57c74feece1c7c1d1c6a68c5855cbd0721b572a88e38161ed108e45841280524

Analysis

max time kernel
150s
max time network
172s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
20-10-2022 21:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

57c74feece1c7c1d1c6a68c5855cbd0721b572a88e38161ed108e45841280524.exe
Size

274KB
MD5

96f7c32a317e76ed3f47606e441044f1
SHA1

f1b64abd5201f6fd6c4f9b157960d3dcf046e419
SHA256

57c74feece1c7c1d1c6a68c5855cbd0721b572a88e38161ed108e45841280524
SHA512

188a3ce340bcddc6715d652e6edb80c306668a2b1b785aa4b8af3b434e01c65a211f39b70dc5354343b92f6f7a74760134c7e1c320918bac9a22dd4c1b1da860
SSDEEP

6144:bC2/JE6yw0XvK0mBRFjB2cM9X9Rxwm40:hJExZvK0mBRFscMrjC0

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
748	systeini32

Deletes itself 1 IoCs

pid	Process
1568	cmd.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\systeini32	57c74feece1c7c1d1c6a68c5855cbd0721b572a88e38161ed108e45841280524.exe
File opened for modification	C:\Windows\systeini32	57c74feece1c7c1d1c6a68c5855cbd0721b572a88e38161ed108e45841280524.exe
File created	C:\Windows\uninstal.bat	57c74feece1c7c1d1c6a68c5855cbd0721b572a88e38161ed108e45841280524.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1284	57c74feece1c7c1d1c6a68c5855cbd0721b572a88e38161ed108e45841280524.exe
Token: SeDebugPrivilege	748	systeini32

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
748	systeini32

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 748 wrote to memory of 1528	748	systeini32	29
PID 748 wrote to memory of 1528	748	systeini32	29
PID 748 wrote to memory of 1528	748	systeini32	29
PID 748 wrote to memory of 1528	748	systeini32	29
PID 1284 wrote to memory of 1568	1284	57c74feece1c7c1d1c6a68c5855cbd0721b572a88e38161ed108e45841280524.exe	30
PID 1284 wrote to memory of 1568	1284	57c74feece1c7c1d1c6a68c5855cbd0721b572a88e38161ed108e45841280524.exe	30
PID 1284 wrote to memory of 1568	1284	57c74feece1c7c1d1c6a68c5855cbd0721b572a88e38161ed108e45841280524.exe	30
PID 1284 wrote to memory of 1568	1284	57c74feece1c7c1d1c6a68c5855cbd0721b572a88e38161ed108e45841280524.exe	30
PID 1284 wrote to memory of 1568	1284	57c74feece1c7c1d1c6a68c5855cbd0721b572a88e38161ed108e45841280524.exe	30
PID 1284 wrote to memory of 1568	1284	57c74feece1c7c1d1c6a68c5855cbd0721b572a88e38161ed108e45841280524.exe	30
PID 1284 wrote to memory of 1568	1284	57c74feece1c7c1d1c6a68c5855cbd0721b572a88e38161ed108e45841280524.exe	30

C:\Users\Admin\AppData\Local\Temp\57c74feece1c7c1d1c6a68c5855cbd0721b572a88e38161ed108e45841280524.exe
"C:\Users\Admin\AppData\Local\Temp\57c74feece1c7c1d1c6a68c5855cbd0721b572a88e38161ed108e45841280524.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1284
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\uninstal.bat
  2⤵
  - Deletes itself
  PID:1568

C:\Windows\systeini32
C:\Windows\systeini32
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:748
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:1528

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\systeini32

Filesize
274KB

MD5
96f7c32a317e76ed3f47606e441044f1

SHA1
f1b64abd5201f6fd6c4f9b157960d3dcf046e419

SHA256
57c74feece1c7c1d1c6a68c5855cbd0721b572a88e38161ed108e45841280524

SHA512
188a3ce340bcddc6715d652e6edb80c306668a2b1b785aa4b8af3b434e01c65a211f39b70dc5354343b92f6f7a74760134c7e1c320918bac9a22dd4c1b1da860

Download Submit
C:\Windows\systeini32

Filesize
274KB

MD5
96f7c32a317e76ed3f47606e441044f1

SHA1
f1b64abd5201f6fd6c4f9b157960d3dcf046e419

SHA256
57c74feece1c7c1d1c6a68c5855cbd0721b572a88e38161ed108e45841280524

SHA512
188a3ce340bcddc6715d652e6edb80c306668a2b1b785aa4b8af3b434e01c65a211f39b70dc5354343b92f6f7a74760134c7e1c320918bac9a22dd4c1b1da860

Download Submit
C:\Windows\uninstal.bat

Filesize
254B

MD5
3b9db800f2f3db82cb89f6cea3504427

SHA1
92293e56d56cea57975003d1d875cb09ff148a64

SHA256
fdbc2428d1c1a8a148185d8ec4d3b1f434a1ab27cad0b2c1ce08734c9c9fc4fc

SHA512
00a79b5042332bd1c0d125145c07d286d347182cf7544eeb93cfaa37230ff46f596da272856d7d16a593cb6d5e3dde9013fba8b11983c2e71b3551a4ea002e33

Download Submit
memory/748-60-0x0000000000400000-0x0000000000507CC0-memory.dmp

Filesize
1.0MB

Download
memory/748-63-0x0000000000400000-0x0000000000507CC0-memory.dmp

Filesize
1.0MB

Download
memory/1284-54-0x0000000075A11000-0x0000000075A13000-memory.dmp

Filesize
8KB

Download
memory/1284-55-0x0000000000400000-0x0000000000507CC0-memory.dmp

Filesize
1.0MB

Download
memory/1284-56-0x0000000000400000-0x0000000000507CC0-memory.dmp

Filesize
1.0MB

Download
memory/1568-61-0x0000000000000000-mapping.dmp

Download