9e298f797a9272e30316fc14dada452d0c32988708e96974fabaad3bc834fffd

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
17/01/2024, 22:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

63c457f491126c17dcce5cd5105bc660.exe
Size

29KB
MD5

63c457f491126c17dcce5cd5105bc660
SHA1

affbd7c32916a0bf0bb881424b1074dc0c44eb7a
SHA256

9e298f797a9272e30316fc14dada452d0c32988708e96974fabaad3bc834fffd
SHA512

ff2aa41b608f62f161ad41aaad7ea677d6e0b386c7247d64dcdbe4ed1b60523fd75370aec572385ea6f2b50e14b195c141d054ea72294053fdc08678a96b40c0
SSDEEP

768:Ikb9lbBEns+m1v9Nseq+XeYvWMpzroUTtO9h1HQ/:Ikb9lbOnsj1vFqUzvnQ6Eh1

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2776	svhost32.exe

Loads dropped DLL 2 IoCs

pid	Process
2776	svhost32.exe
2776	svhost32.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\dllwm.dll	svhost32.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\svhost32.exe	63c457f491126c17dcce5cd5105bc660.exe
File opened for modification	C:\Program Files\svhost32.exe	63c457f491126c17dcce5cd5105bc660.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5044	63c457f491126c17dcce5cd5105bc660.exe
5044	63c457f491126c17dcce5cd5105bc660.exe
5044	63c457f491126c17dcce5cd5105bc660.exe
5044	63c457f491126c17dcce5cd5105bc660.exe
5044	63c457f491126c17dcce5cd5105bc660.exe
5044	63c457f491126c17dcce5cd5105bc660.exe
5044	63c457f491126c17dcce5cd5105bc660.exe
5044	63c457f491126c17dcce5cd5105bc660.exe
5044	63c457f491126c17dcce5cd5105bc660.exe
5044	63c457f491126c17dcce5cd5105bc660.exe
5044	63c457f491126c17dcce5cd5105bc660.exe
5044	63c457f491126c17dcce5cd5105bc660.exe
5044	63c457f491126c17dcce5cd5105bc660.exe
5044	63c457f491126c17dcce5cd5105bc660.exe
5044	63c457f491126c17dcce5cd5105bc660.exe
5044	63c457f491126c17dcce5cd5105bc660.exe
5044	63c457f491126c17dcce5cd5105bc660.exe
5044	63c457f491126c17dcce5cd5105bc660.exe
5044	63c457f491126c17dcce5cd5105bc660.exe
5044	63c457f491126c17dcce5cd5105bc660.exe
2776	svhost32.exe
2776	svhost32.exe
2776	svhost32.exe
2776	svhost32.exe
2776	svhost32.exe
2776	svhost32.exe
2776	svhost32.exe
2776	svhost32.exe
2776	svhost32.exe
2776	svhost32.exe
2776	svhost32.exe
2776	svhost32.exe
2776	svhost32.exe
2776	svhost32.exe
2776	svhost32.exe
2776	svhost32.exe
2776	svhost32.exe
2776	svhost32.exe
2776	svhost32.exe
2776	svhost32.exe
2776	svhost32.exe
2776	svhost32.exe
2776	svhost32.exe
2776	svhost32.exe
2776	svhost32.exe
2776	svhost32.exe
2776	svhost32.exe
2776	svhost32.exe
2776	svhost32.exe
2776	svhost32.exe
2776	svhost32.exe
2776	svhost32.exe
2776	svhost32.exe
2776	svhost32.exe
2776	svhost32.exe
2776	svhost32.exe
2776	svhost32.exe
2776	svhost32.exe
2776	svhost32.exe
2776	svhost32.exe
2776	svhost32.exe
2776	svhost32.exe
2776	svhost32.exe
2776	svhost32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2776	svhost32.exe
2776	svhost32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5044 wrote to memory of 2776	5044	63c457f491126c17dcce5cd5105bc660.exe	85
PID 5044 wrote to memory of 2776	5044	63c457f491126c17dcce5cd5105bc660.exe	85
PID 5044 wrote to memory of 2776	5044	63c457f491126c17dcce5cd5105bc660.exe	85
PID 5044 wrote to memory of 4616	5044	63c457f491126c17dcce5cd5105bc660.exe	86
PID 5044 wrote to memory of 4616	5044	63c457f491126c17dcce5cd5105bc660.exe	86
PID 5044 wrote to memory of 4616	5044	63c457f491126c17dcce5cd5105bc660.exe	86

C:\Users\Admin\AppData\Local\Temp\63c457f491126c17dcce5cd5105bc660.exe
"C:\Users\Admin\AppData\Local\Temp\63c457f491126c17dcce5cd5105bc660.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5044
- C:\Program Files\svhost32.exe
  "C:\Program Files\svhost32.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2776
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$c684F.tmp.bat
  2⤵
  PID:4616

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\svhost32.exe

Filesize
29KB

MD5
63c457f491126c17dcce5cd5105bc660

SHA1
affbd7c32916a0bf0bb881424b1074dc0c44eb7a

SHA256
9e298f797a9272e30316fc14dada452d0c32988708e96974fabaad3bc834fffd

SHA512
ff2aa41b608f62f161ad41aaad7ea677d6e0b386c7247d64dcdbe4ed1b60523fd75370aec572385ea6f2b50e14b195c141d054ea72294053fdc08678a96b40c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$c684F.tmp.bat

Filesize
233B

MD5
7c936900adbd0dce43a030fcd8d99a25

SHA1
64532111f82391a8dd321dd3c5dbe82868ab513d

SHA256
0010e81d07342d80b3d99f1370301e896e8949ff4fcf5a9db3397287223f8581

SHA512
c55c1f1ef03c49257a7bd5f3d3cca346e69cd72219ca81370f2b55e6650e084b8191b9b46ce2cc51addc3836f9edf378501b88e20e1d93074aeb8c18a5ecbe41

Download Submit
C:\Windows\SysWOW64\dllwm.dll

Filesize
32KB

MD5
cabe2b9ebba497c6ccb89ca1d3f7f08c

SHA1
74664143dd330734178216eba39e1d52d2657100

SHA256
ad2fdab1ff8a36840424884b259b4f1dec35196d99043359e0f89684a547cfb9

SHA512
06f9894bad794f5f8d7a777efdac137aab33f8d23832d0910d887a8eb0e8e27b51b9bfa5af31ee91fb832e88cde8197d9411ba9595ef67dd61019ee77f9a8444

Download Submit
memory/2776-12-0x0000000000590000-0x000000000059E000-memory.dmp

Filesize
56KB

Download
memory/2776-16-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2776-17-0x0000000000590000-0x000000000059E000-memory.dmp

Filesize
56KB

Download
memory/5044-0-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/5044-7-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download