64cefd538c7dfd6071f5d1049df7fb8f842adaad084ea7e611de352355ddff2d

Analysis

max time kernel
136s
max time network
153s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
21-10-2022 05:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64cefd538c7dfd6071f5d1049df7fb8f842adaad084ea7e611de352355ddff2d.exe
Size

293KB
MD5

51fcd683bb84673ed1af7e5df24a89f0
SHA1

072c505bb4458c133f73db34f6d3b64ed032c1db
SHA256

64cefd538c7dfd6071f5d1049df7fb8f842adaad084ea7e611de352355ddff2d
SHA512

590a79b1e8ff6a9094fd72f235190d8309d9891e7ad9e47d1811ff9a2eed129025af65358b0985a4d6d972ad658206c1bde166400c3e8edcca675cad2576c38a
SSDEEP

6144:HSrWvq1IqBAGgdDBH1TnJjAkJTfgjvTm+wHrethXiWVuh7acUP4:pvqyNtjtfsbm70hXR8hLX

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1128	sys

Deletes itself 1 IoCs

pid	Process
1532	cmd.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\sys	64cefd538c7dfd6071f5d1049df7fb8f842adaad084ea7e611de352355ddff2d.exe
File created	C:\Windows\uninstal.bat	64cefd538c7dfd6071f5d1049df7fb8f842adaad084ea7e611de352355ddff2d.exe
File created	C:\Windows\sys	64cefd538c7dfd6071f5d1049df7fb8f842adaad084ea7e611de352355ddff2d.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1464	64cefd538c7dfd6071f5d1049df7fb8f842adaad084ea7e611de352355ddff2d.exe
Token: SeDebugPrivilege	1128	sys

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1128	sys

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1464 wrote to memory of 1532	1464	64cefd538c7dfd6071f5d1049df7fb8f842adaad084ea7e611de352355ddff2d.exe	28
PID 1464 wrote to memory of 1532	1464	64cefd538c7dfd6071f5d1049df7fb8f842adaad084ea7e611de352355ddff2d.exe	28
PID 1464 wrote to memory of 1532	1464	64cefd538c7dfd6071f5d1049df7fb8f842adaad084ea7e611de352355ddff2d.exe	28
PID 1464 wrote to memory of 1532	1464	64cefd538c7dfd6071f5d1049df7fb8f842adaad084ea7e611de352355ddff2d.exe	28
PID 1464 wrote to memory of 1532	1464	64cefd538c7dfd6071f5d1049df7fb8f842adaad084ea7e611de352355ddff2d.exe	28
PID 1464 wrote to memory of 1532	1464	64cefd538c7dfd6071f5d1049df7fb8f842adaad084ea7e611de352355ddff2d.exe	28
PID 1464 wrote to memory of 1532	1464	64cefd538c7dfd6071f5d1049df7fb8f842adaad084ea7e611de352355ddff2d.exe	28

C:\Users\Admin\AppData\Local\Temp\64cefd538c7dfd6071f5d1049df7fb8f842adaad084ea7e611de352355ddff2d.exe
"C:\Users\Admin\AppData\Local\Temp\64cefd538c7dfd6071f5d1049df7fb8f842adaad084ea7e611de352355ddff2d.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1464
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\uninstal.bat
  2⤵
  - Deletes itself
  PID:1532

C:\Windows\sys
C:\Windows\sys
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1128

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\sys

Filesize
293KB

MD5
51fcd683bb84673ed1af7e5df24a89f0

SHA1
072c505bb4458c133f73db34f6d3b64ed032c1db

SHA256
64cefd538c7dfd6071f5d1049df7fb8f842adaad084ea7e611de352355ddff2d

SHA512
590a79b1e8ff6a9094fd72f235190d8309d9891e7ad9e47d1811ff9a2eed129025af65358b0985a4d6d972ad658206c1bde166400c3e8edcca675cad2576c38a

Download Submit
C:\Windows\sys

Filesize
293KB

MD5
51fcd683bb84673ed1af7e5df24a89f0

SHA1
072c505bb4458c133f73db34f6d3b64ed032c1db

SHA256
64cefd538c7dfd6071f5d1049df7fb8f842adaad084ea7e611de352355ddff2d

SHA512
590a79b1e8ff6a9094fd72f235190d8309d9891e7ad9e47d1811ff9a2eed129025af65358b0985a4d6d972ad658206c1bde166400c3e8edcca675cad2576c38a

Download Submit
C:\Windows\uninstal.bat

Filesize
254B

MD5
7c4357113dae5b72c7dd63736384fd6e

SHA1
95711a62851ba28bec283289a1a2be833eb5e7de

SHA256
7837df9eb7146b52f9d2110f77cf3e52b49135e5530038eda732e0da854acfdf

SHA512
71e356b61a35d801e3c7ccb5e99c9b9e23b84726da7783f7afa3f36c6b0850863daa73fdb9b07537b965770da02226b9c6d77f9723f7b9ad979849b37094e59f

Download Submit
memory/1128-62-0x0000000000400000-0x00000000005A6000-memory.dmp

Filesize
1.6MB

Download
memory/1128-63-0x0000000000240000-0x0000000000244000-memory.dmp

Filesize
16KB

Download
memory/1128-64-0x0000000000400000-0x00000000005A6000-memory.dmp

Filesize
1.6MB

Download
memory/1128-65-0x0000000000240000-0x0000000000244000-memory.dmp

Filesize
16KB

Download
memory/1464-54-0x00000000758B1000-0x00000000758B3000-memory.dmp

Filesize
8KB

Download
memory/1464-55-0x0000000000400000-0x00000000005A6000-memory.dmp

Filesize
1.6MB

Download
memory/1464-56-0x0000000000240000-0x0000000000244000-memory.dmp

Filesize
16KB

Download
memory/1532-60-0x0000000000000000-mapping.dmp

Download