3c736646c78e1f7bbf22f90f30a9f9ad9aca49427ccbd847a9a6f1ff7c2bc475

Analysis

max time kernel
149s
max time network
157s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
12/10/2022, 17:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3c736646c78e1f7bbf22f90f30a9f9ad9aca49427ccbd847a9a6f1ff7c2bc475.exe
Size

268KB
MD5

61a3f4dc0c69aeeb46c92f132cddd870
SHA1

6ab84efdfaba0e5704c5d52dc3736d037b81e73e
SHA256

3c736646c78e1f7bbf22f90f30a9f9ad9aca49427ccbd847a9a6f1ff7c2bc475
SHA512

3c18360cb42ac23ef1b63770ee902c851bfea35f44f2dc549549d089fc54e0ca6857b51531fdca95865619ee189a9628f467ab0b5f6cf0c2a9fd990cf4b10d4d
SSDEEP

6144:efE6CjxeDRvLrtJ7zsVPcHqLPcvgV0mQkrWKa:eLIx4J70PcHq4U05aWKa

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1068	~D35463.tmp
1044	~D35464.tmp

Deletes itself 1 IoCs

pid	Process
1044	~D35464.tmp

Loads dropped DLL 6 IoCs

pid	Process
576	3c736646c78e1f7bbf22f90f30a9f9ad9aca49427ccbd847a9a6f1ff7c2bc475.exe
576	3c736646c78e1f7bbf22f90f30a9f9ad9aca49427ccbd847a9a6f1ff7c2bc475.exe
576	3c736646c78e1f7bbf22f90f30a9f9ad9aca49427ccbd847a9a6f1ff7c2bc475.exe
576	3c736646c78e1f7bbf22f90f30a9f9ad9aca49427ccbd847a9a6f1ff7c2bc475.exe
1068	~D35463.tmp
1284	notepad.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1284 set thread context of 1928	1284	notepad.exe	29

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1928	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeBackupPrivilege	1928	svchost.exe
Token: SeRestorePrivilege	1928	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1068	~D35463.tmp

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 576 wrote to memory of 1068	576	3c736646c78e1f7bbf22f90f30a9f9ad9aca49427ccbd847a9a6f1ff7c2bc475.exe	26
PID 576 wrote to memory of 1068	576	3c736646c78e1f7bbf22f90f30a9f9ad9aca49427ccbd847a9a6f1ff7c2bc475.exe	26
PID 576 wrote to memory of 1068	576	3c736646c78e1f7bbf22f90f30a9f9ad9aca49427ccbd847a9a6f1ff7c2bc475.exe	26
PID 576 wrote to memory of 1068	576	3c736646c78e1f7bbf22f90f30a9f9ad9aca49427ccbd847a9a6f1ff7c2bc475.exe	26
PID 576 wrote to memory of 1044	576	3c736646c78e1f7bbf22f90f30a9f9ad9aca49427ccbd847a9a6f1ff7c2bc475.exe	27
PID 576 wrote to memory of 1044	576	3c736646c78e1f7bbf22f90f30a9f9ad9aca49427ccbd847a9a6f1ff7c2bc475.exe	27
PID 576 wrote to memory of 1044	576	3c736646c78e1f7bbf22f90f30a9f9ad9aca49427ccbd847a9a6f1ff7c2bc475.exe	27
PID 576 wrote to memory of 1044	576	3c736646c78e1f7bbf22f90f30a9f9ad9aca49427ccbd847a9a6f1ff7c2bc475.exe	27
PID 1068 wrote to memory of 1284	1068	~D35463.tmp	28
PID 1068 wrote to memory of 1284	1068	~D35463.tmp	28
PID 1068 wrote to memory of 1284	1068	~D35463.tmp	28
PID 1068 wrote to memory of 1284	1068	~D35463.tmp	28
PID 1284 wrote to memory of 1928	1284	notepad.exe	29
PID 1284 wrote to memory of 1928	1284	notepad.exe	29
PID 1284 wrote to memory of 1928	1284	notepad.exe	29
PID 1284 wrote to memory of 1928	1284	notepad.exe	29
PID 1284 wrote to memory of 1928	1284	notepad.exe	29
PID 1284 wrote to memory of 1928	1284	notepad.exe	29
PID 1284 wrote to memory of 1928	1284	notepad.exe	29
PID 1284 wrote to memory of 1928	1284	notepad.exe	29
PID 1284 wrote to memory of 1928	1284	notepad.exe	29

C:\Users\Admin\AppData\Local\Temp\3c736646c78e1f7bbf22f90f30a9f9ad9aca49427ccbd847a9a6f1ff7c2bc475.exe
"C:\Users\Admin\AppData\Local\Temp\3c736646c78e1f7bbf22f90f30a9f9ad9aca49427ccbd847a9a6f1ff7c2bc475.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:576
- C:\Users\Admin\AppData\Local\Temp\~D35463.tmp
  C:\Users\Admin\AppData\Local\Temp\~D35463.tmp
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1068
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\system32\notepad.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1284
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1928
- C:\Users\Admin\AppData\Local\Temp\~D35464.tmp
  C:\Users\Admin\AppData\Local\Temp\~D35464.tmp C:\Users\Admin\AppData\Local\Temp\3c736646c78e1f7bbf22f90f30a9f9ad9aca49427ccbd847a9a6f1ff7c2bc475.exe
  2⤵
  - Executes dropped EXE
  - Deletes itself
  PID:1044

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp.dat

Filesize
26KB

MD5
89e654895fec3fea8b3ae8192a861353

SHA1
e9c6d421087e70e2cb9f00e5e4bcc7ac7c468c3a

SHA256
cba8cf06c61bc4f473bfaf8fd84210937d80454cd4e4fbef4859492e35d6697c

SHA512
5be58887f4305c1ce1c5f413b7999dde684e272b5752d3651065bf24d1366d462138578e647022e15c21fc2df954d329b8956cdbb5c7d724618243012289bb7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.dll

Filesize
11KB

MD5
b06646726470df933f96d867f4d29192

SHA1
79d75e113f41827bc28057379c236a7eca1202d8

SHA256
42460a417791bfcbb8027422c8f00941a36c2e96f2a3073ef0675ac757ee956c

SHA512
35c2f7400d80c23a815ebb4e66f551173345f1cbc4ae04c85bfb1634a4e9dbe0302744d09a12a04a39de957ead6b4b8a727a0d93a73affc26ac98e3cebfe9777

Download Submit
C:\Users\Admin\AppData\Local\Temp\~D35463.tmp

Filesize
148KB

MD5
61cd0847c13c74f324867ecf9b876192

SHA1
68a424cd05b9812c24a176ae96114003510cadf6

SHA256
9a53dfe13e5761cdee8d66a58234596971d6aa947f7736dd39421aebea2d7290

SHA512
8ccb3f4a24a3163d911cfba4b1846999dd61c5f58f6b8553d48f547560ec8020f6e50dd6edf6c9e5b2d61df728816b70f7ac149dfe1edab2868dd1f241de16bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\~D35464.tmp

Filesize
36KB

MD5
187b9ad6e09eeae46931101cbba8231a

SHA1
114f6cdf56ef6aa528c1d2e7386637d6220d0186

SHA256
309a14db741cf633d05f469cb294db5da2812b8c37d2f2615cc9bdbb1a32b589

SHA512
fc194670a22ffeb6d8d47f6522666a7522ba1c739ffdffdb4d7ddd6448aa4640df3ef4c4a52249f8cdea2f112898c56393826c18e208fea9adb109f9e78f0f0b

Download Submit
\Users\Admin\AppData\Local\Temp\tmp.dll

Filesize
11KB

MD5
b06646726470df933f96d867f4d29192

SHA1
79d75e113f41827bc28057379c236a7eca1202d8

SHA256
42460a417791bfcbb8027422c8f00941a36c2e96f2a3073ef0675ac757ee956c

SHA512
35c2f7400d80c23a815ebb4e66f551173345f1cbc4ae04c85bfb1634a4e9dbe0302744d09a12a04a39de957ead6b4b8a727a0d93a73affc26ac98e3cebfe9777

Download Submit
\Users\Admin\AppData\Local\Temp\tmp.dll

Filesize
11KB

MD5
b06646726470df933f96d867f4d29192

SHA1
79d75e113f41827bc28057379c236a7eca1202d8

SHA256
42460a417791bfcbb8027422c8f00941a36c2e96f2a3073ef0675ac757ee956c

SHA512
35c2f7400d80c23a815ebb4e66f551173345f1cbc4ae04c85bfb1634a4e9dbe0302744d09a12a04a39de957ead6b4b8a727a0d93a73affc26ac98e3cebfe9777

Download Submit
\Users\Admin\AppData\Local\Temp\~D35463.tmp

Filesize
148KB

MD5
61cd0847c13c74f324867ecf9b876192

SHA1
68a424cd05b9812c24a176ae96114003510cadf6

SHA256
9a53dfe13e5761cdee8d66a58234596971d6aa947f7736dd39421aebea2d7290

SHA512
8ccb3f4a24a3163d911cfba4b1846999dd61c5f58f6b8553d48f547560ec8020f6e50dd6edf6c9e5b2d61df728816b70f7ac149dfe1edab2868dd1f241de16bf

Download Submit
\Users\Admin\AppData\Local\Temp\~D35463.tmp

Filesize
148KB

MD5
61cd0847c13c74f324867ecf9b876192

SHA1
68a424cd05b9812c24a176ae96114003510cadf6

SHA256
9a53dfe13e5761cdee8d66a58234596971d6aa947f7736dd39421aebea2d7290

SHA512
8ccb3f4a24a3163d911cfba4b1846999dd61c5f58f6b8553d48f547560ec8020f6e50dd6edf6c9e5b2d61df728816b70f7ac149dfe1edab2868dd1f241de16bf

Download Submit
\Users\Admin\AppData\Local\Temp\~D35464.tmp

Filesize
36KB

MD5
187b9ad6e09eeae46931101cbba8231a

SHA1
114f6cdf56ef6aa528c1d2e7386637d6220d0186

SHA256
309a14db741cf633d05f469cb294db5da2812b8c37d2f2615cc9bdbb1a32b589

SHA512
fc194670a22ffeb6d8d47f6522666a7522ba1c739ffdffdb4d7ddd6448aa4640df3ef4c4a52249f8cdea2f112898c56393826c18e208fea9adb109f9e78f0f0b

Download Submit
\Users\Admin\AppData\Local\Temp\~D35464.tmp

Filesize
36KB

MD5
187b9ad6e09eeae46931101cbba8231a

SHA1
114f6cdf56ef6aa528c1d2e7386637d6220d0186

SHA256
309a14db741cf633d05f469cb294db5da2812b8c37d2f2615cc9bdbb1a32b589

SHA512
fc194670a22ffeb6d8d47f6522666a7522ba1c739ffdffdb4d7ddd6448aa4640df3ef4c4a52249f8cdea2f112898c56393826c18e208fea9adb109f9e78f0f0b

Download Submit
memory/576-54-0x0000000075911000-0x0000000075913000-memory.dmp

Filesize
8KB

Download
memory/1928-69-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1928-70-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1928-72-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1928-73-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1928-74-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1928-77-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1928-78-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download