Analysis
-
max time kernel
150s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
14/02/2024, 16:10
General
-
Target
9c1b470d80b84b8c57b65313a73bc663.exe
-
Size
13KB
-
MD5
9c1b470d80b84b8c57b65313a73bc663
-
SHA1
fd570ac98f8762a0debb24618c3ad499e464a8c1
-
SHA256
6cf45b88f8b3c28eb12b9f16cda62fe1f352bb3ce386768380268879837414bd
-
SHA512
e04d419e414534b7ad3807232362d0b4095d41eafd1ccccad9b4bc7126ff283c5a12eea7688633d0241ef0ccfbfe25e7902d9b99edc6e473216891ec200e0c67
-
SSDEEP
384:di2vDHqsnUTtzT4fZEUOAousYf6Q3ONpF:g2D/otzEfWUOAouh6iq
Score
7/10
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 64 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 64 IoCs
-
Drops file in System32 directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\9c1b470d80b84b8c57b65313a73bc663.exe"C:\Users\Admin\AppData\Local\Temp\9c1b470d80b84b8c57b65313a73bc663.exe"1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\config\svchost.exe"C:\Windows\system32\config\svchost.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\config\svchost.exe"C:\Windows\system32\config\svchost.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\config\svchost.exe"C:\Windows\system32\config\svchost.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\config\svchost.exe"C:\Windows\system32\config\svchost.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\config\svchost.exe"C:\Windows\system32\config\svchost.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\config\svchost.exe"C:\Windows\system32\config\svchost.exe"7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\config\svchost.exe"C:\Windows\system32\config\svchost.exe"8⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\config\svchost.exe"C:\Windows\system32\config\svchost.exe"9⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\config\svchost.exe"C:\Windows\system32\config\svchost.exe"10⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\config\svchost.exe"C:\Windows\system32\config\svchost.exe"11⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\config\svchost.exe"C:\Windows\system32\config\svchost.exe"12⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\config\svchost.exe"C:\Windows\system32\config\svchost.exe"13⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\config\svchost.exe"C:\Windows\system32\config\svchost.exe"14⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\config\svchost.exe"C:\Windows\system32\config\svchost.exe"15⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\config\svchost.exe"C:\Windows\system32\config\svchost.exe"16⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\config\svchost.exe"C:\Windows\system32\config\svchost.exe"17⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\config\svchost.exe"C:\Windows\system32\config\svchost.exe"18⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\config\svchost.exe"C:\Windows\system32\config\svchost.exe"19⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\config\svchost.exe"C:\Windows\system32\config\svchost.exe"20⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\config\svchost.exe"C:\Windows\system32\config\svchost.exe"21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\config\svchost.exe"C:\Windows\system32\config\svchost.exe"22⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\config\svchost.exe"C:\Windows\system32\config\svchost.exe"23⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\config\svchost.exe"C:\Windows\system32\config\svchost.exe"24⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\config\svchost.exe"C:\Windows\system32\config\svchost.exe"25⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\config\svchost.exe"C:\Windows\system32\config\svchost.exe"26⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\config\svchost.exe"C:\Windows\system32\config\svchost.exe"27⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\config\svchost.exe"C:\Windows\system32\config\svchost.exe"28⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\config\svchost.exe"C:\Windows\system32\config\svchost.exe"29⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\config\svchost.exe"C:\Windows\system32\config\svchost.exe"30⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\config\svchost.exe"C:\Windows\system32\config\svchost.exe"31⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\config\svchost.exe"C:\Windows\system32\config\svchost.exe"32⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\config\svchost.exe"C:\Windows\system32\config\svchost.exe"33⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\config\svchost.exe"C:\Windows\system32\config\svchost.exe"34⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\config\svchost.exe"C:\Windows\system32\config\svchost.exe"35⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\config\svchost.exe"C:\Windows\system32\config\svchost.exe"36⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\config\svchost.exe"C:\Windows\system32\config\svchost.exe"37⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\config\svchost.exe"C:\Windows\system32\config\svchost.exe"38⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\config\svchost.exe"C:\Windows\system32\config\svchost.exe"39⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\config\svchost.exe"C:\Windows\system32\config\svchost.exe"40⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\config\svchost.exe"C:\Windows\system32\config\svchost.exe"41⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\config\svchost.exe"C:\Windows\system32\config\svchost.exe"42⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\config\svchost.exe"C:\Windows\system32\config\svchost.exe"43⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\config\svchost.exe"C:\Windows\system32\config\svchost.exe"44⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\config\svchost.exe"C:\Windows\system32\config\svchost.exe"45⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\config\svchost.exe"C:\Windows\system32\config\svchost.exe"46⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\config\svchost.exe"C:\Windows\system32\config\svchost.exe"47⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\config\svchost.exe"C:\Windows\system32\config\svchost.exe"48⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\config\svchost.exe"C:\Windows\system32\config\svchost.exe"49⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\config\svchost.exe"C:\Windows\system32\config\svchost.exe"50⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\config\svchost.exe"C:\Windows\system32\config\svchost.exe"51⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\config\svchost.exe"C:\Windows\system32\config\svchost.exe"52⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\config\svchost.exe"C:\Windows\system32\config\svchost.exe"53⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\config\svchost.exe"C:\Windows\system32\config\svchost.exe"54⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\config\svchost.exe"C:\Windows\system32\config\svchost.exe"55⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\config\svchost.exe"C:\Windows\system32\config\svchost.exe"56⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\config\svchost.exe"C:\Windows\system32\config\svchost.exe"57⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\config\svchost.exe"C:\Windows\system32\config\svchost.exe"58⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\config\svchost.exe"C:\Windows\system32\config\svchost.exe"59⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\config\svchost.exe"C:\Windows\system32\config\svchost.exe"60⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\config\svchost.exe"C:\Windows\system32\config\svchost.exe"61⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\config\svchost.exe"C:\Windows\system32\config\svchost.exe"62⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\config\svchost.exe"C:\Windows\system32\config\svchost.exe"63⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\config\svchost.exe"C:\Windows\system32\config\svchost.exe"64⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\config\svchost.exe"C:\Windows\system32\config\svchost.exe"65⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\config\svchost.exe"C:\Windows\system32\config\svchost.exe"66⤵
-
C:\Windows\SysWOW64\config\svchost.exe"C:\Windows\system32\config\svchost.exe"67⤵
- Checks computer location settings
- Drops file in System32 directory
-
C:\Windows\SysWOW64\config\svchost.exe"C:\Windows\system32\config\svchost.exe"68⤵
- Checks computer location settings
- Drops file in System32 directory
-
C:\Windows\SysWOW64\config\svchost.exe"C:\Windows\system32\config\svchost.exe"69⤵
- Checks computer location settings
- Drops file in System32 directory
-
C:\Windows\SysWOW64\config\svchost.exe"C:\Windows\system32\config\svchost.exe"70⤵
- Checks computer location settings
- Drops file in System32 directory
-
C:\Windows\SysWOW64\config\svchost.exe"C:\Windows\system32\config\svchost.exe"71⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\config\svchost.exe"C:\Windows\system32\config\svchost.exe"72⤵
-
C:\Windows\SysWOW64\config\svchost.exe"C:\Windows\system32\config\svchost.exe"73⤵
- Checks computer location settings
- Drops file in System32 directory
-
C:\Windows\SysWOW64\config\svchost.exe"C:\Windows\system32\config\svchost.exe"74⤵
- Checks computer location settings
- Drops file in System32 directory
-
C:\Windows\SysWOW64\config\svchost.exe"C:\Windows\system32\config\svchost.exe"75⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\config\svchost.exe"C:\Windows\system32\config\svchost.exe"76⤵
- Checks computer location settings
- Drops file in System32 directory
-
C:\Windows\SysWOW64\config\svchost.exe"C:\Windows\system32\config\svchost.exe"77⤵
- Checks computer location settings
- Drops file in System32 directory
-
C:\Windows\SysWOW64\config\svchost.exe"C:\Windows\system32\config\svchost.exe"78⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\config\svchost.exe"C:\Windows\system32\config\svchost.exe"79⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\config\svchost.exe"C:\Windows\system32\config\svchost.exe"80⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\config\svchost.exe"C:\Windows\system32\config\svchost.exe"81⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\config\svchost.exe"C:\Windows\system32\config\svchost.exe"82⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\config\svchost.exe"C:\Windows\system32\config\svchost.exe"83⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\config\svchost.exe"C:\Windows\system32\config\svchost.exe"84⤵
- Checks computer location settings
- Drops file in System32 directory
-
C:\Windows\SysWOW64\config\svchost.exe"C:\Windows\system32\config\svchost.exe"85⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\config\svchost.exe"C:\Windows\system32\config\svchost.exe"86⤵
- Checks computer location settings
- Drops file in System32 directory
-
C:\Windows\SysWOW64\config\svchost.exe"C:\Windows\system32\config\svchost.exe"87⤵
- Checks computer location settings
- Drops file in System32 directory
-
C:\Windows\SysWOW64\config\svchost.exe"C:\Windows\system32\config\svchost.exe"88⤵
- Checks computer location settings
- Drops file in System32 directory
-
C:\Windows\SysWOW64\config\svchost.exe"C:\Windows\system32\config\svchost.exe"89⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
13KB
MD59c1b470d80b84b8c57b65313a73bc663
SHA1fd570ac98f8762a0debb24618c3ad499e464a8c1
SHA2566cf45b88f8b3c28eb12b9f16cda62fe1f352bb3ce386768380268879837414bd
SHA512e04d419e414534b7ad3807232362d0b4095d41eafd1ccccad9b4bc7126ff283c5a12eea7688633d0241ef0ccfbfe25e7902d9b99edc6e473216891ec200e0c67
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
4KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
256KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
32KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
4KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB