Analysis
-
max time kernel
152s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
05/02/2022, 15:34
Static task
static1
Behavioral task
behavioral1
Sample
55c9174f8e46852cecde40c6816bdb6758b033113a6383dc1bcebdf77fd63be4.exe
Resource
win7-en-20211208
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
55c9174f8e46852cecde40c6816bdb6758b033113a6383dc1bcebdf77fd63be4.exe
Resource
win10v2004-en-20220113
0 signatures
0 seconds
General
-
Target
55c9174f8e46852cecde40c6816bdb6758b033113a6383dc1bcebdf77fd63be4.exe
-
Size
222KB
-
MD5
00bfe3c9df49cc312e8f831c2fb122b4
-
SHA1
f4523061afa1b2e538b869a93a6f39e712685e66
-
SHA256
55c9174f8e46852cecde40c6816bdb6758b033113a6383dc1bcebdf77fd63be4
-
SHA512
f78de5528e6c59d6b463a7cc341b07d3104da5c9020b53872665e15fe85a387f4e7a029492ec0cc76e0923e89952e5feafea2460043bad84763f14da2237974d
Score
4/10
Malware Config
Signatures
-
Drops file in Windows directory 6 IoCs
description ioc Process File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm svchost.exe File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log svchost.exe File opened for modification C:\Windows\WindowsUpdate.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb svchost.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeShutdownPrivilege 4184 svchost.exe Token: SeCreatePagefilePrivilege 4184 svchost.exe Token: SeShutdownPrivilege 4184 svchost.exe Token: SeCreatePagefilePrivilege 4184 svchost.exe Token: SeShutdownPrivilege 4184 svchost.exe Token: SeCreatePagefilePrivilege 4184 svchost.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\55c9174f8e46852cecde40c6816bdb6758b033113a6383dc1bcebdf77fd63be4.exe"C:\Users\Admin\AppData\Local\Temp\55c9174f8e46852cecde40c6816bdb6758b033113a6383dc1bcebdf77fd63be4.exe"1⤵PID:4396
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4184