4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f

Analysis

max time kernel
52s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/10/2022, 17:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe
Size

214KB
MD5

36d30d6f09573052d850e94431a2aca0
SHA1

ee7628e1dd82ac46b69e0e10ca14f46383ce76ec
SHA256

4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f
SHA512

6298975dcd394e175e42c341d768860caa3cff5182c9270b9f032126868739dc4ed227db65f4708df8e7da627cd1f10739abf21741ae5f7dc7ff2dbb428f9e72
SSDEEP

3072:CNk4UE8D/X3TGwNAq0j3OYFyQrHx5Oi1UmASIC0IDzz+r4Lkj3QJO2dBSn7:nHjKwR6OcrR5Oi1UmASIuzAn7

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CENTRALPROCESSOR\0\Identifier	4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2044	4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe

Suspicious behavior: MapViewOfSection 23 IoCs

pid	Process
2044	4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe
2044	4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe
2044	4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe
2044	4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe
2044	4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe
2044	4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe
2044	4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe
2044	4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe
2044	4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe
2044	4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe
2044	4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe
2044	4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe
2044	4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe
2044	4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe
2044	4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe
2044	4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe
2044	4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe
2044	4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe
2044	4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe
2044	4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe
2044	4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe
2044	4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe
2044	4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2044	4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 372	2044	4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe	5
PID 2044 wrote to memory of 372	2044	4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe	5
PID 2044 wrote to memory of 372	2044	4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe	5
PID 2044 wrote to memory of 372	2044	4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe	5
PID 2044 wrote to memory of 372	2044	4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe	5
PID 2044 wrote to memory of 372	2044	4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe	5
PID 2044 wrote to memory of 372	2044	4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe	5
PID 2044 wrote to memory of 380	2044	4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe	4
PID 2044 wrote to memory of 380	2044	4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe	4
PID 2044 wrote to memory of 380	2044	4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe	4
PID 2044 wrote to memory of 380	2044	4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe	4
PID 2044 wrote to memory of 380	2044	4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe	4
PID 2044 wrote to memory of 380	2044	4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe	4
PID 2044 wrote to memory of 380	2044	4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe	4
PID 2044 wrote to memory of 420	2044	4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe	3
PID 2044 wrote to memory of 420	2044	4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe	3
PID 2044 wrote to memory of 420	2044	4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe	3
PID 2044 wrote to memory of 420	2044	4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe	3
PID 2044 wrote to memory of 420	2044	4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe	3
PID 2044 wrote to memory of 420	2044	4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe	3
PID 2044 wrote to memory of 420	2044	4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe	3
PID 2044 wrote to memory of 464	2044	4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe	2
PID 2044 wrote to memory of 464	2044	4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe	2
PID 2044 wrote to memory of 464	2044	4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe	2
PID 2044 wrote to memory of 464	2044	4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe	2
PID 2044 wrote to memory of 464	2044	4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe	2
PID 2044 wrote to memory of 464	2044	4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe	2
PID 2044 wrote to memory of 464	2044	4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe	2
PID 2044 wrote to memory of 480	2044	4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe	1
PID 2044 wrote to memory of 480	2044	4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe	1
PID 2044 wrote to memory of 480	2044	4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe	1
PID 2044 wrote to memory of 480	2044	4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe	1
PID 2044 wrote to memory of 480	2044	4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe	1
PID 2044 wrote to memory of 480	2044	4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe	1
PID 2044 wrote to memory of 480	2044	4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe	1
PID 2044 wrote to memory of 488	2044	4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe	8
PID 2044 wrote to memory of 488	2044	4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe	8
PID 2044 wrote to memory of 488	2044	4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe	8
PID 2044 wrote to memory of 488	2044	4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe	8
PID 2044 wrote to memory of 488	2044	4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe	8
PID 2044 wrote to memory of 488	2044	4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe	8
PID 2044 wrote to memory of 488	2044	4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe	8
PID 2044 wrote to memory of 592	2044	4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe	27
PID 2044 wrote to memory of 592	2044	4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe	27
PID 2044 wrote to memory of 592	2044	4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe	27
PID 2044 wrote to memory of 592	2044	4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe	27
PID 2044 wrote to memory of 592	2044	4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe	27
PID 2044 wrote to memory of 592	2044	4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe	27
PID 2044 wrote to memory of 592	2044	4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe	27
PID 2044 wrote to memory of 672	2044	4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe	26
PID 2044 wrote to memory of 672	2044	4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe	26
PID 2044 wrote to memory of 672	2044	4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe	26
PID 2044 wrote to memory of 672	2044	4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe	26
PID 2044 wrote to memory of 672	2044	4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe	26
PID 2044 wrote to memory of 672	2044	4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe	26
PID 2044 wrote to memory of 672	2044	4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe	26
PID 2044 wrote to memory of 736	2044	4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe	25
PID 2044 wrote to memory of 736	2044	4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe	25
PID 2044 wrote to memory of 736	2044	4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe	25
PID 2044 wrote to memory of 736	2044	4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe	25
PID 2044 wrote to memory of 736	2044	4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe	25
PID 2044 wrote to memory of 736	2044	4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe	25
PID 2044 wrote to memory of 736	2044	4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe	25
PID 2044 wrote to memory of 808	2044	4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe	24

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:480

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:464
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:608
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:280
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1136
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1052
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:936
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:108
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  PID:872
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:844
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:808
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:736
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:672
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:592

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:420

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:380
- C:\Windows\system32\conhost.exe
  \??\C:\Windows\system32\conhost.exe "-777868835-881416397-667142324-16625593038126774781398432544643713651-1457817272"
  2⤵
  PID:1144

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:372
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:488

\\?\C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:1892

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
1⤵
PID:1948

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1288
- C:\Users\Admin\AppData\Local\Temp\4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe
  "C:\Users\Admin\AppData\Local\Temp\4dfdf59367589e5ac4a096b8b52f6ea1fc2be8d11e9e39822a3b847ee08da64f.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2044

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1236

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2044-54-0x0000000001000000-0x000000000103A000-memory.dmp

Filesize
232KB

Download