d3af45ecbaf32ade73d19be6fe41f29f9c2555bbff252ef5c947fbabb58df11b

Analysis

max time kernel
149s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
24/02/2024, 11:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a1c74b76787397db083fba47e8bb0c8b.exe
Size

140KB
MD5

a1c74b76787397db083fba47e8bb0c8b
SHA1

bfe9295328413988e0ff7008811995001ec9a37a
SHA256

d3af45ecbaf32ade73d19be6fe41f29f9c2555bbff252ef5c947fbabb58df11b
SHA512

1a52302992bac6a9e61b06375541a5612341e42cea6f74551a30de9c543f55583746c2bb0e53b691f1c2e580c2c0a5fa662b8dd21496017b0321b31987dc8980
SSDEEP

3072:v6rAy2dKrI+58JrYE5JOsJ8zRXSTE9qSPKs:SMy2dMIm8uE5L84E9qSPKs

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 10 IoCs

pid	Process
4764	sysrv.exe
1904	sysrv.exe
2152	sysrv.exe
4456	sysrv.exe
436	sysrv.exe
116	sysrv.exe
5024	sysrv.exe
3908	sysrv.exe
836	sysrv.exe
1160	sysrv.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\sysrv.exe	sysrv.exe
File opened for modification	C:\Windows\SysWOW64\sysrv.exe	sysrv.exe
File opened for modification	C:\Windows\SysWOW64\sysrv.exe	sysrv.exe
File created	C:\Windows\SysWOW64\sysrv.exe	sysrv.exe
File opened for modification	C:\Windows\SysWOW64\sysrv.exe	sysrv.exe
File created	C:\Windows\SysWOW64\sysrv.exe	sysrv.exe
File created	C:\Windows\SysWOW64\sysrv.exe	sysrv.exe
File opened for modification	C:\Windows\SysWOW64\sysrv.exe	sysrv.exe
File created	C:\Windows\SysWOW64\sysrv.exe	sysrv.exe
File opened for modification	C:\Windows\SysWOW64\sysrv.exe	a1c74b76787397db083fba47e8bb0c8b.exe
File opened for modification	C:\Windows\SysWOW64\sysrv.exe	sysrv.exe
File created	C:\Windows\SysWOW64\sysrv.exe	sysrv.exe
File opened for modification	C:\Windows\SysWOW64\sysrv.exe	sysrv.exe
File created	C:\Windows\SysWOW64\sysrv.exe	sysrv.exe
File created	C:\Windows\SysWOW64\sysrv.exe	sysrv.exe
File opened for modification	C:\Windows\SysWOW64\sysrv.exe	sysrv.exe
File opened for modification	C:\Windows\SysWOW64\sysrv.exe	sysrv.exe
File created	C:\Windows\SysWOW64\sysrv.exe	a1c74b76787397db083fba47e8bb0c8b.exe
File opened for modification	C:\Windows\SysWOW64\sysrv.exe	sysrv.exe
File created	C:\Windows\SysWOW64\sysrv.exe	sysrv.exe
File opened for modification	C:\Windows\SysWOW64\sysrv.exe	sysrv.exe
File created	C:\Windows\SysWOW64\sysrv.exe	sysrv.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1132 wrote to memory of 4764	1132	a1c74b76787397db083fba47e8bb0c8b.exe	88
PID 1132 wrote to memory of 4764	1132	a1c74b76787397db083fba47e8bb0c8b.exe	88
PID 1132 wrote to memory of 4764	1132	a1c74b76787397db083fba47e8bb0c8b.exe	88
PID 4764 wrote to memory of 1904	4764	sysrv.exe	94
PID 4764 wrote to memory of 1904	4764	sysrv.exe	94
PID 4764 wrote to memory of 1904	4764	sysrv.exe	94
PID 1904 wrote to memory of 2152	1904	sysrv.exe	99
PID 1904 wrote to memory of 2152	1904	sysrv.exe	99
PID 1904 wrote to memory of 2152	1904	sysrv.exe	99
PID 2152 wrote to memory of 4456	2152	sysrv.exe	100
PID 2152 wrote to memory of 4456	2152	sysrv.exe	100
PID 2152 wrote to memory of 4456	2152	sysrv.exe	100
PID 4456 wrote to memory of 436	4456	sysrv.exe	101
PID 4456 wrote to memory of 436	4456	sysrv.exe	101
PID 4456 wrote to memory of 436	4456	sysrv.exe	101
PID 436 wrote to memory of 116	436	sysrv.exe	103
PID 436 wrote to memory of 116	436	sysrv.exe	103
PID 436 wrote to memory of 116	436	sysrv.exe	103
PID 116 wrote to memory of 5024	116	sysrv.exe	104
PID 116 wrote to memory of 5024	116	sysrv.exe	104
PID 116 wrote to memory of 5024	116	sysrv.exe	104
PID 5024 wrote to memory of 3908	5024	sysrv.exe	105
PID 5024 wrote to memory of 3908	5024	sysrv.exe	105
PID 5024 wrote to memory of 3908	5024	sysrv.exe	105
PID 3908 wrote to memory of 836	3908	sysrv.exe	106
PID 3908 wrote to memory of 836	3908	sysrv.exe	106
PID 3908 wrote to memory of 836	3908	sysrv.exe	106
PID 836 wrote to memory of 1160	836	sysrv.exe	107
PID 836 wrote to memory of 1160	836	sysrv.exe	107
PID 836 wrote to memory of 1160	836	sysrv.exe	107

