77e738195b289d61b98574a1ddaaaaec16f0acabf760b5e47db9e2adaabf12fe

Analysis

max time kernel
42s
max time network
52s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
19/09/2022, 07:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

77e738195b289d61b98574a1ddaaaaec16f0acabf760b5e47db9e2adaabf12fe.exe
Size

116KB
MD5

9f00d80eb835f7f484268d57e6a6ef03
SHA1

6497fceeb3aca83dc5ef8cc2ef0b1e3ae99bb7c8
SHA256

77e738195b289d61b98574a1ddaaaaec16f0acabf760b5e47db9e2adaabf12fe
SHA512

e2f9c946c06ad45f315723d7540b8372d1a3d3b6ace3c21f9ecd771918e74130e18148c8615e30aab7d5e6d46218a2eba5a3e286e7de0bd02338e0450ff5947d
SSDEEP

768:KBdqsf0UiNVqTIF+GCgqqIVQIJ8T7R4jpz:Q0jUmQdQIJW7REd

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1208	r05012.exe

Deletes itself 1 IoCs

pid	Process
1208	r05012.exe

Loads dropped DLL 2 IoCs

pid	Process
1652	77e738195b289d61b98574a1ddaaaaec16f0acabf760b5e47db9e2adaabf12fe.exe
1208	r05012.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\rpcss.dll	r05012.exe
File created	C:\Windows\SysWOW64\sh05012.dll	r05012.exe
File created	C:\Windows\SysWOW64\r05012.exe	77e738195b289d61b98574a1ddaaaaec16f0acabf760b5e47db9e2adaabf12fe.exe
File opened for modification	C:\Windows\SysWOW64\r05012.exe	77e738195b289d61b98574a1ddaaaaec16f0acabf760b5e47db9e2adaabf12fe.exe
File created	C:\Windows\SysWOW64\sh05012.ini	r05012.exe
File created	C:\Windows\SysWOW64\csrss.dll	r05012.exe
File opened for modification	C:\Windows\SysWOW64\csrss.dll	r05012.exe
File created	C:\Windows\SysWOW64\rpcss.dll	r05012.exe
File opened for modification	C:\Windows\SysWOW64\sh05012.dll	r05012.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1208	r05012.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1208	r05012.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1652 wrote to memory of 1208	1652	77e738195b289d61b98574a1ddaaaaec16f0acabf760b5e47db9e2adaabf12fe.exe	27
PID 1652 wrote to memory of 1208	1652	77e738195b289d61b98574a1ddaaaaec16f0acabf760b5e47db9e2adaabf12fe.exe	27
PID 1652 wrote to memory of 1208	1652	77e738195b289d61b98574a1ddaaaaec16f0acabf760b5e47db9e2adaabf12fe.exe	27
PID 1652 wrote to memory of 1208	1652	77e738195b289d61b98574a1ddaaaaec16f0acabf760b5e47db9e2adaabf12fe.exe	27
PID 1208 wrote to memory of 1212	1208	r05012.exe	17

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1212
- C:\Users\Admin\AppData\Local\Temp\77e738195b289d61b98574a1ddaaaaec16f0acabf760b5e47db9e2adaabf12fe.exe
  "C:\Users\Admin\AppData\Local\Temp\77e738195b289d61b98574a1ddaaaaec16f0acabf760b5e47db9e2adaabf12fe.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1652
- - C:\Windows\SysWOW64\r05012.exe
    C:\Windows\system32\r05012.exe C:\Users\Admin\AppData\Local\Temp\~6c2c7e.~~~ test C:\Users\Admin\AppData\Local\Temp\77e738195b289d61b98574a1ddaaaaec16f0acabf760b5e47db9e2adaabf12fe.exe
    3⤵
    - Executes dropped EXE
    - Deletes itself
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1208

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~6c2c7e.~~~

Filesize
45KB

MD5
7af0a427adbeb10d8fd085ac286e0133

SHA1
210ba973ea23dc266b44554cd2e5c62874173857

SHA256
2954ed080ca4b5dd141f164982004aa0fd18cc82f0ad59b695f50139b29b3b05

SHA512
b9c54a41207e9c40d2ac31d333fced14ca4fa44353b89b320aa08d6ed22d7b0cafcbb59fc2879ddb1f87fae77df3e02fec6d90d7d626c7e52eb7ecee30ace222

Download Submit
C:\Windows\SysWOW64\r05012.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
C:\Windows\SysWOW64\r05012.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
\Users\Admin\AppData\Local\Temp\~6c2c7e.~~~

Filesize
45KB

MD5
7af0a427adbeb10d8fd085ac286e0133

SHA1
210ba973ea23dc266b44554cd2e5c62874173857

SHA256
2954ed080ca4b5dd141f164982004aa0fd18cc82f0ad59b695f50139b29b3b05

SHA512
b9c54a41207e9c40d2ac31d333fced14ca4fa44353b89b320aa08d6ed22d7b0cafcbb59fc2879ddb1f87fae77df3e02fec6d90d7d626c7e52eb7ecee30ace222

Download Submit
\Windows\SysWOW64\r05012.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
memory/1652-54-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download