95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b

Analysis

max time kernel
43s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
04-10-2022 04:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe
Size

199KB
MD5

48ef7d0eb51b3a63832cdf9a0ff75270
SHA1

c6ba5a4d43b74a99089f1034e6b6035947e858d3
SHA256

95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b
SHA512

b71e704fcdce9481d017463d01915d626da3d5cbca0cf816d46343f595ff7e6fbc7014bff1d3c90df45251686ef4afed71643f6d9fb4be4e282c10b7472484f8
SSDEEP

3072:W2EQhaXe/i/iJijRjrxPVX/YvsGHhVVsrjW2+VIH0ae+ZDidKP:W1XDhjhxdPYbsrjx4Ixpr

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe

Suspicious behavior: MapViewOfSection 22 IoCs

pid	Process
1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe
1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe
1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe
1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe
1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe
1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe
1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe
1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe
1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe
1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe
1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe
1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe
1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe
1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe
1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe
1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe
1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe
1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe
1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe
1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe
1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe
1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe
1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe
1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 368	1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe	24
PID 1980 wrote to memory of 368	1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe	24
PID 1980 wrote to memory of 368	1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe	24
PID 1980 wrote to memory of 368	1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe	24
PID 1980 wrote to memory of 368	1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe	24
PID 1980 wrote to memory of 368	1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe	24
PID 1980 wrote to memory of 368	1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe	24
PID 1980 wrote to memory of 380	1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe	23
PID 1980 wrote to memory of 380	1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe	23
PID 1980 wrote to memory of 380	1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe	23
PID 1980 wrote to memory of 380	1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe	23
PID 1980 wrote to memory of 380	1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe	23
PID 1980 wrote to memory of 380	1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe	23
PID 1980 wrote to memory of 380	1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe	23
PID 1980 wrote to memory of 416	1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe	22
PID 1980 wrote to memory of 416	1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe	22
PID 1980 wrote to memory of 416	1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe	22
PID 1980 wrote to memory of 416	1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe	22
PID 1980 wrote to memory of 416	1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe	22
PID 1980 wrote to memory of 416	1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe	22
PID 1980 wrote to memory of 416	1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe	22
PID 1980 wrote to memory of 460	1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe	2
PID 1980 wrote to memory of 460	1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe	2
PID 1980 wrote to memory of 460	1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe	2
PID 1980 wrote to memory of 460	1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe	2
PID 1980 wrote to memory of 460	1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe	2
PID 1980 wrote to memory of 460	1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe	2
PID 1980 wrote to memory of 460	1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe	2
PID 1980 wrote to memory of 476	1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe	1
PID 1980 wrote to memory of 476	1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe	1
PID 1980 wrote to memory of 476	1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe	1
PID 1980 wrote to memory of 476	1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe	1
PID 1980 wrote to memory of 476	1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe	1
PID 1980 wrote to memory of 476	1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe	1
PID 1980 wrote to memory of 476	1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe	1
PID 1980 wrote to memory of 484	1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe	21
PID 1980 wrote to memory of 484	1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe	21
PID 1980 wrote to memory of 484	1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe	21
PID 1980 wrote to memory of 484	1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe	21
PID 1980 wrote to memory of 484	1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe	21
PID 1980 wrote to memory of 484	1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe	21
PID 1980 wrote to memory of 484	1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe	21
PID 1980 wrote to memory of 580	1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe	20
PID 1980 wrote to memory of 580	1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe	20
PID 1980 wrote to memory of 580	1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe	20
PID 1980 wrote to memory of 580	1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe	20
PID 1980 wrote to memory of 580	1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe	20
PID 1980 wrote to memory of 580	1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe	20
PID 1980 wrote to memory of 580	1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe	20
PID 1980 wrote to memory of 656	1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe	3
PID 1980 wrote to memory of 656	1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe	3
PID 1980 wrote to memory of 656	1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe	3
PID 1980 wrote to memory of 656	1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe	3
PID 1980 wrote to memory of 656	1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe	3
PID 1980 wrote to memory of 656	1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe	3
PID 1980 wrote to memory of 656	1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe	3
PID 1980 wrote to memory of 720	1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe	19
PID 1980 wrote to memory of 720	1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe	19
PID 1980 wrote to memory of 720	1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe	19
PID 1980 wrote to memory of 720	1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe	19
PID 1980 wrote to memory of 720	1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe	19
PID 1980 wrote to memory of 720	1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe	19
PID 1980 wrote to memory of 720	1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe	19
PID 1980 wrote to memory of 788	1980	95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe	18

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:476

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:460
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:656
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:952
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:964
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1192
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1036
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:360
- - C:\Windows\system32\winlogon.exe
    winlogon.exe
    3⤵
    PID:416
- - C:\Windows\system32\csrss.exe
    %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
    3⤵
    PID:380
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:296
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  PID:860
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:836
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:788
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:720
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:580

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1324
- C:\Users\Admin\AppData\Local\Temp\95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe
  "C:\Users\Admin\AppData\Local\Temp\95b924dd46157c0b106356d74c1934c5f37ffe5d8b296c2797fb30b1ff5aed1b.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1980

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
1⤵
PID:1912

\\?\C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:1956

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1272

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:484

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:368

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1980-54-0x0000000075981000-0x0000000075983000-memory.dmp

Filesize
8KB

Download
memory/1980-55-0x0000000001000000-0x0000000001036000-memory.dmp

Filesize
216KB

Download
memory/1980-56-0x0000000001000000-0x0000000001036000-memory.dmp

Filesize
216KB

Download