71f43e6cc8c5e27683f3195f79109deae7bca72ad36e2fc8f76148d6e42ad8f1

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
03/02/2024, 10:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8c27d8c89e87edc4c6641986c0609773.exe
Size

74KB
MD5

8c27d8c89e87edc4c6641986c0609773
SHA1

4e8af729a8edb689bb0ce44df92ea8989cd275ee
SHA256

71f43e6cc8c5e27683f3195f79109deae7bca72ad36e2fc8f76148d6e42ad8f1
SHA512

5b527315fe22b1df1a8836920d259aa99b4f4e16a2243effb648f5ef81c5ffdffb21eed2daafd4e2ba5aa19fddc734d60dcc09ed0cb1d8133d226fa38bbd27a0
SSDEEP

1536:XtsEMKr3omwwWU9tTNMMEhWWHpIklMkPLFWiEqE9tNZXlMi+gld:XtDb3TQMEhxpI1qLF9EqCDq8T

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 10 IoCs

pid	Process
2160	svcchost.exe
2788	svcchost.exe
2736	svcchost.exe
2520	svcchost.exe
636	svcchost.exe
684	svcchost.exe
572	svcchost.exe
2632	svcchost.exe
2336	svcchost.exe
1644	svcchost.exe

Loads dropped DLL 20 IoCs

pid	Process
1708	8c27d8c89e87edc4c6641986c0609773.exe
1708	8c27d8c89e87edc4c6641986c0609773.exe
2160	svcchost.exe
2160	svcchost.exe
2788	svcchost.exe
2788	svcchost.exe
2736	svcchost.exe
2736	svcchost.exe
2520	svcchost.exe
2520	svcchost.exe
636	svcchost.exe
636	svcchost.exe
684	svcchost.exe
684	svcchost.exe
572	svcchost.exe
572	svcchost.exe
2632	svcchost.exe
2632	svcchost.exe
2336	svcchost.exe
2336	svcchost.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\svcchost.exe	svcchost.exe
File created	C:\Windows\SysWOW64\svcchost.exe	svcchost.exe
File opened for modification	C:\Windows\SysWOW64\svcchost.exe	svcchost.exe
File created	C:\Windows\SysWOW64\svcchost.exe	svcchost.exe
File opened for modification	C:\Windows\SysWOW64\svcchost.exe	svcchost.exe
File created	C:\Windows\SysWOW64\svcchost.exe	svcchost.exe
File created	C:\Windows\SysWOW64\svcchost.exe	svcchost.exe
File opened for modification	C:\Windows\SysWOW64\svcchost.exe	svcchost.exe
File created	C:\Windows\SysWOW64\svcchost.exe	svcchost.exe
File created	C:\Windows\SysWOW64\svcchost.exe	8c27d8c89e87edc4c6641986c0609773.exe
File opened for modification	C:\Windows\SysWOW64\svcchost.exe	8c27d8c89e87edc4c6641986c0609773.exe
File opened for modification	C:\Windows\SysWOW64\svcchost.exe	svcchost.exe
File opened for modification	C:\Windows\SysWOW64\svcchost.exe	svcchost.exe
File created	C:\Windows\SysWOW64\svcchost.exe	svcchost.exe
File opened for modification	C:\Windows\SysWOW64\svcchost.exe	svcchost.exe
File created	C:\Windows\SysWOW64\svcchost.exe	svcchost.exe
File opened for modification	C:\Windows\SysWOW64\svcchost.exe	svcchost.exe
File created	C:\Windows\SysWOW64\svcchost.exe	svcchost.exe
File opened for modification	C:\Windows\SysWOW64\svcchost.exe	svcchost.exe
File created	C:\Windows\SysWOW64\svcchost.exe	svcchost.exe
File opened for modification	C:\Windows\SysWOW64\svcchost.exe	svcchost.exe
File opened for modification	C:\Windows\SysWOW64\svcchost.exe	svcchost.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 2160	1708	8c27d8c89e87edc4c6641986c0609773.exe	28
PID 1708 wrote to memory of 2160	1708	8c27d8c89e87edc4c6641986c0609773.exe	28
PID 1708 wrote to memory of 2160	1708	8c27d8c89e87edc4c6641986c0609773.exe	28
PID 1708 wrote to memory of 2160	1708	8c27d8c89e87edc4c6641986c0609773.exe	28
PID 2160 wrote to memory of 2788	2160	svcchost.exe	29
PID 2160 wrote to memory of 2788	2160	svcchost.exe	29
PID 2160 wrote to memory of 2788	2160	svcchost.exe	29
PID 2160 wrote to memory of 2788	2160	svcchost.exe	29
PID 2788 wrote to memory of 2736	2788	svcchost.exe	30
PID 2788 wrote to memory of 2736	2788	svcchost.exe	30
PID 2788 wrote to memory of 2736	2788	svcchost.exe	30
PID 2788 wrote to memory of 2736	2788	svcchost.exe	30
PID 2736 wrote to memory of 2520	2736	svcchost.exe	33
PID 2736 wrote to memory of 2520	2736	svcchost.exe	33
PID 2736 wrote to memory of 2520	2736	svcchost.exe	33
PID 2736 wrote to memory of 2520	2736	svcchost.exe	33
PID 2520 wrote to memory of 636	2520	svcchost.exe	34
PID 2520 wrote to memory of 636	2520	svcchost.exe	34
PID 2520 wrote to memory of 636	2520	svcchost.exe	34
PID 2520 wrote to memory of 636	2520	svcchost.exe	34
PID 636 wrote to memory of 684	636	svcchost.exe	35
PID 636 wrote to memory of 684	636	svcchost.exe	35
PID 636 wrote to memory of 684	636	svcchost.exe	35
PID 636 wrote to memory of 684	636	svcchost.exe	35
PID 684 wrote to memory of 572	684	svcchost.exe	36
PID 684 wrote to memory of 572	684	svcchost.exe	36
PID 684 wrote to memory of 572	684	svcchost.exe	36
PID 684 wrote to memory of 572	684	svcchost.exe	36
PID 572 wrote to memory of 2632	572	svcchost.exe	37
PID 572 wrote to memory of 2632	572	svcchost.exe	37
PID 572 wrote to memory of 2632	572	svcchost.exe	37
PID 572 wrote to memory of 2632	572	svcchost.exe	37
PID 2632 wrote to memory of 2336	2632	svcchost.exe	38
PID 2632 wrote to memory of 2336	2632	svcchost.exe	38
PID 2632 wrote to memory of 2336	2632	svcchost.exe	38
PID 2632 wrote to memory of 2336	2632	svcchost.exe	38
PID 2336 wrote to memory of 1644	2336	svcchost.exe	39
PID 2336 wrote to memory of 1644	2336	svcchost.exe	39
PID 2336 wrote to memory of 1644	2336	svcchost.exe	39
PID 2336 wrote to memory of 1644	2336	svcchost.exe	39

