7868902be03dc14617234072ae7ced6389f0044e7362a703b51759c48e9658d5

Analysis

max time kernel
55s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
18-10-2022 03:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7868902be03dc14617234072ae7ced6389f0044e7362a703b51759c48e9658d5.exe
Size

2.5MB
MD5

a0558c99404735d0e1281efa488fb98d
SHA1

2414772a41b57f9e556dcbe955711191a2db06b1
SHA256

7868902be03dc14617234072ae7ced6389f0044e7362a703b51759c48e9658d5
SHA512

001a289c95c2155c4c88f1be53226ba9b7b0b5ceae7542092eefe91d1aa5140a47014afc576c4b3a45dc72c181e0a58301b45a1b038878e4df35d3ab5c2a1d69
SSDEEP

24576:woTeEqAgbv+zwJEYLQjggOYNYNk6qM4BMYNT6wdwScagc9Irkz6U+1gLkAAl3RuW:DiXLvXJrUjgaBRvIYz6U+1godl3

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1684 set thread context of 98456	1684	7868902be03dc14617234072ae7ced6389f0044e7362a703b51759c48e9658d5.exe	28

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
98564	powershell.exe
98628	powershell.exe
98688	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	98564	powershell.exe
Token: SeDebugPrivilege	98628	powershell.exe
Token: SeDebugPrivilege	98688	powershell.exe
Token: SeDebugPrivilege	98456	AppLaunch.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 98456	1684	7868902be03dc14617234072ae7ced6389f0044e7362a703b51759c48e9658d5.exe	28
PID 1684 wrote to memory of 98456	1684	7868902be03dc14617234072ae7ced6389f0044e7362a703b51759c48e9658d5.exe	28
PID 1684 wrote to memory of 98456	1684	7868902be03dc14617234072ae7ced6389f0044e7362a703b51759c48e9658d5.exe	28
PID 1684 wrote to memory of 98456	1684	7868902be03dc14617234072ae7ced6389f0044e7362a703b51759c48e9658d5.exe	28
PID 1684 wrote to memory of 98456	1684	7868902be03dc14617234072ae7ced6389f0044e7362a703b51759c48e9658d5.exe	28
PID 1684 wrote to memory of 98456	1684	7868902be03dc14617234072ae7ced6389f0044e7362a703b51759c48e9658d5.exe	28
PID 1684 wrote to memory of 98456	1684	7868902be03dc14617234072ae7ced6389f0044e7362a703b51759c48e9658d5.exe	28
PID 1684 wrote to memory of 98456	1684	7868902be03dc14617234072ae7ced6389f0044e7362a703b51759c48e9658d5.exe	28
PID 1684 wrote to memory of 98456	1684	7868902be03dc14617234072ae7ced6389f0044e7362a703b51759c48e9658d5.exe	28
PID 98456 wrote to memory of 98520	98456	AppLaunch.exe	29
PID 98456 wrote to memory of 98520	98456	AppLaunch.exe	29
PID 98456 wrote to memory of 98520	98456	AppLaunch.exe	29
PID 98456 wrote to memory of 98520	98456	AppLaunch.exe	29
PID 98456 wrote to memory of 98520	98456	AppLaunch.exe	29
PID 98456 wrote to memory of 98520	98456	AppLaunch.exe	29
PID 98456 wrote to memory of 98520	98456	AppLaunch.exe	29
PID 98520 wrote to memory of 98548	98520	cmd.exe	31
PID 98520 wrote to memory of 98548	98520	cmd.exe	31
PID 98520 wrote to memory of 98548	98520	cmd.exe	31
PID 98520 wrote to memory of 98548	98520	cmd.exe	31
PID 98520 wrote to memory of 98548	98520	cmd.exe	31
PID 98520 wrote to memory of 98548	98520	cmd.exe	31
PID 98520 wrote to memory of 98548	98520	cmd.exe	31
PID 98520 wrote to memory of 98564	98520	cmd.exe	32
PID 98520 wrote to memory of 98564	98520	cmd.exe	32
PID 98520 wrote to memory of 98564	98520	cmd.exe	32
PID 98520 wrote to memory of 98564	98520	cmd.exe	32
PID 98520 wrote to memory of 98564	98520	cmd.exe	32
PID 98520 wrote to memory of 98564	98520	cmd.exe	32
PID 98520 wrote to memory of 98564	98520	cmd.exe	32
PID 98520 wrote to memory of 98628	98520	cmd.exe	33
PID 98520 wrote to memory of 98628	98520	cmd.exe	33
PID 98520 wrote to memory of 98628	98520	cmd.exe	33
PID 98520 wrote to memory of 98628	98520	cmd.exe	33
PID 98520 wrote to memory of 98628	98520	cmd.exe	33
PID 98520 wrote to memory of 98628	98520	cmd.exe	33
PID 98520 wrote to memory of 98628	98520	cmd.exe	33
PID 98520 wrote to memory of 98688	98520	cmd.exe	34
PID 98520 wrote to memory of 98688	98520	cmd.exe	34
PID 98520 wrote to memory of 98688	98520	cmd.exe	34
PID 98520 wrote to memory of 98688	98520	cmd.exe	34
PID 98520 wrote to memory of 98688	98520	cmd.exe	34
PID 98520 wrote to memory of 98688	98520	cmd.exe	34
PID 98520 wrote to memory of 98688	98520	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\7868902be03dc14617234072ae7ced6389f0044e7362a703b51759c48e9658d5.exe
"C:\Users\Admin\AppData\Local\Temp\7868902be03dc14617234072ae7ced6389f0044e7362a703b51759c48e9658d5.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:98456
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C chcp 1251 & powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\HostData"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:98520
  - - C:\Windows\SysWOW64\chcp.com
      chcp 1251
      4⤵
      PID:98548
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:98564
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:98628
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\HostData"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:98688

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
2837cf58ae22a222306cc7c880d4e7f3

SHA1
6928d3c3fb3d0c7a1533e67fd3bef2b9abc64936

SHA256
e1959cad93d5a977e395267cc189f962192eaadaef5c5b80d98aa27ac9a3e0db

SHA512
22703703035f34997cb00952751cd491ac1aa877cf553757d897b82d9789ea602819c573edefe2568fcb2fe60b32e2d19b84975761697ff0da8fef2b5024d505

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
2837cf58ae22a222306cc7c880d4e7f3

SHA1
6928d3c3fb3d0c7a1533e67fd3bef2b9abc64936

SHA256
e1959cad93d5a977e395267cc189f962192eaadaef5c5b80d98aa27ac9a3e0db

SHA512
22703703035f34997cb00952751cd491ac1aa877cf553757d897b82d9789ea602819c573edefe2568fcb2fe60b32e2d19b84975761697ff0da8fef2b5024d505

Download Submit
memory/98456-62-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/98456-63-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/98456-64-0x0000000076401000-0x0000000076403000-memory.dmp

Filesize
8KB

Download
memory/98456-56-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/98456-61-0x000000000040531E-mapping.dmp

Download
memory/98456-54-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/98520-65-0x0000000000000000-mapping.dmp

Download
memory/98548-67-0x0000000000000000-mapping.dmp

Download
memory/98564-72-0x000000006FD60000-0x000000007030B000-memory.dmp

Filesize
5.7MB

Download
memory/98564-71-0x000000006FD60000-0x000000007030B000-memory.dmp

Filesize
5.7MB

Download
memory/98564-69-0x0000000000000000-mapping.dmp

Download
memory/98628-73-0x0000000000000000-mapping.dmp

Download
memory/98628-76-0x000000006FD10000-0x00000000702BB000-memory.dmp

Filesize
5.7MB

Download
memory/98688-77-0x0000000000000000-mapping.dmp

Download
memory/98688-81-0x000000006FAB0000-0x000000007005B000-memory.dmp

Filesize
5.7MB

Download