d3af45ecbaf32ade73d19be6fe41f29f9c2555bbff252ef5c947fbabb58df11b

Analysis

max time kernel
148s
max time network
122s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
24/02/2024, 11:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a1c74b76787397db083fba47e8bb0c8b.exe
Size

140KB
MD5

a1c74b76787397db083fba47e8bb0c8b
SHA1

bfe9295328413988e0ff7008811995001ec9a37a
SHA256

d3af45ecbaf32ade73d19be6fe41f29f9c2555bbff252ef5c947fbabb58df11b
SHA512

1a52302992bac6a9e61b06375541a5612341e42cea6f74551a30de9c543f55583746c2bb0e53b691f1c2e580c2c0a5fa662b8dd21496017b0321b31987dc8980
SSDEEP

3072:v6rAy2dKrI+58JrYE5JOsJ8zRXSTE9qSPKs:SMy2dMIm8uE5L84E9qSPKs

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 10 IoCs

pid	Process
2012	sysrv.exe
2692	sysrv.exe
2820	sysrv.exe
2532	sysrv.exe
2812	sysrv.exe
2816	sysrv.exe
1312	sysrv.exe
1408	sysrv.exe
536	sysrv.exe
1660	sysrv.exe

Loads dropped DLL 20 IoCs

pid	Process
2276	a1c74b76787397db083fba47e8bb0c8b.exe
2276	a1c74b76787397db083fba47e8bb0c8b.exe
2012	sysrv.exe
2012	sysrv.exe
2692	sysrv.exe
2692	sysrv.exe
2820	sysrv.exe
2820	sysrv.exe
2532	sysrv.exe
2532	sysrv.exe
2812	sysrv.exe
2812	sysrv.exe
2816	sysrv.exe
2816	sysrv.exe
1312	sysrv.exe
1312	sysrv.exe
1408	sysrv.exe
1408	sysrv.exe
536	sysrv.exe
536	sysrv.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\sysrv.exe	sysrv.exe
File created	C:\Windows\SysWOW64\sysrv.exe	sysrv.exe
File created	C:\Windows\SysWOW64\sysrv.exe	sysrv.exe
File opened for modification	C:\Windows\SysWOW64\sysrv.exe	sysrv.exe
File opened for modification	C:\Windows\SysWOW64\sysrv.exe	sysrv.exe
File opened for modification	C:\Windows\SysWOW64\sysrv.exe	sysrv.exe
File opened for modification	C:\Windows\SysWOW64\sysrv.exe	sysrv.exe
File opened for modification	C:\Windows\SysWOW64\sysrv.exe	sysrv.exe
File opened for modification	C:\Windows\SysWOW64\sysrv.exe	sysrv.exe
File created	C:\Windows\SysWOW64\sysrv.exe	sysrv.exe
File opened for modification	C:\Windows\SysWOW64\sysrv.exe	sysrv.exe
File created	C:\Windows\SysWOW64\sysrv.exe	sysrv.exe
File created	C:\Windows\SysWOW64\sysrv.exe	sysrv.exe
File created	C:\Windows\SysWOW64\sysrv.exe	sysrv.exe
File created	C:\Windows\SysWOW64\sysrv.exe	sysrv.exe
File opened for modification	C:\Windows\SysWOW64\sysrv.exe	a1c74b76787397db083fba47e8bb0c8b.exe
File opened for modification	C:\Windows\SysWOW64\sysrv.exe	sysrv.exe
File opened for modification	C:\Windows\SysWOW64\sysrv.exe	sysrv.exe
File created	C:\Windows\SysWOW64\sysrv.exe	sysrv.exe
File created	C:\Windows\SysWOW64\sysrv.exe	sysrv.exe
File created	C:\Windows\SysWOW64\sysrv.exe	sysrv.exe
File created	C:\Windows\SysWOW64\sysrv.exe	a1c74b76787397db083fba47e8bb0c8b.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 2012	2276	a1c74b76787397db083fba47e8bb0c8b.exe	28
PID 2276 wrote to memory of 2012	2276	a1c74b76787397db083fba47e8bb0c8b.exe	28
PID 2276 wrote to memory of 2012	2276	a1c74b76787397db083fba47e8bb0c8b.exe	28
PID 2276 wrote to memory of 2012	2276	a1c74b76787397db083fba47e8bb0c8b.exe	28
PID 2012 wrote to memory of 2692	2012	sysrv.exe	29
PID 2012 wrote to memory of 2692	2012	sysrv.exe	29
PID 2012 wrote to memory of 2692	2012	sysrv.exe	29
PID 2012 wrote to memory of 2692	2012	sysrv.exe	29
PID 2692 wrote to memory of 2820	2692	sysrv.exe	30
PID 2692 wrote to memory of 2820	2692	sysrv.exe	30
PID 2692 wrote to memory of 2820	2692	sysrv.exe	30
PID 2692 wrote to memory of 2820	2692	sysrv.exe	30
PID 2820 wrote to memory of 2532	2820	sysrv.exe	31
PID 2820 wrote to memory of 2532	2820	sysrv.exe	31
PID 2820 wrote to memory of 2532	2820	sysrv.exe	31
PID 2820 wrote to memory of 2532	2820	sysrv.exe	31
PID 2532 wrote to memory of 2812	2532	sysrv.exe	34
PID 2532 wrote to memory of 2812	2532	sysrv.exe	34
PID 2532 wrote to memory of 2812	2532	sysrv.exe	34
PID 2532 wrote to memory of 2812	2532	sysrv.exe	34
PID 2812 wrote to memory of 2816	2812	sysrv.exe	35
PID 2812 wrote to memory of 2816	2812	sysrv.exe	35
PID 2812 wrote to memory of 2816	2812	sysrv.exe	35
PID 2812 wrote to memory of 2816	2812	sysrv.exe	35
PID 2816 wrote to memory of 1312	2816	sysrv.exe	36
PID 2816 wrote to memory of 1312	2816	sysrv.exe	36
PID 2816 wrote to memory of 1312	2816	sysrv.exe	36
PID 2816 wrote to memory of 1312	2816	sysrv.exe	36
PID 1312 wrote to memory of 1408	1312	sysrv.exe	37
PID 1312 wrote to memory of 1408	1312	sysrv.exe	37
PID 1312 wrote to memory of 1408	1312	sysrv.exe	37
PID 1312 wrote to memory of 1408	1312	sysrv.exe	37
PID 1408 wrote to memory of 536	1408	sysrv.exe	38
PID 1408 wrote to memory of 536	1408	sysrv.exe	38
PID 1408 wrote to memory of 536	1408	sysrv.exe	38
PID 1408 wrote to memory of 536	1408	sysrv.exe	38
PID 536 wrote to memory of 1660	536	sysrv.exe	39
PID 536 wrote to memory of 1660	536	sysrv.exe	39
PID 536 wrote to memory of 1660	536	sysrv.exe	39
PID 536 wrote to memory of 1660	536	sysrv.exe	39

