382c47bf4a08019cc79ced343e2e7e1ecee9d980d0c68c506bf53dcc39740daa

Analysis

max time kernel
40s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
21-11-2022 16:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

382c47bf4a08019cc79ced343e2e7e1ecee9d980d0c68c506bf53dcc39740daa.exe
Size

187KB
MD5

09d1fcca4bfb32cead46f345c51aff50
SHA1

415c952d227d914a2ab2019c4ac7a07dccfb1afd
SHA256

382c47bf4a08019cc79ced343e2e7e1ecee9d980d0c68c506bf53dcc39740daa
SHA512

e22e59b303be9f6af4f70d87af842b1351fe1f53467f9d3fab7dd4df0d75895e6db8411da0931041584cb1b3f0f85ccfd902d0483396e0e7d255444fb5926909
SSDEEP

3072:gKJIjkwdqoESQ5OA9W589o90/qBGTV6kJetrXCjmPFZdtIddddddDBe0I7NCr45U:gwoESQ5OA858O98qkTV6uehXCGhPRCrL

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 5 IoCs

pid	Process
1196	382c47bf4a08019cc79ced343e2e7e1ecee9d980d0c68c506bf53dcc39740daa.exe
1196	382c47bf4a08019cc79ced343e2e7e1ecee9d980d0c68c506bf53dcc39740daa.exe
1196	382c47bf4a08019cc79ced343e2e7e1ecee9d980d0c68c506bf53dcc39740daa.exe
1196	382c47bf4a08019cc79ced343e2e7e1ecee9d980d0c68c506bf53dcc39740daa.exe
1196	382c47bf4a08019cc79ced343e2e7e1ecee9d980d0c68c506bf53dcc39740daa.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1196	382c47bf4a08019cc79ced343e2e7e1ecee9d980d0c68c506bf53dcc39740daa.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1196	382c47bf4a08019cc79ced343e2e7e1ecee9d980d0c68c506bf53dcc39740daa.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1196	382c47bf4a08019cc79ced343e2e7e1ecee9d980d0c68c506bf53dcc39740daa.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1196 wrote to memory of 884	1196	382c47bf4a08019cc79ced343e2e7e1ecee9d980d0c68c506bf53dcc39740daa.exe	27
PID 1196 wrote to memory of 884	1196	382c47bf4a08019cc79ced343e2e7e1ecee9d980d0c68c506bf53dcc39740daa.exe	27
PID 1196 wrote to memory of 884	1196	382c47bf4a08019cc79ced343e2e7e1ecee9d980d0c68c506bf53dcc39740daa.exe	27
PID 1196 wrote to memory of 884	1196	382c47bf4a08019cc79ced343e2e7e1ecee9d980d0c68c506bf53dcc39740daa.exe	27
PID 884 wrote to memory of 608	884	csc.exe	29
PID 884 wrote to memory of 608	884	csc.exe	29
PID 884 wrote to memory of 608	884	csc.exe	29
PID 884 wrote to memory of 608	884	csc.exe	29

C:\Users\Admin\AppData\Local\Temp\382c47bf4a08019cc79ced343e2e7e1ecee9d980d0c68c506bf53dcc39740daa.exe
"C:\Users\Admin\AppData\Local\Temp\382c47bf4a08019cc79ced343e2e7e1ecee9d980d0c68c506bf53dcc39740daa.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1196
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\-lxhjqx3.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:884
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES12C7.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC12C6.tmp"
    3⤵
    PID:608

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\-lxhjqx3.dll

Filesize
4KB

MD5
b13d072be48e5a5c74f69c91ba64438f

SHA1
2ace642439e9cca5e64170a31ce3a501bfc717d2

SHA256
8eb15906669a5c35483c0db59da9f8dd297fe37f4d128eaf193e4b4791acca91

SHA512
a3953a611d045cf5757e905bb4e444bf9441fa0d0f6d65adb62712713bd95391a20ec97f23235854e63f91cd4506e78857cddbeab426abc03b0a7920b857fd3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES12C7.tmp

Filesize
1KB

MD5
56ccc99c2ddf2da982bd4b885b6a1588

SHA1
2452c55fdcb308499373fcad9eab5d438b129585

SHA256
ce1b9eacf24e0a670dba2f10c01e5437e7a7550c5d8afb405237f162a2ad6424

SHA512
a8eaac2a8b52c52b8567b87464ddd5e8cb658f50a8bf7b3e7a90f9baf8cb667119afd8aa4f0abec980eb83a41f7746843a8f7144414bbf866643fbae58c53fb0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\-lxhjqx3.0.cs

Filesize
1KB

MD5
726a6cdc1c8c93a4187bde307bdcce62

SHA1
7be83ba9aa298ee36171b41c2696091eb9096230

SHA256
f80bab86984f7b0a86e23622bc49bd78c54acbf179e9fb4be1ee14fa0a6616d0

SHA512
0ba2ca78052eb3f0bbcb533f2a511d4d2fa459893c0e7f795d255124f079f7b7b6532631ebf72516ec6b67cce132d0b955e87f7369b5fd08c26afb4160e86cdd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\-lxhjqx3.cmdline

Filesize
195B

MD5
025e2b9796a2156f3335e689417a29e6

SHA1
326d4ece86c0628d50f97b5e469cd79d4d604dd6

SHA256
bb2671ba2fa529a2fb9a94ba26e8a1cb71b73e487ab83efee9037c67639193c5

SHA512
117d11277e4d7a139a6350dba331bc7470e07eca2f8240a5fb68db2433cbde4dcca01e56ff67f98e4c6f9fbe7705288d7588b96edcd76f8dde34252f0d04f4c8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC12C6.tmp

Filesize
652B

MD5
a2fb3bf953475503996f6d7ede551ee7

SHA1
d76860deed6f9964558b4740c21c962f97dcacc1

SHA256
a73c0d764470e99fa7ec24a71eb06259242d79d0ea40e84dcff232022d657378

SHA512
cbecedc94e8cafee270d3bfca53796778c1be2594ad9dab80b517c80acebfae543e371265f6535c0dceaf36280aab560081979b8880111502e69847c1c6f919f

Download Submit
\Users\Admin\AppData\Local\Temp\-lxhjqx3.dll

Filesize
4KB

MD5
b13d072be48e5a5c74f69c91ba64438f

SHA1
2ace642439e9cca5e64170a31ce3a501bfc717d2

SHA256
8eb15906669a5c35483c0db59da9f8dd297fe37f4d128eaf193e4b4791acca91

SHA512
a3953a611d045cf5757e905bb4e444bf9441fa0d0f6d65adb62712713bd95391a20ec97f23235854e63f91cd4506e78857cddbeab426abc03b0a7920b857fd3d

Download Submit
\Users\Admin\AppData\Local\Temp\-lxhjqx3.dll

Filesize
4KB

MD5
b13d072be48e5a5c74f69c91ba64438f

SHA1
2ace642439e9cca5e64170a31ce3a501bfc717d2

SHA256
8eb15906669a5c35483c0db59da9f8dd297fe37f4d128eaf193e4b4791acca91

SHA512
a3953a611d045cf5757e905bb4e444bf9441fa0d0f6d65adb62712713bd95391a20ec97f23235854e63f91cd4506e78857cddbeab426abc03b0a7920b857fd3d

Download Submit
\Users\Admin\AppData\Local\Temp\-lxhjqx3.dll

Filesize
4KB

MD5
b13d072be48e5a5c74f69c91ba64438f

SHA1
2ace642439e9cca5e64170a31ce3a501bfc717d2

SHA256
8eb15906669a5c35483c0db59da9f8dd297fe37f4d128eaf193e4b4791acca91

SHA512
a3953a611d045cf5757e905bb4e444bf9441fa0d0f6d65adb62712713bd95391a20ec97f23235854e63f91cd4506e78857cddbeab426abc03b0a7920b857fd3d

Download Submit
\Users\Admin\AppData\Local\Temp\-lxhjqx3.dll

Filesize
4KB

MD5
b13d072be48e5a5c74f69c91ba64438f

SHA1
2ace642439e9cca5e64170a31ce3a501bfc717d2

SHA256
8eb15906669a5c35483c0db59da9f8dd297fe37f4d128eaf193e4b4791acca91

SHA512
a3953a611d045cf5757e905bb4e444bf9441fa0d0f6d65adb62712713bd95391a20ec97f23235854e63f91cd4506e78857cddbeab426abc03b0a7920b857fd3d

Download Submit
\Users\Admin\AppData\Local\Temp\-lxhjqx3.dll

Filesize
4KB

MD5
b13d072be48e5a5c74f69c91ba64438f

SHA1
2ace642439e9cca5e64170a31ce3a501bfc717d2

SHA256
8eb15906669a5c35483c0db59da9f8dd297fe37f4d128eaf193e4b4791acca91

SHA512
a3953a611d045cf5757e905bb4e444bf9441fa0d0f6d65adb62712713bd95391a20ec97f23235854e63f91cd4506e78857cddbeab426abc03b0a7920b857fd3d

Download Submit
memory/1196-55-0x0000000074A50000-0x0000000074FFB000-memory.dmp

Filesize
5.7MB

Download
memory/1196-54-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download
memory/1196-68-0x0000000000185000-0x0000000000196000-memory.dmp

Filesize
68KB

Download
memory/1196-69-0x0000000074A50000-0x0000000074FFB000-memory.dmp

Filesize
5.7MB

Download
memory/1196-70-0x0000000000185000-0x0000000000196000-memory.dmp

Filesize
68KB

Download