C:\Users\Admin\AppData\Local\Temp\8c27d8c89e87edc4c6641986c0609773.exe
"C:\Users\Admin\AppData\Local\Temp\8c27d8c89e87edc4c6641986c0609773.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Windows\SysWOW64\svcchost.exe
  C:\Windows\system32\svcchost.exe 524 "C:\Users\Admin\AppData\Local\Temp\8c27d8c89e87edc4c6641986c0609773.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Windows\SysWOW64\svcchost.exe
    C:\Windows\system32\svcchost.exe 504 "C:\Windows\SysWOW64\svcchost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2788
  - - C:\Windows\SysWOW64\svcchost.exe
      C:\Windows\system32\svcchost.exe 512 "C:\Windows\SysWOW64\svcchost.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2736
    - - C:\Windows\SysWOW64\svcchost.exe
        
        C:\Windows\system32\svcchost.exe 532 "C:\Windows\SysWOW64\svcchost.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2520
      - C:\Windows\SysWOW64\svcchost.exe
        
        C:\Windows\system32\svcchost.exe 520 "C:\Windows\SysWOW64\svcchost.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:636
        
        C:\Windows\SysWOW64\svcchost.exe
        
        C:\Windows\system32\svcchost.exe 540 "C:\Windows\SysWOW64\svcchost.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:684
        
        C:\Windows\SysWOW64\svcchost.exe
        
        C:\Windows\system32\svcchost.exe 516 "C:\Windows\SysWOW64\svcchost.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:572
        
        C:\Windows\SysWOW64\svcchost.exe
        
        C:\Windows\system32\svcchost.exe 508 "C:\Windows\SysWOW64\svcchost.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2632
        
        C:\Windows\SysWOW64\svcchost.exe
        
        C:\Windows\system32\svcchost.exe 536 "C:\Windows\SysWOW64\svcchost.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2336
        
        C:\Windows\SysWOW64\svcchost.exe
        
        C:\Windows\system32\svcchost.exe 544 "C:\Windows\SysWOW64\svcchost.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1644

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\svcchost.exe

Filesize
74KB

MD5
8c27d8c89e87edc4c6641986c0609773

SHA1
4e8af729a8edb689bb0ce44df92ea8989cd275ee

SHA256
71f43e6cc8c5e27683f3195f79109deae7bca72ad36e2fc8f76148d6e42ad8f1

SHA512
5b527315fe22b1df1a8836920d259aa99b4f4e16a2243effb648f5ef81c5ffdffb21eed2daafd4e2ba5aa19fddc734d60dcc09ed0cb1d8133d226fa38bbd27a0

Download Submit
memory/572-51-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/636-40-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/636-38-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/684-44-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/684-46-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1644-69-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1644-67-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1708-0-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1708-15-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1708-6-0x0000000002700000-0x000000000277E000-memory.dmp

Filesize
504KB

Download
memory/1708-1-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download
memory/2160-19-0x0000000000790000-0x000000000080E000-memory.dmp

Filesize
504KB

Download
memory/2160-16-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2160-13-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2336-63-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2520-34-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2520-32-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2632-55-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2632-57-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2632-60-0x00000000023F0000-0x000000000246E000-memory.dmp

Filesize
504KB

Download
memory/2736-28-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2788-23-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2788-21-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads