5e633779556aaf1b48c5dc6e8682291d6d99b4dcb090f5a50da673c8c0cd315e

Analysis

max time kernel
152s
max time network
79s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01/10/2022, 20:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e633779556aaf1b48c5dc6e8682291d6d99b4dcb090f5a50da673c8c0cd315e.exe
Size

288KB
MD5

015e81d0d477035bafb0bc45572a8404
SHA1

578f633b5af77ee16aa1f69714a8779ab18d079c
SHA256

5e633779556aaf1b48c5dc6e8682291d6d99b4dcb090f5a50da673c8c0cd315e
SHA512

d927b507b9b0d489660396c0e0740546f4384ff5df9ce395bb8b6823bc8eaafa5cedca16b7e28fc8b67e09c5dd0491f084b95f1441462e646403a1204633cb3a
SSDEEP

6144:MBz1YkFIVEzLK4tDOiSaARyDQckDaKtng:O1VmEHDOiARyUrmgg

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1532	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
1532	svchost.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Oole\Shahsvlcg.gif	5e633779556aaf1b48c5dc6e8682291d6d99b4dcb090f5a50da673c8c0cd315e.exe
File created	C:\Program Files (x86)\Oole\Shahsvlcg.gif	5e633779556aaf1b48c5dc6e8682291d6d99b4dcb090f5a50da673c8c0cd315e.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\windows\sou2077000.dll	5e633779556aaf1b48c5dc6e8682291d6d99b4dcb090f5a50da673c8c0cd315e.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
1532	svchost.exe
1532	svchost.exe
1532	svchost.exe
1532	svchost.exe
1532	svchost.exe
1532	svchost.exe
1532	svchost.exe
1532	svchost.exe
1532	svchost.exe
1532	svchost.exe
1532	svchost.exe
1532	svchost.exe
1532	svchost.exe
1532	svchost.exe
1532	svchost.exe
1532	svchost.exe
1532	svchost.exe
1532	svchost.exe
1532	svchost.exe
1532	svchost.exe
1532	svchost.exe
1532	svchost.exe
1532	svchost.exe
1532	svchost.exe
1532	svchost.exe
1532	svchost.exe
1532	svchost.exe
1532	svchost.exe
1532	svchost.exe
1532	svchost.exe
1532	svchost.exe
1532	svchost.exe
1532	svchost.exe
1532	svchost.exe
1532	svchost.exe
1532	svchost.exe
1532	svchost.exe
1532	svchost.exe
1532	svchost.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeBackupPrivilege	1412	5e633779556aaf1b48c5dc6e8682291d6d99b4dcb090f5a50da673c8c0cd315e.exe
Token: SeRestorePrivilege	1412	5e633779556aaf1b48c5dc6e8682291d6d99b4dcb090f5a50da673c8c0cd315e.exe
Token: SeBackupPrivilege	1412	5e633779556aaf1b48c5dc6e8682291d6d99b4dcb090f5a50da673c8c0cd315e.exe
Token: SeRestorePrivilege	1412	5e633779556aaf1b48c5dc6e8682291d6d99b4dcb090f5a50da673c8c0cd315e.exe
Token: SeBackupPrivilege	1412	5e633779556aaf1b48c5dc6e8682291d6d99b4dcb090f5a50da673c8c0cd315e.exe
Token: SeRestorePrivilege	1412	5e633779556aaf1b48c5dc6e8682291d6d99b4dcb090f5a50da673c8c0cd315e.exe
Token: SeBackupPrivilege	1412	5e633779556aaf1b48c5dc6e8682291d6d99b4dcb090f5a50da673c8c0cd315e.exe
Token: SeRestorePrivilege	1412	5e633779556aaf1b48c5dc6e8682291d6d99b4dcb090f5a50da673c8c0cd315e.exe

C:\Users\Admin\AppData\Local\Temp\5e633779556aaf1b48c5dc6e8682291d6d99b4dcb090f5a50da673c8c0cd315e.exe
"C:\Users\Admin\AppData\Local\Temp\5e633779556aaf1b48c5dc6e8682291d6d99b4dcb090f5a50da673c8c0cd315e.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1412

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k sougou
1⤵
- Deletes itself
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1532

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\windows\sou2077000.dll

Filesize
205KB

MD5
bed78f27a7ab9a7fdbd950ca7bbfd730

SHA1
3f873908ca93f3b05f690481ff829e47676947d7

SHA256
b99cb17b11778fe0e13860661c98056a311ab887e89cd6e6dfd77a5b9a9ad82b

SHA512
a0b990f9d540a6c71ddbd8e74f0d26066e1b1e53dc010db29808e587dafe7aa5cb5e9de72429127517392370c4d9ab6bdca1519c271506606fedac4348c5e4de

Download Submit
\??\c:\Win_lj.ini

Filesize
128B

MD5
1c1066f210a6c88267539054d11dfb8a

SHA1
88d20c3a1209f16df33d73354ca81dc2be19f3fb

SHA256
5db566266be3561561bbd0ac997ce4f044efd172879871cb7710385559a277fe

SHA512
1df7378c5cb2f73a1b1c59a438d2eb968c928dbdda30a341c09dd91bc41d66781d07461adef3c05edcdb08a8ffb1d11af97e6b881dacc5e7e596d4f1c564d572

Download Submit
\??\c:\program files (x86)\oole\shahsvlcg.gif

Filesize
16.8MB

MD5
0afc4e72de51f96b7db0d91ef9b6a846

SHA1
554a726d5ac6eb18c0178eda920bd741c000ffb7

SHA256
9d43f506a47c1d0b846438eb4793618518017ea1433348b621804f8e0c57b333

SHA512
762d1788e49950e429f73ba25cfc89c63a69d4465a3fb54a5e087c59cc85db6b5cb647603ea5a5921f1c7d034f97e90223dd5e8a33e4e7c15451f629eb515fe5

Download Submit
\Program Files (x86)\Oole\Shahsvlcg.gif

Filesize
16.8MB

MD5
0afc4e72de51f96b7db0d91ef9b6a846

SHA1
554a726d5ac6eb18c0178eda920bd741c000ffb7

SHA256
9d43f506a47c1d0b846438eb4793618518017ea1433348b621804f8e0c57b333

SHA512
762d1788e49950e429f73ba25cfc89c63a69d4465a3fb54a5e087c59cc85db6b5cb647603ea5a5921f1c7d034f97e90223dd5e8a33e4e7c15451f629eb515fe5

Download Submit
memory/1412-54-0x0000000075771000-0x0000000075773000-memory.dmp

Filesize
8KB

Download
memory/1412-56-0x0000000010000000-0x0000000010035000-memory.dmp

Filesize
212KB

Download
memory/1412-57-0x0000000010000000-0x0000000010035000-memory.dmp

Filesize
212KB

Download
memory/1532-62-0x0000000010000000-0x0000000010035000-memory.dmp

Filesize
212KB

Download