C:\Users\Admin\AppData\Local\Temp\a1c74b76787397db083fba47e8bb0c8b.exe
"C:\Users\Admin\AppData\Local\Temp\a1c74b76787397db083fba47e8bb0c8b.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Windows\SysWOW64\sysrv.exe
  C:\Windows\system32\sysrv.exe 476 "C:\Users\Admin\AppData\Local\Temp\a1c74b76787397db083fba47e8bb0c8b.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\Windows\SysWOW64\sysrv.exe
    C:\Windows\system32\sysrv.exe 528 "C:\Windows\SysWOW64\sysrv.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Windows\SysWOW64\sysrv.exe
      C:\Windows\system32\sysrv.exe 548 "C:\Windows\SysWOW64\sysrv.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2820
    - - C:\Windows\SysWOW64\sysrv.exe
        
        C:\Windows\system32\sysrv.exe 532 "C:\Windows\SysWOW64\sysrv.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2532
      - C:\Windows\SysWOW64\sysrv.exe
        
        C:\Windows\system32\sysrv.exe 536 "C:\Windows\SysWOW64\sysrv.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\Windows\SysWOW64\sysrv.exe
        
        C:\Windows\system32\sysrv.exe 540 "C:\Windows\SysWOW64\sysrv.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\SysWOW64\sysrv.exe
        
        C:\Windows\system32\sysrv.exe 544 "C:\Windows\SysWOW64\sysrv.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1312
        
        C:\Windows\SysWOW64\sysrv.exe
        
        C:\Windows\system32\sysrv.exe 552 "C:\Windows\SysWOW64\sysrv.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1408
        
        C:\Windows\SysWOW64\sysrv.exe
        
        C:\Windows\system32\sysrv.exe 556 "C:\Windows\SysWOW64\sysrv.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:536
        
        C:\Windows\SysWOW64\sysrv.exe
        
        C:\Windows\system32\sysrv.exe 560 "C:\Windows\SysWOW64\sysrv.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1660

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\sysrv.exe

Filesize
140KB

MD5
a1c74b76787397db083fba47e8bb0c8b

SHA1
bfe9295328413988e0ff7008811995001ec9a37a

SHA256
d3af45ecbaf32ade73d19be6fe41f29f9c2555bbff252ef5c947fbabb58df11b

SHA512
1a52302992bac6a9e61b06375541a5612341e42cea6f74551a30de9c543f55583746c2bb0e53b691f1c2e580c2c0a5fa662b8dd21496017b0321b31987dc8980

Download Submit
memory/536-60-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1312-48-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1312-50-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1408-56-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1408-54-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1660-68-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1660-66-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2012-12-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2012-14-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2276-13-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2276-0-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2532-32-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2532-30-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2692-20-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2692-18-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2812-36-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2816-44-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2816-42-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2820-26-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2820-24-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads