71f43e6cc8c5e27683f3195f79109deae7bca72ad36e2fc8f76148d6e42ad8f1

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
03/02/2024, 10:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8c27d8c89e87edc4c6641986c0609773.exe
Size

74KB
MD5

8c27d8c89e87edc4c6641986c0609773
SHA1

4e8af729a8edb689bb0ce44df92ea8989cd275ee
SHA256

71f43e6cc8c5e27683f3195f79109deae7bca72ad36e2fc8f76148d6e42ad8f1
SHA512

5b527315fe22b1df1a8836920d259aa99b4f4e16a2243effb648f5ef81c5ffdffb21eed2daafd4e2ba5aa19fddc734d60dcc09ed0cb1d8133d226fa38bbd27a0
SSDEEP

1536:XtsEMKr3omwwWU9tTNMMEhWWHpIklMkPLFWiEqE9tNZXlMi+gld:XtDb3TQMEhxpI1qLF9EqCDq8T

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 10 IoCs

pid	Process
3384	svcchost.exe
2824	svcchost.exe
3300	svcchost.exe
2148	svcchost.exe
3544	svcchost.exe
3168	svcchost.exe
3536	svcchost.exe
1104	svcchost.exe
2588	svcchost.exe
4752	svcchost.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\svcchost.exe	8c27d8c89e87edc4c6641986c0609773.exe
File created	C:\Windows\SysWOW64\svcchost.exe	svcchost.exe
File created	C:\Windows\SysWOW64\svcchost.exe	svcchost.exe
File created	C:\Windows\SysWOW64\svcchost.exe	svcchost.exe
File created	C:\Windows\SysWOW64\svcchost.exe	svcchost.exe
File created	C:\Windows\SysWOW64\svcchost.exe	svcchost.exe
File opened for modification	C:\Windows\SysWOW64\svcchost.exe	svcchost.exe
File opened for modification	C:\Windows\SysWOW64\svcchost.exe	svcchost.exe
File created	C:\Windows\SysWOW64\svcchost.exe	svcchost.exe
File created	C:\Windows\SysWOW64\svcchost.exe	8c27d8c89e87edc4c6641986c0609773.exe
File opened for modification	C:\Windows\SysWOW64\svcchost.exe	svcchost.exe
File opened for modification	C:\Windows\SysWOW64\svcchost.exe	svcchost.exe
File opened for modification	C:\Windows\SysWOW64\svcchost.exe	svcchost.exe
File opened for modification	C:\Windows\SysWOW64\svcchost.exe	svcchost.exe
File created	C:\Windows\SysWOW64\svcchost.exe	svcchost.exe
File opened for modification	C:\Windows\SysWOW64\svcchost.exe	svcchost.exe
File opened for modification	C:\Windows\SysWOW64\svcchost.exe	svcchost.exe
File created	C:\Windows\SysWOW64\svcchost.exe	svcchost.exe
File opened for modification	C:\Windows\SysWOW64\svcchost.exe	svcchost.exe
File created	C:\Windows\SysWOW64\svcchost.exe	svcchost.exe
File opened for modification	C:\Windows\SysWOW64\svcchost.exe	svcchost.exe
File created	C:\Windows\SysWOW64\svcchost.exe	svcchost.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 404 wrote to memory of 3384	404	8c27d8c89e87edc4c6641986c0609773.exe	88
PID 404 wrote to memory of 3384	404	8c27d8c89e87edc4c6641986c0609773.exe	88
PID 404 wrote to memory of 3384	404	8c27d8c89e87edc4c6641986c0609773.exe	88
PID 3384 wrote to memory of 2824	3384	svcchost.exe	98
PID 3384 wrote to memory of 2824	3384	svcchost.exe	98
PID 3384 wrote to memory of 2824	3384	svcchost.exe	98
PID 2824 wrote to memory of 3300	2824	svcchost.exe	100
PID 2824 wrote to memory of 3300	2824	svcchost.exe	100
PID 2824 wrote to memory of 3300	2824	svcchost.exe	100
PID 3300 wrote to memory of 2148	3300	svcchost.exe	101
PID 3300 wrote to memory of 2148	3300	svcchost.exe	101
PID 3300 wrote to memory of 2148	3300	svcchost.exe	101
PID 2148 wrote to memory of 3544	2148	svcchost.exe	102
PID 2148 wrote to memory of 3544	2148	svcchost.exe	102
PID 2148 wrote to memory of 3544	2148	svcchost.exe	102
PID 3544 wrote to memory of 3168	3544	svcchost.exe	103
PID 3544 wrote to memory of 3168	3544	svcchost.exe	103
PID 3544 wrote to memory of 3168	3544	svcchost.exe	103
PID 3168 wrote to memory of 3536	3168	svcchost.exe	104
PID 3168 wrote to memory of 3536	3168	svcchost.exe	104
PID 3168 wrote to memory of 3536	3168	svcchost.exe	104
PID 3536 wrote to memory of 1104	3536	svcchost.exe	105
PID 3536 wrote to memory of 1104	3536	svcchost.exe	105
PID 3536 wrote to memory of 1104	3536	svcchost.exe	105
PID 1104 wrote to memory of 2588	1104	svcchost.exe	106
PID 1104 wrote to memory of 2588	1104	svcchost.exe	106
PID 1104 wrote to memory of 2588	1104	svcchost.exe	106
PID 2588 wrote to memory of 4752	2588	svcchost.exe	107
PID 2588 wrote to memory of 4752	2588	svcchost.exe	107
PID 2588 wrote to memory of 4752	2588	svcchost.exe	107

C:\Users\Admin\AppData\Local\Temp\8c27d8c89e87edc4c6641986c0609773.exe
"C:\Users\Admin\AppData\Local\Temp\8c27d8c89e87edc4c6641986c0609773.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:404
- C:\Windows\SysWOW64\svcchost.exe
  C:\Windows\system32\svcchost.exe 1164 "C:\Users\Admin\AppData\Local\Temp\8c27d8c89e87edc4c6641986c0609773.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3384
- - C:\Windows\SysWOW64\svcchost.exe
    C:\Windows\system32\svcchost.exe 1124 "C:\Windows\SysWOW64\svcchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2824
  - - C:\Windows\SysWOW64\svcchost.exe
      C:\Windows\system32\svcchost.exe 1092 "C:\Windows\SysWOW64\svcchost.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:3300
    - - C:\Windows\SysWOW64\svcchost.exe
        
        C:\Windows\system32\svcchost.exe 1100 "C:\Windows\SysWOW64\svcchost.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2148
      - C:\Windows\SysWOW64\svcchost.exe
        
        C:\Windows\system32\svcchost.exe 1096 "C:\Windows\SysWOW64\svcchost.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3544
        
        C:\Windows\SysWOW64\svcchost.exe
        
        C:\Windows\system32\svcchost.exe 1104 "C:\Windows\SysWOW64\svcchost.exe"
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3168
        
        C:\Windows\SysWOW64\svcchost.exe
        
        C:\Windows\system32\svcchost.exe 1108 "C:\Windows\SysWOW64\svcchost.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3536
        
        C:\Windows\SysWOW64\svcchost.exe
        
        C:\Windows\system32\svcchost.exe 1116 "C:\Windows\SysWOW64\svcchost.exe"
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1104
        
        C:\Windows\SysWOW64\svcchost.exe
        
        C:\Windows\system32\svcchost.exe 1144 "C:\Windows\SysWOW64\svcchost.exe"
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Windows\SysWOW64\svcchost.exe
        
        C:\Windows\system32\svcchost.exe 1120 "C:\Windows\SysWOW64\svcchost.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4752

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\svcchost.exe

Filesize
74KB

MD5
8c27d8c89e87edc4c6641986c0609773

SHA1
4e8af729a8edb689bb0ce44df92ea8989cd275ee

SHA256
71f43e6cc8c5e27683f3195f79109deae7bca72ad36e2fc8f76148d6e42ad8f1

SHA512
5b527315fe22b1df1a8836920d259aa99b4f4e16a2243effb648f5ef81c5ffdffb21eed2daafd4e2ba5aa19fddc734d60dcc09ed0cb1d8133d226fa38bbd27a0

Download Submit
memory/404-0-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/404-1-0x0000000000480000-0x0000000000484000-memory.dmp

Filesize
16KB

Download
memory/404-8-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/404-9-0x0000000000480000-0x0000000000484000-memory.dmp

Filesize
16KB

Download
memory/1104-34-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2148-20-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2588-38-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2588-36-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2824-12-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2824-14-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3168-26-0x0000000000020000-0x000000000003B000-memory.dmp

Filesize
108KB

Download
memory/3168-25-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3168-28-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3300-17-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3384-10-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3536-31-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3544-23-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4752-41-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads