0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84

Analysis

max time kernel
47s
max time network
51s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
03/10/2022, 04:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84.exe
Size

128KB
MD5

6222bdfc7edea29ba9249ce01baf1fac
SHA1

924b5866b0d2fc17d9950750562fdfa50739e824
SHA256

0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84
SHA512

1bd45b2850a8c008cb9fb87a84dffc24a264e34dc62149e7441bbf415e54e01b8eb1185c6c73714f62e8480cd5b405b7191441329bb7d167989b4d880ad07156
SSDEEP

1536:D42zsCxSe8WYtXZUDEDMTGqycL71loTO9ZphmHLl7zl459WByJQ6k:D42oCogYtpUOstLRlcLl6WBqk

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1768	0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84.exe

Suspicious behavior: MapViewOfSection 21 IoCs

pid	Process
1768	0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84.exe
1768	0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84.exe
1768	0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84.exe
1768	0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84.exe
1768	0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84.exe
1768	0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84.exe
1768	0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84.exe
1768	0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84.exe
1768	0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84.exe
1768	0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84.exe
1768	0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84.exe
1768	0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84.exe
1768	0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84.exe
1768	0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84.exe
1768	0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84.exe
1768	0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84.exe
1768	0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84.exe
1768	0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84.exe
1768	0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84.exe
1768	0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84.exe
1768	0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1768	0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1768	0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1768 wrote to memory of 368	1768	0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84.exe	5
PID 1768 wrote to memory of 368	1768	0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84.exe	5
PID 1768 wrote to memory of 368	1768	0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84.exe	5
PID 1768 wrote to memory of 368	1768	0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84.exe	5
PID 1768 wrote to memory of 368	1768	0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84.exe	5
PID 1768 wrote to memory of 368	1768	0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84.exe	5
PID 1768 wrote to memory of 368	1768	0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84.exe	5
PID 1768 wrote to memory of 384	1768	0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84.exe	4
PID 1768 wrote to memory of 384	1768	0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84.exe	4
PID 1768 wrote to memory of 384	1768	0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84.exe	4
PID 1768 wrote to memory of 384	1768	0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84.exe	4
PID 1768 wrote to memory of 384	1768	0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84.exe	4
PID 1768 wrote to memory of 384	1768	0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84.exe	4
PID 1768 wrote to memory of 384	1768	0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84.exe	4
PID 1768 wrote to memory of 420	1768	0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84.exe	3
PID 1768 wrote to memory of 420	1768	0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84.exe	3
PID 1768 wrote to memory of 420	1768	0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84.exe	3
PID 1768 wrote to memory of 420	1768	0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84.exe	3
PID 1768 wrote to memory of 420	1768	0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84.exe	3
PID 1768 wrote to memory of 420	1768	0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84.exe	3
PID 1768 wrote to memory of 420	1768	0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84.exe	3
PID 1768 wrote to memory of 464	1768	0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84.exe	2
PID 1768 wrote to memory of 464	1768	0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84.exe	2
PID 1768 wrote to memory of 464	1768	0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84.exe	2
PID 1768 wrote to memory of 464	1768	0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84.exe	2
PID 1768 wrote to memory of 464	1768	0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84.exe	2
PID 1768 wrote to memory of 464	1768	0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84.exe	2
PID 1768 wrote to memory of 464	1768	0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84.exe	2
PID 1768 wrote to memory of 480	1768	0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84.exe	1
PID 1768 wrote to memory of 480	1768	0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84.exe	1
PID 1768 wrote to memory of 480	1768	0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84.exe	1
PID 1768 wrote to memory of 480	1768	0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84.exe	1
PID 1768 wrote to memory of 480	1768	0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84.exe	1
PID 1768 wrote to memory of 480	1768	0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84.exe	1
PID 1768 wrote to memory of 480	1768	0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84.exe	1
PID 1768 wrote to memory of 488	1768	0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84.exe	8
PID 1768 wrote to memory of 488	1768	0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84.exe	8
PID 1768 wrote to memory of 488	1768	0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84.exe	8
PID 1768 wrote to memory of 488	1768	0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84.exe	8
PID 1768 wrote to memory of 488	1768	0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84.exe	8
PID 1768 wrote to memory of 488	1768	0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84.exe	8
PID 1768 wrote to memory of 488	1768	0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84.exe	8
PID 1768 wrote to memory of 588	1768	0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84.exe	25
PID 1768 wrote to memory of 588	1768	0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84.exe	25
PID 1768 wrote to memory of 588	1768	0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84.exe	25
PID 1768 wrote to memory of 588	1768	0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84.exe	25
PID 1768 wrote to memory of 588	1768	0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84.exe	25
PID 1768 wrote to memory of 588	1768	0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84.exe	25
PID 1768 wrote to memory of 588	1768	0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84.exe	25
PID 1768 wrote to memory of 664	1768	0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84.exe	24
PID 1768 wrote to memory of 664	1768	0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84.exe	24
PID 1768 wrote to memory of 664	1768	0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84.exe	24
PID 1768 wrote to memory of 664	1768	0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84.exe	24
PID 1768 wrote to memory of 664	1768	0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84.exe	24
PID 1768 wrote to memory of 664	1768	0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84.exe	24
PID 1768 wrote to memory of 664	1768	0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84.exe	24
PID 1768 wrote to memory of 752	1768	0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84.exe	9
PID 1768 wrote to memory of 752	1768	0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84.exe	9
PID 1768 wrote to memory of 752	1768	0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84.exe	9
PID 1768 wrote to memory of 752	1768	0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84.exe	9
PID 1768 wrote to memory of 752	1768	0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84.exe	9
PID 1768 wrote to memory of 752	1768	0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84.exe	9
PID 1768 wrote to memory of 752	1768	0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84.exe	9
PID 1768 wrote to memory of 804	1768	0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84.exe	23

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:480

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:464
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:752
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:844
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1032
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1236
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:272
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:340
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:1456
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:1172
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  PID:868
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:804
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:664
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:588

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:420

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:384

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:368
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:488

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1388
- C:\Users\Admin\AppData\Local\Temp\0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84.exe
  "C:\Users\Admin\AppData\Local\Temp\0cbde79612409136d7921117272c8dba8edf8dfc6470bde1edc5598b2e0dec84.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1768

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1336

\\?\C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:1988

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1768-54-0x0000000076961000-0x0000000076963000-memory.dmp

Filesize
8KB

Download
memory/1768-56-0x0000000000230000-0x000000000023C000-memory.dmp

Filesize
48KB

Download
memory/1768-55-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download