5a53191d8378099c73543f3f2259efcbaa41334a83a3661c55254dc010f20220

Analysis

max time kernel
147s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
27/02/2024, 21:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa31319b8c8b1c45fc73d75006d997d6.exe
Size

63KB
MD5

aa31319b8c8b1c45fc73d75006d997d6
SHA1

22bff6b3e0ea8ded6fc076296825ca7b7b140320
SHA256

5a53191d8378099c73543f3f2259efcbaa41334a83a3661c55254dc010f20220
SHA512

1cac7b91647bdbb825826724fa97a02e39ae26621751cff087082057c810ddf7b1cf352c9d77099dbe085fe044257cc11849cb23c7383228d21b613eab27f092
SSDEEP

1536:JJuNxBVJE0zOWQQ7zEF9BrtQMiIbT8wIyHSAE:J4xBVJE0/zEF9ZK/mT1yp

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 10 IoCs

pid	Process
1676	ms32.pif
2504	ms32.pif
4072	ms32.pif
4320	ms32.pif
1628	ms32.pif
2164	ms32.pif
2120	ms32.pif
1804	ms32.pif
4772	ms32.pif
5004	ms32.pif

Drops file in System32 directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ms32.pif	ms32.pif
File created	C:\Windows\SysWOW64\ms32.pif	ms32.pif
File created	C:\Windows\SysWOW64\ms32.pif	ms32.pif
File opened for modification	C:\Windows\SysWOW64\ms32.pif	aa31319b8c8b1c45fc73d75006d997d6.exe
File opened for modification	C:\Windows\SysWOW64\ms32.pif	ms32.pif
File created	C:\Windows\SysWOW64\ms32.pif	ms32.pif
File opened for modification	C:\Windows\SysWOW64\ms32.pif	ms32.pif
File opened for modification	C:\Windows\SysWOW64\ms32.pif	ms32.pif
File opened for modification	C:\Windows\SysWOW64\ms32.pif	ms32.pif
File created	C:\Windows\SysWOW64\ms32.pif	ms32.pif
File created	C:\Windows\SysWOW64\ms32.pif	aa31319b8c8b1c45fc73d75006d997d6.exe
File created	C:\Windows\SysWOW64\ms32.pif	ms32.pif
File created	C:\Windows\SysWOW64\ms32.pif	ms32.pif
File created	C:\Windows\SysWOW64\ms32.pif	ms32.pif
File opened for modification	C:\Windows\SysWOW64\ms32.pif	ms32.pif
File created	C:\Windows\SysWOW64\ms32.pif	ms32.pif
File created	C:\Windows\SysWOW64\ms32.pif	ms32.pif
File opened for modification	C:\Windows\SysWOW64\ms32.pif	ms32.pif
File created	C:\Windows\SysWOW64\ms32.pif	ms32.pif
File opened for modification	C:\Windows\SysWOW64\ms32.pif	ms32.pif
File opened for modification	C:\Windows\SysWOW64\ms32.pif	ms32.pif
File opened for modification	C:\Windows\SysWOW64\ms32.pif	ms32.pif

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2572 wrote to memory of 1676	2572	aa31319b8c8b1c45fc73d75006d997d6.exe	96
PID 2572 wrote to memory of 1676	2572	aa31319b8c8b1c45fc73d75006d997d6.exe	96
PID 2572 wrote to memory of 1676	2572	aa31319b8c8b1c45fc73d75006d997d6.exe	96
PID 1676 wrote to memory of 2504	1676	ms32.pif	98
PID 1676 wrote to memory of 2504	1676	ms32.pif	98
PID 1676 wrote to memory of 2504	1676	ms32.pif	98
PID 2504 wrote to memory of 4072	2504	ms32.pif	101
PID 2504 wrote to memory of 4072	2504	ms32.pif	101
PID 2504 wrote to memory of 4072	2504	ms32.pif	101
PID 4072 wrote to memory of 4320	4072	ms32.pif	104
PID 4072 wrote to memory of 4320	4072	ms32.pif	104
PID 4072 wrote to memory of 4320	4072	ms32.pif	104
PID 4320 wrote to memory of 1628	4320	ms32.pif	105
PID 4320 wrote to memory of 1628	4320	ms32.pif	105
PID 4320 wrote to memory of 1628	4320	ms32.pif	105
PID 1628 wrote to memory of 2164	1628	ms32.pif	106
PID 1628 wrote to memory of 2164	1628	ms32.pif	106
PID 1628 wrote to memory of 2164	1628	ms32.pif	106
PID 2164 wrote to memory of 2120	2164	ms32.pif	107
PID 2164 wrote to memory of 2120	2164	ms32.pif	107
PID 2164 wrote to memory of 2120	2164	ms32.pif	107
PID 2120 wrote to memory of 1804	2120	ms32.pif	110
PID 2120 wrote to memory of 1804	2120	ms32.pif	110
PID 2120 wrote to memory of 1804	2120	ms32.pif	110
PID 1804 wrote to memory of 4772	1804	ms32.pif	111
PID 1804 wrote to memory of 4772	1804	ms32.pif	111
PID 1804 wrote to memory of 4772	1804	ms32.pif	111
PID 4772 wrote to memory of 5004	4772	ms32.pif	112
PID 4772 wrote to memory of 5004	4772	ms32.pif	112
PID 4772 wrote to memory of 5004	4772	ms32.pif	112

C:\Users\Admin\AppData\Local\Temp\aa31319b8c8b1c45fc73d75006d997d6.exe
"C:\Users\Admin\AppData\Local\Temp\aa31319b8c8b1c45fc73d75006d997d6.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2572
- C:\Windows\SysWOW64\ms32.pif
  C:\Windows\system32\ms32.pif 1112 "C:\Users\Admin\AppData\Local\Temp\aa31319b8c8b1c45fc73d75006d997d6.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1676
- - C:\Windows\SysWOW64\ms32.pif
    C:\Windows\system32\ms32.pif 1068 "C:\Windows\SysWOW64\ms32.pif"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2504
  - - C:\Windows\SysWOW64\ms32.pif
      C:\Windows\system32\ms32.pif 1100 "C:\Windows\SysWOW64\ms32.pif"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4072
    - - C:\Windows\SysWOW64\ms32.pif
        
        C:\Windows\system32\ms32.pif 1096 "C:\Windows\SysWOW64\ms32.pif"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4320
      - C:\Windows\SysWOW64\ms32.pif
        
        C:\Windows\system32\ms32.pif 1116 "C:\Windows\SysWOW64\ms32.pif"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Windows\SysWOW64\ms32.pif
        
        C:\Windows\system32\ms32.pif 1104 "C:\Windows\SysWOW64\ms32.pif"
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Windows\SysWOW64\ms32.pif
        
        C:\Windows\system32\ms32.pif 1032 "C:\Windows\SysWOW64\ms32.pif"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Windows\SysWOW64\ms32.pif
        
        C:\Windows\system32\ms32.pif 1120 "C:\Windows\SysWOW64\ms32.pif"
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1804
        
        C:\Windows\SysWOW64\ms32.pif
        
        C:\Windows\system32\ms32.pif 1124 "C:\Windows\SysWOW64\ms32.pif"
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4772
        
        C:\Windows\SysWOW64\ms32.pif
        
        C:\Windows\system32\ms32.pif 1128 "C:\Windows\SysWOW64\ms32.pif"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1432 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
1⤵
PID:4572

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ms32.pif

Filesize
19KB

MD5
30fc5f7bfa5f835ffb531f40060f7d40

SHA1
49be18030556b21b1330ea3cb4121c8b5771ebf3

SHA256
2d124bfb3e96530b19f8eac730a1d91ad558ba9a8f1d024cbc1f8af81794f5fa

SHA512
cc08a7ccfa5936fc4a90bcf4cb6d726ff90537f03cdce83b699f95704e7c9353ab3e96f7f884a6c554a647d031408e3d5f48a57f4aeff774c932776201fe1a35

Download Submit
C:\Windows\SysWOW64\ms32.pif

Filesize
63KB

MD5
aa31319b8c8b1c45fc73d75006d997d6

SHA1
22bff6b3e0ea8ded6fc076296825ca7b7b140320

SHA256
5a53191d8378099c73543f3f2259efcbaa41334a83a3661c55254dc010f20220

SHA512
1cac7b91647bdbb825826724fa97a02e39ae26621751cff087082057c810ddf7b1cf352c9d77099dbe085fe044257cc11849cb23c7383228d21b613eab27f092

Download Submit
memory/1628-24-0x00000000004E0000-0x00000000004E2000-memory.dmp

Filesize
8KB

Download
memory/1628-26-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1676-10-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1676-8-0x00000000005B0000-0x00000000005B2000-memory.dmp

Filesize
8KB

Download
memory/1804-37-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1804-35-0x00000000006B0000-0x00000000006B2000-memory.dmp

Filesize
8KB

Download
memory/2120-33-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2120-31-0x00000000005A0000-0x00000000005A2000-memory.dmp

Filesize
8KB

Download
memory/2164-29-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2504-12-0x0000000002050000-0x0000000002052000-memory.dmp

Filesize
8KB

Download
memory/2504-14-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2572-9-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2572-1-0x0000000000530000-0x0000000000532000-memory.dmp

Filesize
8KB

Download
memory/2572-0-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4072-16-0x0000000000560000-0x0000000000562000-memory.dmp

Filesize
8KB

Download
memory/4072-18-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4320-22-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4320-20-0x00000000005B0000-0x00000000005B2000-memory.dmp

Filesize
8KB

Download
memory/4772-40-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/5004-42-0x00000000005D0000-0x00000000005D2000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads