ.exe	110
PID 4000 wrote to memory of 1160	4000	DllServ.exe	110
PID 1160 wrote to memory of 2196	1160	DllServ.exe	111
PID 1160 wrote to memory of 2196	1160	DllServ.exe	111
PID 1160 wrote to memory of 2196	1160	DllServ.exe	111
PID 2196 wrote to memory of 3188	2196	DllServ.exe	119
PID 2196 wrote to memory of 3188	2196	DllServ.exe	119
PID 2196 wrote to memory of 3188	2196	DllServ.exe	119
PID 3188 wrote to memory of 5096	3188	DllServ.exe	120
PID 3188 wrote to memory of 5096	3188	DllServ.exe	120
PID 3188 wrote to memory of 5096	3188	DllServ.exe	120
PID 5096 wrote to memory of 4596	5096	DllServ.exe	124
PID 5096 wrote to memory of 4596	5096	DllServ.exe	124
PID 5096 wrote to memory of 4596	5096	DllServ.exe	124

C:\Users\Admin\AppData\Local\Temp\57cf9f8f973ff9ef8b722b45b8c60db2.exe
"C:\Users\Admin\AppData\Local\Temp\57cf9f8f973ff9ef8b722b45b8c60db2.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4796
- C:\Windows\SysWOW64\DllServ.exe
  C:\Windows\system32\DllServ.exe 1192 "C:\Users\Admin\AppData\Local\Temp\57cf9f8f973ff9ef8b722b45b8c60db2.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1884
- - C:\Windows\SysWOW64\DllServ.exe
    C:\Windows\system32\DllServ.exe 1152 "C:\Windows\SysWOW64\DllServ.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:3436
  - - C:\Windows\SysWOW64\DllServ.exe
      C:\Windows\system32\DllServ.exe 1108 "C:\Windows\SysWOW64\DllServ.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1052
    - - C:\Windows\SysWOW64\DllServ.exe
        
        C:\Windows\system32\DllServ.exe 1128 "C:\Windows\SysWOW64\DllServ.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3432
      - C:\Windows\SysWOW64\DllServ.exe
        
        C:\Windows\system32\DllServ.exe 1132 "C:\Windows\SysWOW64\DllServ.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4000
        
        C:\Windows\SysWOW64\DllServ.exe
        
        C:\Windows\system32\DllServ.exe 1124 "C:\Windows\SysWOW64\DllServ.exe"
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1160
        
        C:\Windows\SysWOW64\DllServ.exe
        
        C:\Windows\system32\DllServ.exe 1140 "C:\Windows\SysWOW64\DllServ.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Windows\SysWOW64\DllServ.exe
        
        C:\Windows\system32\DllServ.exe 1104 "C:\Windows\SysWOW64\DllServ.exe"
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3188
        
        C:\Windows\SysWOW64\DllServ.exe
        
        C:\Windows\system32\DllServ.exe 1148 "C:\Windows\SysWOW64\DllServ.exe"
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5096
        
        C:\Windows\SysWOW64\DllServ.exe
        
        C:\Windows\system32\DllServ.exe 1144 "C:\Windows\SysWOW64\DllServ.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4596

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\DllServ.exe

Filesize
76KB

MD5
57cf9f8f973ff9ef8b722b45b8c60db2

SHA1
0dd593a2bcd25127ed3600ab3b8bf5d2aa36b971

SHA256
34e1162151589c11d175412c8d84666b781a66f4b9690b71574348824df5a18b

SHA512
44a089f2c5a59774306415ba8db98669c00dd777a54ea0a94053d0b32326f221e6a65bea53b5c78400e0e8477c30fe382256d4e6c3901e750284f2f55e2f282c

Download Submit
memory/1052-13-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1052-17-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1160-26-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1160-22-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1884-11-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1884-7-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2196-29-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2196-25-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3188-32-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3188-28-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3432-16-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3432-20-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3436-14-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3436-10-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4000-19-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4000-23-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4596-34-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4796-8-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4796-0-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5096-31-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5096-35-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads