5a53191d8378099c73543f3f2259efcbaa41334a83a3661c55254dc010f20220

Analysis

max time kernel
148s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27-02-2024 21:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa31319b8c8b1c45fc73d75006d997d6.exe
Size

63KB
MD5

aa31319b8c8b1c45fc73d75006d997d6
SHA1

22bff6b3e0ea8ded6fc076296825ca7b7b140320
SHA256

5a53191d8378099c73543f3f2259efcbaa41334a83a3661c55254dc010f20220
SHA512

1cac7b91647bdbb825826724fa97a02e39ae26621751cff087082057c810ddf7b1cf352c9d77099dbe085fe044257cc11849cb23c7383228d21b613eab27f092
SSDEEP

1536:JJuNxBVJE0zOWQQ7zEF9BrtQMiIbT8wIyHSAE:J4xBVJE0/zEF9ZK/mT1yp

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 10 IoCs

pid	Process
3048	ms32.pif
2696	ms32.pif
2392	ms32.pif
2032	ms32.pif
2040	ms32.pif
1372	ms32.pif
2888	ms32.pif
2196	ms32.pif
1788	ms32.pif
2336	ms32.pif

Loads dropped DLL 20 IoCs

pid	Process
2100	aa31319b8c8b1c45fc73d75006d997d6.exe
2100	aa31319b8c8b1c45fc73d75006d997d6.exe
3048	ms32.pif
3048	ms32.pif
2696	ms32.pif
2696	ms32.pif
2392	ms32.pif
2392	ms32.pif
2032	ms32.pif
2032	ms32.pif
2040	ms32.pif
2040	ms32.pif
1372	ms32.pif
1372	ms32.pif
2888	ms32.pif
2888	ms32.pif
2196	ms32.pif
2196	ms32.pif
1788	ms32.pif
1788	ms32.pif

Drops file in System32 directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ms32.pif	aa31319b8c8b1c45fc73d75006d997d6.exe
File opened for modification	C:\Windows\SysWOW64\ms32.pif	ms32.pif
File created	C:\Windows\SysWOW64\ms32.pif	ms32.pif
File created	C:\Windows\SysWOW64\ms32.pif	ms32.pif
File created	C:\Windows\SysWOW64\ms32.pif	aa31319b8c8b1c45fc73d75006d997d6.exe
File opened for modification	C:\Windows\SysWOW64\ms32.pif	ms32.pif
File created	C:\Windows\SysWOW64\ms32.pif	ms32.pif
File created	C:\Windows\SysWOW64\ms32.pif	ms32.pif
File opened for modification	C:\Windows\SysWOW64\ms32.pif	ms32.pif
File created	C:\Windows\SysWOW64\ms32.pif	ms32.pif
File created	C:\Windows\SysWOW64\ms32.pif	ms32.pif
File created	C:\Windows\SysWOW64\ms32.pif	ms32.pif
File opened for modification	C:\Windows\SysWOW64\ms32.pif	ms32.pif
File created	C:\Windows\SysWOW64\ms32.pif	ms32.pif
File opened for modification	C:\Windows\SysWOW64\ms32.pif	ms32.pif
File opened for modification	C:\Windows\SysWOW64\ms32.pif	ms32.pif
File opened for modification	C:\Windows\SysWOW64\ms32.pif	ms32.pif
File created	C:\Windows\SysWOW64\ms32.pif	ms32.pif
File opened for modification	C:\Windows\SysWOW64\ms32.pif	ms32.pif
File opened for modification	C:\Windows\SysWOW64\ms32.pif	ms32.pif
File opened for modification	C:\Windows\SysWOW64\ms32.pif	ms32.pif
File created	C:\Windows\SysWOW64\ms32.pif	ms32.pif

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 3048	2100	aa31319b8c8b1c45fc73d75006d997d6.exe	28
PID 2100 wrote to memory of 3048	2100	aa31319b8c8b1c45fc73d75006d997d6.exe	28
PID 2100 wrote to memory of 3048	2100	aa31319b8c8b1c45fc73d75006d997d6.exe	28
PID 2100 wrote to memory of 3048	2100	aa31319b8c8b1c45fc73d75006d997d6.exe	28
PID 3048 wrote to memory of 2696	3048	ms32.pif	29
PID 3048 wrote to memory of 2696	3048	ms32.pif	29
PID 3048 wrote to memory of 2696	3048	ms32.pif	29
PID 3048 wrote to memory of 2696	3048	ms32.pif	29
PID 2696 wrote to memory of 2392	2696	ms32.pif	30
PID 2696 wrote to memory of 2392	2696	ms32.pif	30
PID 2696 wrote to memory of 2392	2696	ms32.pif	30
PID 2696 wrote to memory of 2392	2696	ms32.pif	30
PID 2392 wrote to memory of 2032	2392	ms32.pif	31
PID 2392 wrote to memory of 2032	2392	ms32.pif	31
PID 2392 wrote to memory of 2032	2392	ms32.pif	31
PID 2392 wrote to memory of 2032	2392	ms32.pif	31
PID 2032 wrote to memory of 2040	2032	ms32.pif	34
PID 2032 wrote to memory of 2040	2032	ms32.pif	34
PID 2032 wrote to memory of 2040	2032	ms32.pif	34
PID 2032 wrote to memory of 2040	2032	ms32.pif	34
PID 2040 wrote to memory of 1372	2040	ms32.pif	35
PID 2040 wrote to memory of 1372	2040	ms32.pif	35
PID 2040 wrote to memory of 1372	2040	ms32.pif	35
PID 2040 wrote to memory of 1372	2040	ms32.pif	35
PID 1372 wrote to memory of 2888	1372	ms32.pif	36
PID 1372 wrote to memory of 2888	1372	ms32.pif	36
PID 1372 wrote to memory of 2888	1372	ms32.pif	36
PID 1372 wrote to memory of 2888	1372	ms32.pif	36
PID 2888 wrote to memory of 2196	2888	ms32.pif	37
PID 2888 wrote to memory of 2196	2888	ms32.pif	37
PID 2888 wrote to memory of 2196	2888	ms32.pif	37
PID 2888 wrote to memory of 2196	2888	ms32.pif	37
PID 2196 wrote to memory of 1788	2196	ms32.pif	38
PID 2196 wrote to memory of 1788	2196	ms32.pif	38
PID 2196 wrote to memory of 1788	2196	ms32.pif	38
PID 2196 wrote to memory of 1788	2196	ms32.pif	38
PID 1788 wrote to memory of 2336	1788	ms32.pif	39
PID 1788 wrote to memory of 2336	1788	ms32.pif	39
PID 1788 wrote to memory of 2336	1788	ms32.pif	39
PID 1788 wrote to memory of 2336	1788	ms32.pif	39

C:\Users\Admin\AppData\Local\Temp\aa31319b8c8b1c45fc73d75006d997d6.exe
"C:\Users\Admin\AppData\Local\Temp\aa31319b8c8b1c45fc73d75006d997d6.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Windows\SysWOW64\ms32.pif
  C:\Windows\system32\ms32.pif 468 "C:\Users\Admin\AppData\Local\Temp\aa31319b8c8b1c45fc73d75006d997d6.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3048
- - C:\Windows\SysWOW64\ms32.pif
    C:\Windows\system32\ms32.pif 512 "C:\Windows\SysWOW64\ms32.pif"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\Windows\SysWOW64\ms32.pif
      C:\Windows\system32\ms32.pif 508 "C:\Windows\SysWOW64\ms32.pif"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2392
    - - C:\Windows\SysWOW64\ms32.pif
        
        C:\Windows\system32\ms32.pif 520 "C:\Windows\SysWOW64\ms32.pif"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2032
      - C:\Windows\SysWOW64\ms32.pif
        
        C:\Windows\system32\ms32.pif 516 "C:\Windows\SysWOW64\ms32.pif"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Windows\SysWOW64\ms32.pif
        
        C:\Windows\system32\ms32.pif 524 "C:\Windows\SysWOW64\ms32.pif"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1372
        
        C:\Windows\SysWOW64\ms32.pif
        
        C:\Windows\system32\ms32.pif 532 "C:\Windows\SysWOW64\ms32.pif"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        C:\Windows\SysWOW64\ms32.pif
        
        C:\Windows\system32\ms32.pif 528 "C:\Windows\SysWOW64\ms32.pif"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Windows\SysWOW64\ms32.pif
        
        C:\Windows\system32\ms32.pif 544 "C:\Windows\SysWOW64\ms32.pif"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Windows\SysWOW64\ms32.pif
        
        C:\Windows\system32\ms32.pif 536 "C:\Windows\SysWOW64\ms32.pif"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2336

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\ms32.pif

Filesize
63KB

MD5
aa31319b8c8b1c45fc73d75006d997d6

SHA1
22bff6b3e0ea8ded6fc076296825ca7b7b140320

SHA256
5a53191d8378099c73543f3f2259efcbaa41334a83a3661c55254dc010f20220

SHA512
1cac7b91647bdbb825826724fa97a02e39ae26621751cff087082057c810ddf7b1cf352c9d77099dbe085fe044257cc11849cb23c7383228d21b613eab27f092

Download Submit
memory/1372-59-0x0000000002650000-0x000000000269B000-memory.dmp

Filesize
300KB

Download
memory/1372-55-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1372-53-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1788-74-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1788-81-0x0000000001F90000-0x0000000001FDB000-memory.dmp

Filesize
300KB

Download
memory/1788-77-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1788-75-0x0000000000260000-0x0000000000262000-memory.dmp

Filesize
8KB

Download
memory/2032-45-0x00000000023E0000-0x000000000242B000-memory.dmp

Filesize
300KB

Download
memory/2032-41-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2032-39-0x00000000001B0000-0x00000000001B2000-memory.dmp

Filesize
8KB

Download
memory/2032-38-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2040-46-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2040-48-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2040-52-0x00000000023A0000-0x00000000023EB000-memory.dmp

Filesize
300KB

Download
memory/2100-0-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2100-16-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2100-6-0x0000000001CC0000-0x0000000001D0B000-memory.dmp

Filesize
300KB

Download
memory/2100-1-0x00000000001B0000-0x00000000001B2000-memory.dmp

Filesize
8KB

Download
memory/2196-73-0x0000000001DD0000-0x0000000001E1B000-memory.dmp

Filesize
300KB

Download
memory/2196-67-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2196-69-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2336-82-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2336-83-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download
memory/2336-85-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2392-37-0x0000000001FB0000-0x0000000001FFB000-memory.dmp

Filesize
300KB

Download
memory/2392-33-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2392-31-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2696-23-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2696-30-0x0000000000520000-0x000000000056B000-memory.dmp

Filesize
300KB

Download
memory/2696-26-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2696-24-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download
memory/2888-62-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2888-66-0x0000000001DB0000-0x0000000001DFB000-memory.dmp

Filesize
300KB

Download
memory/2888-60-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3048-21-0x0000000001CE0000-0x0000000001D2B000-memory.dmp

Filesize
300KB

Download
memory/3048-22-0x0000000001CE0000-0x0000000001D2B000-memory.dmp

Filesize
300KB

Download
memory/3048-17-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3048-14-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download
memory/3048-13-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads