1290144f772581d872189713bb0fa06f9ddefbc34b96203daa1385428753c647

General

Target

RSW6103D401005.exe
Size

779KB
MD5

48896a706705d1f50165b0fbb89bef33
SHA1

a3c80ea7898c04955d246e5e38f82575873893d9
SHA256

1290144f772581d872189713bb0fa06f9ddefbc34b96203daa1385428753c647
SHA512

1762fd410bacb7ba3b5735fc14b9ca1a9f794ff59d3927e01dbebb8200629da546a49c1a49547df22fcf49b2f89190ea783141fdf8d00b31edd40b5520825197
SSDEEP

24576:RJIncPlNxuJEZk1Qe5bUgqpjBETR2TqOG3:RJznx6EZXe5b2p6T02F

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2156 set thread context of 2084	2156	RSW6103D401005.exe	28
PID 2084 set thread context of 1176	2084	RSW6103D401005.exe	21
PID 2084 set thread context of 2116	2084	RSW6103D401005.exe	31
PID 2116 set thread context of 1176	2116	TapiUnattend.exe	21

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
2084	RSW6103D401005.exe
2084	RSW6103D401005.exe
2084	RSW6103D401005.exe
2084	RSW6103D401005.exe
2084	RSW6103D401005.exe
2084	RSW6103D401005.exe
2084	RSW6103D401005.exe
2084	RSW6103D401005.exe
2116	TapiUnattend.exe
2116	TapiUnattend.exe
2116	TapiUnattend.exe
2116	TapiUnattend.exe
2116	TapiUnattend.exe
2116	TapiUnattend.exe
2116	TapiUnattend.exe
2116	TapiUnattend.exe
2116	TapiUnattend.exe
2116	TapiUnattend.exe
2116	TapiUnattend.exe
2116	TapiUnattend.exe
2116	TapiUnattend.exe
2116	TapiUnattend.exe
2116	TapiUnattend.exe
2116	TapiUnattend.exe
2116	TapiUnattend.exe
2116	TapiUnattend.exe
2116	TapiUnattend.exe
2116	TapiUnattend.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
2084	RSW6103D401005.exe
2084	RSW6103D401005.exe
2116	TapiUnattend.exe
2116	TapiUnattend.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 2084	2156	RSW6103D401005.exe	28
PID 2156 wrote to memory of 2084	2156	RSW6103D401005.exe	28
PID 2156 wrote to memory of 2084	2156	RSW6103D401005.exe	28
PID 2156 wrote to memory of 2084	2156	RSW6103D401005.exe	28
PID 2156 wrote to memory of 2084	2156	RSW6103D401005.exe	28
PID 2156 wrote to memory of 2084	2156	RSW6103D401005.exe	28
PID 2156 wrote to memory of 2084	2156	RSW6103D401005.exe	28
PID 2084 wrote to memory of 2116	2084	RSW6103D401005.exe	31
PID 2084 wrote to memory of 2116	2084	RSW6103D401005.exe	31
PID 2084 wrote to memory of 2116	2084	RSW6103D401005.exe	31
PID 2084 wrote to memory of 2116	2084	RSW6103D401005.exe	31

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1176
- C:\Users\Admin\AppData\Local\Temp\RSW6103D401005.exe
  "C:\Users\Admin\AppData\Local\Temp\RSW6103D401005.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Users\Admin\AppData\Local\Temp\RSW6103D401005.exe
    "C:\Users\Admin\AppData\Local\Temp\RSW6103D401005.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2084
  - - C:\Windows\SysWOW64\TapiUnattend.exe
      "C:\Windows\SysWOW64\TapiUnattend.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      PID:2116

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1176-18-0x00000000001C0000-0x00000000002C0000-memory.dmp

Filesize
1024KB

Download
memory/1176-19-0x0000000008E00000-0x000000000B1CD000-memory.dmp

Filesize
35.8MB

Download
memory/2084-13-0x0000000000990000-0x0000000000C93000-memory.dmp

Filesize
3.0MB

Download
memory/2084-23-0x00000000002B0000-0x00000000002D5000-memory.dmp

Filesize
148KB

Download
memory/2084-16-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2084-22-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2084-17-0x00000000002B0000-0x00000000002D5000-memory.dmp

Filesize
148KB

Download
memory/2084-7-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2084-11-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2084-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2084-8-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2084-15-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2084-14-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2116-20-0x0000000000080000-0x00000000000BF000-memory.dmp

Filesize
252KB

Download
memory/2116-28-0x0000000000080000-0x00000000000BF000-memory.dmp

Filesize
252KB

Download
memory/2116-24-0x0000000001ED0000-0x00000000021D3000-memory.dmp

Filesize
3.0MB

Download
memory/2116-21-0x0000000000080000-0x00000000000BF000-memory.dmp

Filesize
252KB

Download
memory/2116-27-0x0000000001D40000-0x0000000001DE4000-memory.dmp

Filesize
656KB

Download
memory/2116-25-0x0000000000080000-0x00000000000BF000-memory.dmp

Filesize
252KB

Download
memory/2156-12-0x00000000748C0000-0x0000000074FAE000-memory.dmp

Filesize
6.9MB

Download
memory/2156-1-0x0000000000DA0000-0x0000000000E68000-memory.dmp

Filesize
800KB

Download
memory/2156-6-0x0000000000CE0000-0x0000000000D6A000-memory.dmp

Filesize
552KB

Download
memory/2156-5-0x0000000000600000-0x000000000060C000-memory.dmp

Filesize
48KB

Download
memory/2156-4-0x00000000004C0000-0x00000000004C8000-memory.dmp

Filesize
32KB

Download
memory/2156-0-0x00000000748CE000-0x00000000748CF000-memory.dmp

Filesize
4KB

Download
memory/2156-2-0x00000000748C0000-0x0000000074FAE000-memory.dmp

Filesize
6.9MB

Download
memory/2156-3-0x0000000000490000-0x00000000004AA000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing