57c74feece1c7c1d1c6a68c5855cbd0721b572a88e38161ed108e45841280524

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
20-10-2022 21:47

Target

57c74feece1c7c1d1c6a68c5855cbd0721b572a88e38161ed108e45841280524.exe
Size

274KB
MD5

96f7c32a317e76ed3f47606e441044f1
SHA1

f1b64abd5201f6fd6c4f9b157960d3dcf046e419
SHA256

57c74feece1c7c1d1c6a68c5855cbd0721b572a88e38161ed108e45841280524
SHA512

188a3ce340bcddc6715d652e6edb80c306668a2b1b785aa4b8af3b434e01c65a211f39b70dc5354343b92f6f7a74760134c7e1c320918bac9a22dd4c1b1da860
SSDEEP

6144:bC2/JE6yw0XvK0mBRFjB2cM9X9Rxwm40:hJExZvK0mBRFscMrjC0

Score

8^/10

Executes dropped EXE 1 IoCs

pid	Process
3832	systeini32

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\systeini32	57c74feece1c7c1d1c6a68c5855cbd0721b572a88e38161ed108e45841280524.exe
File opened for modification	C:\Windows\systeini32	57c74feece1c7c1d1c6a68c5855cbd0721b572a88e38161ed108e45841280524.exe
File created	C:\Windows\uninstal.bat	57c74feece1c7c1d1c6a68c5855cbd0721b572a88e38161ed108e45841280524.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	864	57c74feece1c7c1d1c6a68c5855cbd0721b572a88e38161ed108e45841280524.exe
Token: SeDebugPrivilege	3832	systeini32

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3832	systeini32

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3832 wrote to memory of 3540	3832	systeini32	85
PID 3832 wrote to memory of 3540	3832	systeini32	85
PID 864 wrote to memory of 4612	864	57c74feece1c7c1d1c6a68c5855cbd0721b572a88e38161ed108e45841280524.exe	89
PID 864 wrote to memory of 4612	864	57c74feece1c7c1d1c6a68c5855cbd0721b572a88e38161ed108e45841280524.exe	89
PID 864 wrote to memory of 4612	864	57c74feece1c7c1d1c6a68c5855cbd0721b572a88e38161ed108e45841280524.exe	89

C:\Users\Admin\AppData\Local\Temp\57c74feece1c7c1d1c6a68c5855cbd0721b572a88e38161ed108e45841280524.exe
"C:\Users\Admin\AppData\Local\Temp\57c74feece1c7c1d1c6a68c5855cbd0721b572a88e38161ed108e45841280524.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:864
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
  2⤵
  PID:4612

C:\Windows\systeini32
C:\Windows\systeini32
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3832
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:3540

C:\Windows\systeini32

Filesize
274KB

MD5
96f7c32a317e76ed3f47606e441044f1

SHA1
f1b64abd5201f6fd6c4f9b157960d3dcf046e419

SHA256
57c74feece1c7c1d1c6a68c5855cbd0721b572a88e38161ed108e45841280524

SHA512
188a3ce340bcddc6715d652e6edb80c306668a2b1b785aa4b8af3b434e01c65a211f39b70dc5354343b92f6f7a74760134c7e1c320918bac9a22dd4c1b1da860

Download Submit
C:\Windows\systeini32

Filesize
274KB

MD5
96f7c32a317e76ed3f47606e441044f1

SHA1
f1b64abd5201f6fd6c4f9b157960d3dcf046e419

SHA256
57c74feece1c7c1d1c6a68c5855cbd0721b572a88e38161ed108e45841280524

SHA512
188a3ce340bcddc6715d652e6edb80c306668a2b1b785aa4b8af3b434e01c65a211f39b70dc5354343b92f6f7a74760134c7e1c320918bac9a22dd4c1b1da860

Download Submit
C:\Windows\uninstal.bat

Filesize
254B

MD5
3b9db800f2f3db82cb89f6cea3504427

SHA1
92293e56d56cea57975003d1d875cb09ff148a64

SHA256
fdbc2428d1c1a8a148185d8ec4d3b1f434a1ab27cad0b2c1ce08734c9c9fc4fc

SHA512
00a79b5042332bd1c0d125145c07d286d347182cf7544eeb93cfaa37230ff46f596da272856d7d16a593cb6d5e3dde9013fba8b11983c2e71b3551a4ea002e33

Download Submit
memory/864-132-0x0000000000400000-0x0000000000507CC0-memory.dmp

Filesize
1.0MB

Download
memory/864-133-0x0000000000400000-0x0000000000507CC0-memory.dmp

Filesize
1.0MB

Download
memory/3832-136-0x0000000000400000-0x0000000000507CC0-memory.dmp

Filesize
1.0MB

Download
memory/3832-139-0x0000000000400000-0x0000000000507CC0-memory.dmp

Filesize
1.0MB

Download
memory/4612-137-0x0000000000000000-mapping.dmp

Download