2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c

Analysis

max time kernel
48s
max time network
53s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
07/11/2022, 16:51 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c.exe
Size

59KB
MD5

0e8c14f99b6e21d1241227773067fc77
SHA1

e296463d825bd8f124bb9a5830bb91a946b8e91f
SHA256

2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c
SHA512

f2c0785115565a4936755a39452d45d28a7786c0c4a26567e99512e7e03066798bba1d820ea285a6faae542b32e5bcf9de497d8944eb01f3e474795a7af49c5f
SSDEEP

768:gmK9BSp2B82r4IabOOeEM8HhaE3107giP23yElhrp5jDuIdGBUgmUz7jjAfyD9Gy:O22B82rnqeET2zWPp03zzAf4Gbv

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	\??\c:\windows\SysWOW64\wuaucldt.exe	2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1140	2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c.exe

Suspicious behavior: MapViewOfSection 20 IoCs

pid	Process
1140	2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c.exe
1140	2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c.exe
1140	2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c.exe
1140	2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c.exe
1140	2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c.exe
1140	2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c.exe
1140	2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c.exe
1140	2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c.exe
1140	2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c.exe
1140	2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c.exe
1140	2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c.exe
1140	2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c.exe
1140	2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c.exe
1140	2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c.exe
1140	2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c.exe
1140	2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c.exe
1140	2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c.exe
1140	2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c.exe
1140	2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c.exe
1140	2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1140	2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1140 wrote to memory of 372	1140	2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c.exe	5
PID 1140 wrote to memory of 372	1140	2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c.exe	5
PID 1140 wrote to memory of 372	1140	2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c.exe	5
PID 1140 wrote to memory of 372	1140	2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c.exe	5
PID 1140 wrote to memory of 372	1140	2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c.exe	5
PID 1140 wrote to memory of 372	1140	2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c.exe	5
PID 1140 wrote to memory of 372	1140	2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c.exe	5
PID 1140 wrote to memory of 380	1140	2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c.exe	4
PID 1140 wrote to memory of 380	1140	2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c.exe	4
PID 1140 wrote to memory of 380	1140	2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c.exe	4
PID 1140 wrote to memory of 380	1140	2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c.exe	4
PID 1140 wrote to memory of 380	1140	2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c.exe	4
PID 1140 wrote to memory of 380	1140	2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c.exe	4
PID 1140 wrote to memory of 380	1140	2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c.exe	4
PID 1140 wrote to memory of 420	1140	2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c.exe	3
PID 1140 wrote to memory of 420	1140	2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c.exe	3
PID 1140 wrote to memory of 420	1140	2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c.exe	3
PID 1140 wrote to memory of 420	1140	2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c.exe	3
PID 1140 wrote to memory of 420	1140	2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c.exe	3
PID 1140 wrote to memory of 420	1140	2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c.exe	3
PID 1140 wrote to memory of 420	1140	2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c.exe	3
PID 1140 wrote to memory of 464	1140	2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c.exe	2
PID 1140 wrote to memory of 464	1140	2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c.exe	2
PID 1140 wrote to memory of 464	1140	2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c.exe	2
PID 1140 wrote to memory of 464	1140	2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c.exe	2
PID 1140 wrote to memory of 464	1140	2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c.exe	2
PID 1140 wrote to memory of 464	1140	2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c.exe	2
PID 1140 wrote to memory of 464	1140	2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c.exe	2
PID 1140 wrote to memory of 480	1140	2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c.exe	1
PID 1140 wrote to memory of 480	1140	2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c.exe	1
PID 1140 wrote to memory of 480	1140	2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c.exe	1
PID 1140 wrote to memory of 480	1140	2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c.exe	1
PID 1140 wrote to memory of 480	1140	2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c.exe	1
PID 1140 wrote to memory of 480	1140	2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c.exe	1
PID 1140 wrote to memory of 480	1140	2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c.exe	1
PID 1140 wrote to memory of 488	1140	2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c.exe	8
PID 1140 wrote to memory of 488	1140	2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c.exe	8
PID 1140 wrote to memory of 488	1140	2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c.exe	8
PID 1140 wrote to memory of 488	1140	2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c.exe	8
PID 1140 wrote to memory of 488	1140	2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c.exe	8
PID 1140 wrote to memory of 488	1140	2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c.exe	8
PID 1140 wrote to memory of 488	1140	2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c.exe	8
PID 1140 wrote to memory of 588	1140	2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c.exe	11
PID 1140 wrote to memory of 588	1140	2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c.exe	11
PID 1140 wrote to memory of 588	1140	2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c.exe	11
PID 1140 wrote to memory of 588	1140	2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c.exe	11
PID 1140 wrote to memory of 588	1140	2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c.exe	11
PID 1140 wrote to memory of 588	1140	2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c.exe	11
PID 1140 wrote to memory of 588	1140	2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c.exe	11
PID 1140 wrote to memory of 664	1140	2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c.exe	9
PID 1140 wrote to memory of 664	1140	2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c.exe	9
PID 1140 wrote to memory of 664	1140	2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c.exe	9
PID 1140 wrote to memory of 664	1140	2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c.exe	9
PID 1140 wrote to memory of 664	1140	2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c.exe	9
PID 1140 wrote to memory of 664	1140	2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c.exe	9
PID 1140 wrote to memory of 664	1140	2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c.exe	9
PID 1140 wrote to memory of 752	1140	2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c.exe	10
PID 1140 wrote to memory of 752	1140	2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c.exe	10
PID 1140 wrote to memory of 752	1140	2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c.exe	10
PID 1140 wrote to memory of 752	1140	2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c.exe	10
PID 1140 wrote to memory of 752	1140	2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c.exe	10
PID 1140 wrote to memory of 752	1140	2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c.exe	10
PID 1140 wrote to memory of 752	1140	2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c.exe	10
PID 1140 wrote to memory of 800	1140	2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c.exe	12

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:480

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:464
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:664
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:752
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:588
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:800
- - C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    3⤵
    PID:1184
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:844
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  PID:868
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:300
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:864
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1044
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1124
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:1748
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:308

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:420

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:380

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:372
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:488

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1240
- C:\Users\Admin\AppData\Local\Temp\2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c.exe
  "C:\Users\Admin\AppData\Local\Temp\2430c727416412812c20ff5b64bc8c7186c34d1a7dc3eec060ee8084ab1c718c.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1140

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1140-54-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1140-55-0x0000000009000000-0x0000000009009000-memory.dmp

Filesize
36KB

Download
memory/1140-56-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1140-57-0x0000000070000000-0x000000007000B000-memory.dmp

Filesize
44KB

Download