C:\Users\Admin\AppData\Local\Temp\a1c74b76787397db083fba47e8bb0c8b.exe
"C:\Users\Admin\AppData\Local\Temp\a1c74b76787397db083fba47e8bb0c8b.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1132
- C:\Windows\SysWOW64\sysrv.exe
  C:\Windows\system32\sysrv.exe 1156 "C:\Users\Admin\AppData\Local\Temp\a1c74b76787397db083fba47e8bb0c8b.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4764
- - C:\Windows\SysWOW64\sysrv.exe
    C:\Windows\system32\sysrv.exe 1148 "C:\Windows\SysWOW64\sysrv.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:1904
  - - C:\Windows\SysWOW64\sysrv.exe
      C:\Windows\system32\sysrv.exe 1120 "C:\Windows\SysWOW64\sysrv.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2152
    - - C:\Windows\SysWOW64\sysrv.exe
        
        C:\Windows\system32\sysrv.exe 1132 "C:\Windows\SysWOW64\sysrv.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4456
      - C:\Windows\SysWOW64\sysrv.exe
        
        C:\Windows\system32\sysrv.exe 1124 "C:\Windows\SysWOW64\sysrv.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:436
        
        C:\Windows\SysWOW64\sysrv.exe
        
        C:\Windows\system32\sysrv.exe 1128 "C:\Windows\SysWOW64\sysrv.exe"
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:116
        
        C:\Windows\SysWOW64\sysrv.exe
        
        C:\Windows\system32\sysrv.exe 1136 "C:\Windows\SysWOW64\sysrv.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5024
        
        C:\Windows\SysWOW64\sysrv.exe
        
        C:\Windows\system32\sysrv.exe 1144 "C:\Windows\SysWOW64\sysrv.exe"
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3908
        
        C:\Windows\SysWOW64\sysrv.exe
        
        C:\Windows\system32\sysrv.exe 1140 "C:\Windows\SysWOW64\sysrv.exe"
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:836
        
        C:\Windows\SysWOW64\sysrv.exe
        
        C:\Windows\system32\sysrv.exe 1160 "C:\Windows\SysWOW64\sysrv.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1160

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\sysrv.exe

Filesize
140KB

MD5
a1c74b76787397db083fba47e8bb0c8b

SHA1
bfe9295328413988e0ff7008811995001ec9a37a

SHA256
d3af45ecbaf32ade73d19be6fe41f29f9c2555bbff252ef5c947fbabb58df11b

SHA512
1a52302992bac6a9e61b06375541a5612341e42cea6f74551a30de9c543f55583746c2bb0e53b691f1c2e580c2c0a5fa662b8dd21496017b0321b31987dc8980

Download Submit
memory/116-29-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/116-27-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/436-25-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/436-23-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/836-41-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/836-39-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1132-8-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1132-0-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1160-43-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1160-45-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1904-13-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1904-11-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2152-17-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2152-15-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/3908-35-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/3908-37-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/4456-21-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/4456-19-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/4764-9-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/4764-7-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/5024-33-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/5024-31-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads