f05e8c181d646d4fa8e1d5e1b26b42b6b6ab7e7753d396fb4197facb5a9708a1

Analysis

max time kernel
38s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
20/10/2022, 17:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f05e8c181d646d4fa8e1d5e1b26b42b6b6ab7e7753d396fb4197facb5a9708a1.exe
Size

12KB
MD5

a083ef50cb0f661815d39f820c9b0a40
SHA1

5d3306e4270cbd0d035d602d6f5488a96d7b2aac
SHA256

f05e8c181d646d4fa8e1d5e1b26b42b6b6ab7e7753d396fb4197facb5a9708a1
SHA512

c6622e716d87af025b6f312d49f76ae8e0e3095995dca0009da0f3503565d4ac09920681ba9acfc40e1b9b92d66216ecfd659b7130a2a5b3ccb0b0508b61b6ae
SSDEEP

192:W/WmbzFgZqnO7t262dwwXBbJCfo3+n0svoDW/vo4AbRQhbjpBnMbDAVlDRh:bmbzFgZEiYJ9q1/vUS

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
1964	f05e8c181d646d4fa8e1d5e1b26b42b6b6ab7e7753d396fb4197facb5a9708a1.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1816	sc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
920	1964	WerFault.exe	15

Runs net.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1964	f05e8c181d646d4fa8e1d5e1b26b42b6b6ab7e7753d396fb4197facb5a9708a1.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 280	1964	f05e8c181d646d4fa8e1d5e1b26b42b6b6ab7e7753d396fb4197facb5a9708a1.exe	28
PID 1964 wrote to memory of 280	1964	f05e8c181d646d4fa8e1d5e1b26b42b6b6ab7e7753d396fb4197facb5a9708a1.exe	28
PID 1964 wrote to memory of 280	1964	f05e8c181d646d4fa8e1d5e1b26b42b6b6ab7e7753d396fb4197facb5a9708a1.exe	28
PID 1964 wrote to memory of 280	1964	f05e8c181d646d4fa8e1d5e1b26b42b6b6ab7e7753d396fb4197facb5a9708a1.exe	28
PID 280 wrote to memory of 1668	280	cmd.exe	30
PID 280 wrote to memory of 1668	280	cmd.exe	30
PID 280 wrote to memory of 1668	280	cmd.exe	30
PID 280 wrote to memory of 1668	280	cmd.exe	30
PID 1964 wrote to memory of 1684	1964	f05e8c181d646d4fa8e1d5e1b26b42b6b6ab7e7753d396fb4197facb5a9708a1.exe	31
PID 1964 wrote to memory of 1684	1964	f05e8c181d646d4fa8e1d5e1b26b42b6b6ab7e7753d396fb4197facb5a9708a1.exe	31
PID 1964 wrote to memory of 1684	1964	f05e8c181d646d4fa8e1d5e1b26b42b6b6ab7e7753d396fb4197facb5a9708a1.exe	31
PID 1964 wrote to memory of 1684	1964	f05e8c181d646d4fa8e1d5e1b26b42b6b6ab7e7753d396fb4197facb5a9708a1.exe	31
PID 1684 wrote to memory of 1568	1684	cmd.exe	33
PID 1684 wrote to memory of 1568	1684	cmd.exe	33
PID 1684 wrote to memory of 1568	1684	cmd.exe	33
PID 1684 wrote to memory of 1568	1684	cmd.exe	33
PID 1964 wrote to memory of 1600	1964	f05e8c181d646d4fa8e1d5e1b26b42b6b6ab7e7753d396fb4197facb5a9708a1.exe	34
PID 1964 wrote to memory of 1600	1964	f05e8c181d646d4fa8e1d5e1b26b42b6b6ab7e7753d396fb4197facb5a9708a1.exe	34
PID 1964 wrote to memory of 1600	1964	f05e8c181d646d4fa8e1d5e1b26b42b6b6ab7e7753d396fb4197facb5a9708a1.exe	34
PID 1964 wrote to memory of 1600	1964	f05e8c181d646d4fa8e1d5e1b26b42b6b6ab7e7753d396fb4197facb5a9708a1.exe	34
PID 1964 wrote to memory of 1500	1964	f05e8c181d646d4fa8e1d5e1b26b42b6b6ab7e7753d396fb4197facb5a9708a1.exe	36
PID 1964 wrote to memory of 1500	1964	f05e8c181d646d4fa8e1d5e1b26b42b6b6ab7e7753d396fb4197facb5a9708a1.exe	36
PID 1964 wrote to memory of 1500	1964	f05e8c181d646d4fa8e1d5e1b26b42b6b6ab7e7753d396fb4197facb5a9708a1.exe	36
PID 1964 wrote to memory of 1500	1964	f05e8c181d646d4fa8e1d5e1b26b42b6b6ab7e7753d396fb4197facb5a9708a1.exe	36
PID 1600 wrote to memory of 516	1600	cmd.exe	39
PID 1600 wrote to memory of 516	1600	cmd.exe	39
PID 1600 wrote to memory of 516	1600	cmd.exe	39
PID 1600 wrote to memory of 516	1600	cmd.exe	39
PID 1500 wrote to memory of 1112	1500	cmd.exe	38
PID 1500 wrote to memory of 1112	1500	cmd.exe	38
PID 1500 wrote to memory of 1112	1500	cmd.exe	38
PID 1500 wrote to memory of 1112	1500	cmd.exe	38
PID 1964 wrote to memory of 576	1964	f05e8c181d646d4fa8e1d5e1b26b42b6b6ab7e7753d396fb4197facb5a9708a1.exe	40
PID 1964 wrote to memory of 576	1964	f05e8c181d646d4fa8e1d5e1b26b42b6b6ab7e7753d396fb4197facb5a9708a1.exe	40
PID 1964 wrote to memory of 576	1964	f05e8c181d646d4fa8e1d5e1b26b42b6b6ab7e7753d396fb4197facb5a9708a1.exe	40
PID 1964 wrote to memory of 576	1964	f05e8c181d646d4fa8e1d5e1b26b42b6b6ab7e7753d396fb4197facb5a9708a1.exe	40
PID 576 wrote to memory of 1816	576	cmd.exe	42
PID 576 wrote to memory of 1816	576	cmd.exe	42
PID 576 wrote to memory of 1816	576	cmd.exe	42
PID 576 wrote to memory of 1816	576	cmd.exe	42
PID 1964 wrote to memory of 920	1964	f05e8c181d646d4fa8e1d5e1b26b42b6b6ab7e7753d396fb4197facb5a9708a1.exe	43
PID 1964 wrote to memory of 920	1964	f05e8c181d646d4fa8e1d5e1b26b42b6b6ab7e7753d396fb4197facb5a9708a1.exe	43
PID 1964 wrote to memory of 920	1964	f05e8c181d646d4fa8e1d5e1b26b42b6b6ab7e7753d396fb4197facb5a9708a1.exe	43
PID 1964 wrote to memory of 920	1964	f05e8c181d646d4fa8e1d5e1b26b42b6b6ab7e7753d396fb4197facb5a9708a1.exe	43
PID 1112 wrote to memory of 1000	1112	net.exe	45
PID 1112 wrote to memory of 1000	1112	net.exe	45
PID 1112 wrote to memory of 1000	1112	net.exe	45
PID 1112 wrote to memory of 1000	1112	net.exe	45
PID 516 wrote to memory of 1524	516	net.exe	44
PID 516 wrote to memory of 1524	516	net.exe	44
PID 516 wrote to memory of 1524	516	net.exe	44
PID 516 wrote to memory of 1524	516	net.exe	44

C:\Users\Admin\AppData\Local\Temp\f05e8c181d646d4fa8e1d5e1b26b42b6b6ab7e7753d396fb4197facb5a9708a1.exe
"C:\Users\Admin\AppData\Local\Temp\f05e8c181d646d4fa8e1d5e1b26b42b6b6ab7e7753d396fb4197facb5a9708a1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows\system32 /e /p everyone:f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:280
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32 /e /p everyone:f
    3⤵
    PID:1668
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls "C:\Users\Admin\AppData\Local\Temp\" /e /p everyone:f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1684
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Temp\" /e /p everyone:f
    3⤵
    PID:1568
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop wscsvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1600
- - C:\Windows\SysWOW64\net.exe
    net stop wscsvc
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:516
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop wscsvc
      4⤵
      PID:1524
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop SharedAccess
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1500
- - C:\Windows\SysWOW64\net.exe
    net stop SharedAccess
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1112
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SharedAccess
      4⤵
      PID:1000
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config sharedaccess start= disabled
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:576
- - C:\Windows\SysWOW64\sc.exe
    sc config sharedaccess start= disabled
    3⤵
    - Launches sc.exe
    PID:1816
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 216
  2⤵
  - Program crash
  PID:920

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\opeA304.tmp

Filesize
1.7MB

MD5
b5eb5bd3066959611e1f7a80fd6cc172

SHA1
6fb1532059212c840737b3f923a9c0b152c0887a

SHA256
1ffb68a66f28f604adcae9c135f8dcf301316ab7fda8ebd294583c56dd26f7cc

SHA512
6c0743e0ff4922e859ba66b68040ab994dbae33e80c63ce8c993ad31a0c7aad6c6467484da1550063214953cd641dbf597438dd0c02f24164505d88ca80ea1b6

Download Submit
memory/1964-54-0x0000000075A11000-0x0000000075A13000-memory.dmp

Filesize
8KB

Download