77e738195b289d61b98574a1ddaaaaec16f0acabf760b5e47db9e2adaabf12fe

Analysis

max time kernel
92s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2022, 07:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

77e738195b289d61b98574a1ddaaaaec16f0acabf760b5e47db9e2adaabf12fe.exe
Size

116KB
MD5

9f00d80eb835f7f484268d57e6a6ef03
SHA1

6497fceeb3aca83dc5ef8cc2ef0b1e3ae99bb7c8
SHA256

77e738195b289d61b98574a1ddaaaaec16f0acabf760b5e47db9e2adaabf12fe
SHA512

e2f9c946c06ad45f315723d7540b8372d1a3d3b6ace3c21f9ecd771918e74130e18148c8615e30aab7d5e6d46218a2eba5a3e286e7de0bd02338e0450ff5947d
SSDEEP

768:KBdqsf0UiNVqTIF+GCgqqIVQIJ8T7R4jpz:Q0jUmQdQIJW7REd

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2032	r05012.exe

Loads dropped DLL 1 IoCs

pid	Process
2032	r05012.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rpcss.dll	r05012.exe
File opened for modification	C:\Windows\SysWOW64\rpcss.dll	r05012.exe
File created	C:\Windows\SysWOW64\sh05012.dll	r05012.exe
File created	C:\Windows\SysWOW64\r05012.exe	77e738195b289d61b98574a1ddaaaaec16f0acabf760b5e47db9e2adaabf12fe.exe
File opened for modification	C:\Windows\SysWOW64\r05012.exe	77e738195b289d61b98574a1ddaaaaec16f0acabf760b5e47db9e2adaabf12fe.exe
File created	C:\Windows\SysWOW64\sh05012.ini	r05012.exe
File created	C:\Windows\SysWOW64\csrss.dll	r05012.exe
File opened for modification	C:\Windows\SysWOW64\csrss.dll	r05012.exe
File opened for modification	C:\Windows\SysWOW64\sh05012.dll	r05012.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2032	r05012.exe
2032	r05012.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2032	r05012.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 2032	2420	77e738195b289d61b98574a1ddaaaaec16f0acabf760b5e47db9e2adaabf12fe.exe	78
PID 2420 wrote to memory of 2032	2420	77e738195b289d61b98574a1ddaaaaec16f0acabf760b5e47db9e2adaabf12fe.exe	78
PID 2420 wrote to memory of 2032	2420	77e738195b289d61b98574a1ddaaaaec16f0acabf760b5e47db9e2adaabf12fe.exe	78
PID 2032 wrote to memory of 3060	2032	r05012.exe	43

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3060
- C:\Users\Admin\AppData\Local\Temp\77e738195b289d61b98574a1ddaaaaec16f0acabf760b5e47db9e2adaabf12fe.exe
  "C:\Users\Admin\AppData\Local\Temp\77e738195b289d61b98574a1ddaaaaec16f0acabf760b5e47db9e2adaabf12fe.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2420
- - C:\Windows\SysWOW64\r05012.exe
    C:\Windows\system32\r05012.exe C:\Users\Admin\AppData\Local\Temp\~e56d016.~~~ test C:\Users\Admin\AppData\Local\Temp\77e738195b289d61b98574a1ddaaaaec16f0acabf760b5e47db9e2adaabf12fe.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2032

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~e56d016.~~~

Filesize
45KB

MD5
7af0a427adbeb10d8fd085ac286e0133

SHA1
210ba973ea23dc266b44554cd2e5c62874173857

SHA256
2954ed080ca4b5dd141f164982004aa0fd18cc82f0ad59b695f50139b29b3b05

SHA512
b9c54a41207e9c40d2ac31d333fced14ca4fa44353b89b320aa08d6ed22d7b0cafcbb59fc2879ddb1f87fae77df3e02fec6d90d7d626c7e52eb7ecee30ace222

Download Submit
C:\Users\Admin\AppData\Local\Temp\~e56d016.~~~

Filesize
45KB

MD5
7af0a427adbeb10d8fd085ac286e0133

SHA1
210ba973ea23dc266b44554cd2e5c62874173857

SHA256
2954ed080ca4b5dd141f164982004aa0fd18cc82f0ad59b695f50139b29b3b05

SHA512
b9c54a41207e9c40d2ac31d333fced14ca4fa44353b89b320aa08d6ed22d7b0cafcbb59fc2879ddb1f87fae77df3e02fec6d90d7d626c7e52eb7ecee30ace222

Download Submit
C:\Windows\SysWOW64\r05012.exe

Filesize
60KB

MD5
889b99c52a60dd49227c5e485a016679

SHA1
8fa889e456aa646a4d0a4349977430ce5fa5e2d7

SHA256
6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

SHA512
08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

Download Submit
C:\Windows\SysWOW64\r05012.exe

Filesize
60KB

MD5
889b99c52a60dd49227c5e485a016679

SHA1
8fa889e456aa646a4d0a4349977430ce5fa5e2d7

SHA256
6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

SHA512
08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

Download Submit
memory/2420-132-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2420-135-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download