Overview

overview

1

Static

static

b671586adf...1c.exe

windows7-x64

1

b671586adf...1c.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    40s
  • max time network
    33s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    21/11/2022, 14:59

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    b671586adf34c6d0547fc988a5f1e0443b1bddbc3b0239d24e940fdd07e63f1c.exe

  • Size

    196KB

  • MD5

    220e0f073e1d21384173ebd1a4effcd7

  • SHA1

    3d69fa68f2cdcab36e4628cd27cc698147fcbc22

  • SHA256

    b671586adf34c6d0547fc988a5f1e0443b1bddbc3b0239d24e940fdd07e63f1c

  • SHA512

    2da3a527cdc44e4ced9b4177782a6fad17717449fca0c1d89af9460c5e8dc67422aa782b1d814a46bfa37241cd3d5da6e80a5f936f1dfbf11a79413f23135b4d

  • SSDEEP

    3072:LRttuKltqdWJMNKLlo0+y+Lh+1SCxCcE91BbY4vnxgLQdkXstxwckBwkRQrewcxV:V3Pex0B1SAO5WLQdkT5Gq50AxNhE/KX

Score
1/10

Malware Config

Signatures

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 26 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsass.exe
    1⤵
      PID:476
    • C:\Windows\system32\services.exe
      C:\Windows\system32\services.exe
      1⤵
        PID:460
        • C:\Windows\system32\sppsvc.exe
          C:\Windows\system32\sppsvc.exe
          2⤵
            PID:600
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
            2⤵
              PID:304
            • C:\Windows\system32\taskhost.exe
              "taskhost.exe"
              2⤵
                PID:1108
              • C:\Windows\system32\svchost.exe
                C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
                2⤵
                  PID:1064
                • C:\Windows\System32\spoolsv.exe
                  C:\Windows\System32\spoolsv.exe
                  2⤵
                    PID:340
                  • C:\Windows\system32\svchost.exe
                    C:\Windows\system32\svchost.exe -k NetworkService
                    2⤵
                      PID:240
                    • C:\Windows\system32\svchost.exe
                      C:\Windows\system32\svchost.exe -k netsvcs
                      2⤵
                        PID:860
                      • C:\Windows\system32\svchost.exe
                        C:\Windows\system32\svchost.exe -k LocalService
                        2⤵
                          PID:836
                        • C:\Windows\System32\svchost.exe
                          C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
                          2⤵
                            PID:800
                          • C:\Windows\System32\svchost.exe
                            C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
                            2⤵
                              PID:740
                            • C:\Windows\system32\svchost.exe
                              C:\Windows\system32\svchost.exe -k RPCSS
                              2⤵
                                PID:664
                              • C:\Windows\system32\svchost.exe
                                C:\Windows\system32\svchost.exe -k DcomLaunch
                                2⤵
                                  PID:584
                              • C:\Windows\system32\winlogon.exe
                                winlogon.exe
                                1⤵
                                  PID:416
                                • C:\Windows\system32\csrss.exe
                                  %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
                                  1⤵
                                    PID:380
                                  • C:\Windows\system32\wininit.exe
                                    wininit.exe
                                    1⤵
                                      PID:368
                                      • C:\Windows\system32\lsm.exe
                                        C:\Windows\system32\lsm.exe
                                        2⤵
                                          PID:484
                                      • C:\Windows\system32\csrss.exe
                                        %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
                                        1⤵
                                          PID:332
                                        • C:\Windows\System32\smss.exe
                                          \SystemRoot\System32\smss.exe
                                          1⤵
                                            PID:260
                                          • C:\Windows\system32\wbem\wmiprvse.exe
                                            C:\Windows\system32\wbem\wmiprvse.exe
                                            1⤵
                                              PID:1988
                                            • C:\Users\Admin\AppData\Local\Temp\b671586adf34c6d0547fc988a5f1e0443b1bddbc3b0239d24e940fdd07e63f1c.exe
                                              "C:\Users\Admin\AppData\Local\Temp\b671586adf34c6d0547fc988a5f1e0443b1bddbc3b0239d24e940fdd07e63f1c.exe"
                                              1⤵
                                              • Suspicious behavior: EnumeratesProcesses
                                              • Suspicious use of AdjustPrivilegeToken
                                              • Suspicious use of WriteProcessMemory
                                              PID:2004
                                            • \\?\C:\Windows\system32\wbem\WMIADAP.EXE
                                              wmiadap.exe /F /T /R
                                              1⤵
                                                PID:1916
                                              • C:\Windows\Explorer.EXE
                                                C:\Windows\Explorer.EXE
                                                1⤵
                                                  PID:1188
                                                • C:\Windows\system32\Dwm.exe
                                                  "C:\Windows\system32\Dwm.exe"
                                                  1⤵
                                                    PID:1152

                                                  Network

                                                        MITRE ATT&CK Matrix

                                                        Replay Monitor

                                                        Loading Replay Monitor...

                                                        Downloads

                                                        • memory/1188-58-0x0000000002760000-0x000000000276D000-memory.dmp

                                                          Filesize

                                                          52KB

                                                          Download

                                                        • memory/2004-54-0x00000000002D0000-0x00000000002DB000-memory.dmp

                                                          Filesize

                                                          44KB

                                                          Download

                                                        • memory/2004-55-0x00000000765A1000-0x00000000765A3000-memory.dmp

                                                          Filesize

                                                          8KB

                                                          Download

                                                        • memory/2004-57-0x0000000000400000-0x0000000000431000-memory.dmp

                                                          Filesize

                                                          196KB

                                                          Download

                                                        • memory/2004-56-0x00000000002C0000-0x00000000002CB000-memory.dmp

                                                          Filesize

                                                          44KB

                                                          Download