60280e68d271a6d491eae63a6fd80d369bd057c46f596529d3366213b690d4cf

Analysis

max time kernel
45s
max time network
51s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
07/11/2022, 15:50

Target

60280e68d271a6d491eae63a6fd80d369bd057c46f596529d3366213b690d4cf.exe
Size

485KB
MD5

0ee6d60f5b2472fd775f0c7ed782ccfc
SHA1

35b668a98560cbe6a0656f99e4623e8c992f836d
SHA256

60280e68d271a6d491eae63a6fd80d369bd057c46f596529d3366213b690d4cf
SHA512

fd8f1b78601afb43b32a664604acd961102069511f2954a4f010cd6474b90725fb014998c2925b028e53ece159b230b367978c9b20032b04d72c3593036bd7f8
SSDEEP

12288:QFTPB2gQw1TmUfK67NR5LYyz34qz6IeDPAB8xM:gQwdmUfKSNR5kyboIYPAB8

Score

8^/10

Executes dropped EXE 1 IoCs

pid	Process
852	exploret.exe

Deletes itself 1 IoCs

pid	Process
780	cmd.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 852 set thread context of 1824	852	exploret.exe	28

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\exploret.exe	60280e68d271a6d491eae63a6fd80d369bd057c46f596529d3366213b690d4cf.exe
File opened for modification	C:\Windows\exploret.exe	60280e68d271a6d491eae63a6fd80d369bd057c46f596529d3366213b690d4cf.exe
File created	C:\Windows\uninstal.Bat	60280e68d271a6d491eae63a6fd80d369bd057c46f596529d3366213b690d4cf.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1600	60280e68d271a6d491eae63a6fd80d369bd057c46f596529d3366213b690d4cf.exe
Token: SeDebugPrivilege	852	exploret.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 852 wrote to memory of 1824	852	exploret.exe	28
PID 852 wrote to memory of 1824	852	exploret.exe	28
PID 852 wrote to memory of 1824	852	exploret.exe	28
PID 852 wrote to memory of 1824	852	exploret.exe	28
PID 852 wrote to memory of 1824	852	exploret.exe	28
PID 852 wrote to memory of 1824	852	exploret.exe	28
PID 1600 wrote to memory of 780	1600	60280e68d271a6d491eae63a6fd80d369bd057c46f596529d3366213b690d4cf.exe	29
PID 1600 wrote to memory of 780	1600	60280e68d271a6d491eae63a6fd80d369bd057c46f596529d3366213b690d4cf.exe	29
PID 1600 wrote to memory of 780	1600	60280e68d271a6d491eae63a6fd80d369bd057c46f596529d3366213b690d4cf.exe	29
PID 1600 wrote to memory of 780	1600	60280e68d271a6d491eae63a6fd80d369bd057c46f596529d3366213b690d4cf.exe	29
PID 1600 wrote to memory of 780	1600	60280e68d271a6d491eae63a6fd80d369bd057c46f596529d3366213b690d4cf.exe	29
PID 1600 wrote to memory of 780	1600	60280e68d271a6d491eae63a6fd80d369bd057c46f596529d3366213b690d4cf.exe	29
PID 1600 wrote to memory of 780	1600	60280e68d271a6d491eae63a6fd80d369bd057c46f596529d3366213b690d4cf.exe	29

C:\Users\Admin\AppData\Local\Temp\60280e68d271a6d491eae63a6fd80d369bd057c46f596529d3366213b690d4cf.exe
"C:\Users\Admin\AppData\Local\Temp\60280e68d271a6d491eae63a6fd80d369bd057c46f596529d3366213b690d4cf.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1600
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\uninstal.Bat
  2⤵
  - Deletes itself
  PID:780

C:\Windows\exploret.exe
C:\Windows\exploret.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:852
- C:\WINDOWS\SysWOW64\SvcHost.eXe
  C:\WINDOWS\system32\SvcHost.eXe
  2⤵
  PID:1824

C:\Windows\exploret.exe

Filesize
485KB

MD5
0ee6d60f5b2472fd775f0c7ed782ccfc

SHA1
35b668a98560cbe6a0656f99e4623e8c992f836d

SHA256
60280e68d271a6d491eae63a6fd80d369bd057c46f596529d3366213b690d4cf

SHA512
fd8f1b78601afb43b32a664604acd961102069511f2954a4f010cd6474b90725fb014998c2925b028e53ece159b230b367978c9b20032b04d72c3593036bd7f8

Download Submit
C:\Windows\exploret.exe

Filesize
485KB

MD5
0ee6d60f5b2472fd775f0c7ed782ccfc

SHA1
35b668a98560cbe6a0656f99e4623e8c992f836d

SHA256
60280e68d271a6d491eae63a6fd80d369bd057c46f596529d3366213b690d4cf

SHA512
fd8f1b78601afb43b32a664604acd961102069511f2954a4f010cd6474b90725fb014998c2925b028e53ece159b230b367978c9b20032b04d72c3593036bd7f8

Download Submit
C:\Windows\uninstal.Bat

Filesize
254B

MD5
414af7057be7c23c9a61314315706f76

SHA1
d635edc7e8e2c2da77d2bf50e0973346f45941fa

SHA256
a715c8fd8c888be733f8b2215d6be810d3fa9dee8a4d52daece7b706cc3cfb2d

SHA512
0831f5f91681f50924694d1e1310cdb5c6e5828406322ac8f5695827183e6211f93e20d0ef743c89554d58c3c07900885fd2a494f08c9df09313e85b2a6073ce

Download Submit
memory/1600-54-0x00000000752B1000-0x00000000752B3000-memory.dmp

Filesize
8KB

Download
memory/1824-58-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/1824-60-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download