77d60a3b547e6d3f3a7f0fbde8772b354b1f4ad2170d91a6f710e2e8d366a0bd

Analysis

max time kernel
43s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19/09/2022, 06:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

77d60a3b547e6d3f3a7f0fbde8772b354b1f4ad2170d91a6f710e2e8d366a0bd.exe
Size

128KB
MD5

3308181cb745b218f57616f014285c44
SHA1

e8796386fd259227487d8ce2d80f39db4acb59fa
SHA256

77d60a3b547e6d3f3a7f0fbde8772b354b1f4ad2170d91a6f710e2e8d366a0bd
SHA512

a7d1dae10791ae71b885442e17dac3fd491970c43e039f5bae2f4cdd7589d87e07d862d8b1369836fa4bb046b2d85cbc8d023cf3be9ee8d597cf8afb80c8806c
SSDEEP

1536:e8GasXvoUrE71JtRbRG4WowtDAlsMsy0nCTRuRt/yHB:e8HgGxfarASMsG9ct/yHB

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1508	rcflye.exe

Deletes itself 1 IoCs

pid	Process
1288	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1084	77d60a3b547e6d3f3a7f0fbde8772b354b1f4ad2170d91a6f710e2e8d366a0bd.exe
1084	77d60a3b547e6d3f3a7f0fbde8772b354b1f4ad2170d91a6f710e2e8d366a0bd.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\rcflye.exe	77d60a3b547e6d3f3a7f0fbde8772b354b1f4ad2170d91a6f710e2e8d366a0bd.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
664	1508	WerFault.exe	27

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1084	77d60a3b547e6d3f3a7f0fbde8772b354b1f4ad2170d91a6f710e2e8d366a0bd.exe
1084	77d60a3b547e6d3f3a7f0fbde8772b354b1f4ad2170d91a6f710e2e8d366a0bd.exe
1084	77d60a3b547e6d3f3a7f0fbde8772b354b1f4ad2170d91a6f710e2e8d366a0bd.exe
1508	rcflye.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeBackupPrivilege	1084	77d60a3b547e6d3f3a7f0fbde8772b354b1f4ad2170d91a6f710e2e8d366a0bd.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1084 wrote to memory of 1508	1084	77d60a3b547e6d3f3a7f0fbde8772b354b1f4ad2170d91a6f710e2e8d366a0bd.exe	27
PID 1084 wrote to memory of 1508	1084	77d60a3b547e6d3f3a7f0fbde8772b354b1f4ad2170d91a6f710e2e8d366a0bd.exe	27
PID 1084 wrote to memory of 1508	1084	77d60a3b547e6d3f3a7f0fbde8772b354b1f4ad2170d91a6f710e2e8d366a0bd.exe	27
PID 1084 wrote to memory of 1508	1084	77d60a3b547e6d3f3a7f0fbde8772b354b1f4ad2170d91a6f710e2e8d366a0bd.exe	27
PID 1508 wrote to memory of 664	1508	rcflye.exe	28
PID 1508 wrote to memory of 664	1508	rcflye.exe	28
PID 1508 wrote to memory of 664	1508	rcflye.exe	28
PID 1508 wrote to memory of 664	1508	rcflye.exe	28
PID 1084 wrote to memory of 1288	1084	77d60a3b547e6d3f3a7f0fbde8772b354b1f4ad2170d91a6f710e2e8d366a0bd.exe	29
PID 1084 wrote to memory of 1288	1084	77d60a3b547e6d3f3a7f0fbde8772b354b1f4ad2170d91a6f710e2e8d366a0bd.exe	29
PID 1084 wrote to memory of 1288	1084	77d60a3b547e6d3f3a7f0fbde8772b354b1f4ad2170d91a6f710e2e8d366a0bd.exe	29
PID 1084 wrote to memory of 1288	1084	77d60a3b547e6d3f3a7f0fbde8772b354b1f4ad2170d91a6f710e2e8d366a0bd.exe	29

C:\Users\Admin\AppData\Local\Temp\77d60a3b547e6d3f3a7f0fbde8772b354b1f4ad2170d91a6f710e2e8d366a0bd.exe
"C:\Users\Admin\AppData\Local\Temp\77d60a3b547e6d3f3a7f0fbde8772b354b1f4ad2170d91a6f710e2e8d366a0bd.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1084
- C:\Program Files\rcflye.exe
  "C:\Program Files\rcflye.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1508
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 212
    3⤵
    - Program crash
    PID:664
- C:\Windows\SysWOW64\cmd.exe
  cmd /c afc9fe2f418b00a0.bat
  2⤵
  - Deletes itself
  PID:1288

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\rcflye.exe

Filesize
50.1MB

MD5
2000270d7aeeac517a9fa1d6f8834b78

SHA1
8fd7b78090e8a9e46aa1307a8a94ede565964adb

SHA256
b3419323445583abd7457efbd6b48d15ddd0ad3e8103e1b03abbdcda9f9421de

SHA512
709894429963b8725a8c732ee8e31acaf62f26874d05d6a6469771088c428e8185fb08384c40158e1a6fb20994932640fa9408b2d1f0bcf7fb29fc91982f8de7

Download Submit
C:\Users\Admin\AppData\Local\Temp\afc9fe2f418b00a0.bat

Filesize
2KB

MD5
ba6dd8d966b4bd902a9af86a31f80e6b

SHA1
6e1ec295185fbe396d9a59641bf23ca6d8d87ad7

SHA256
caaedee37570ff037c758a021640a95d7c29c3799d5fe306f7681f91d6a60ac9

SHA512
8fde0360fee19792f52358b04c486a0fcf582e5e8cd2191ef56be1284d466ff82aaa30a52e3ad658a69165cf4a1c71293cee521e60baaef1216adf1c5b28eef4

Download Submit
\Program Files\rcflye.exe

Filesize
50.1MB

MD5
2000270d7aeeac517a9fa1d6f8834b78

SHA1
8fd7b78090e8a9e46aa1307a8a94ede565964adb

SHA256
b3419323445583abd7457efbd6b48d15ddd0ad3e8103e1b03abbdcda9f9421de

SHA512
709894429963b8725a8c732ee8e31acaf62f26874d05d6a6469771088c428e8185fb08384c40158e1a6fb20994932640fa9408b2d1f0bcf7fb29fc91982f8de7

Download Submit
\Program Files\rcflye.exe

Filesize
50.1MB

MD5
2000270d7aeeac517a9fa1d6f8834b78

SHA1
8fd7b78090e8a9e46aa1307a8a94ede565964adb

SHA256
b3419323445583abd7457efbd6b48d15ddd0ad3e8103e1b03abbdcda9f9421de

SHA512
709894429963b8725a8c732ee8e31acaf62f26874d05d6a6469771088c428e8185fb08384c40158e1a6fb20994932640fa9408b2d1f0bcf7fb29fc91982f8de7

Download Submit
memory/1508-58-0x0000000074C91000-0x0000000074C93000-memory.dmp

Filesize
8KB

Download