382c47bf4a08019cc79ced343e2e7e1ecee9d980d0c68c506bf53dcc39740daa

Analysis

max time kernel
144s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2022 16:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

382c47bf4a08019cc79ced343e2e7e1ecee9d980d0c68c506bf53dcc39740daa.exe
Size

187KB
MD5

09d1fcca4bfb32cead46f345c51aff50
SHA1

415c952d227d914a2ab2019c4ac7a07dccfb1afd
SHA256

382c47bf4a08019cc79ced343e2e7e1ecee9d980d0c68c506bf53dcc39740daa
SHA512

e22e59b303be9f6af4f70d87af842b1351fe1f53467f9d3fab7dd4df0d75895e6db8411da0931041584cb1b3f0f85ccfd902d0483396e0e7d255444fb5926909
SSDEEP

3072:gKJIjkwdqoESQ5OA9W589o90/qBGTV6kJetrXCjmPFZdtIddddddDBe0I7NCr45U:gwoESQ5OA858O98qkTV6uehXCGhPRCrL

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 6 IoCs

pid	Process
2732	382c47bf4a08019cc79ced343e2e7e1ecee9d980d0c68c506bf53dcc39740daa.exe
2732	382c47bf4a08019cc79ced343e2e7e1ecee9d980d0c68c506bf53dcc39740daa.exe
2732	382c47bf4a08019cc79ced343e2e7e1ecee9d980d0c68c506bf53dcc39740daa.exe
2732	382c47bf4a08019cc79ced343e2e7e1ecee9d980d0c68c506bf53dcc39740daa.exe
2732	382c47bf4a08019cc79ced343e2e7e1ecee9d980d0c68c506bf53dcc39740daa.exe
2732	382c47bf4a08019cc79ced343e2e7e1ecee9d980d0c68c506bf53dcc39740daa.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2732	382c47bf4a08019cc79ced343e2e7e1ecee9d980d0c68c506bf53dcc39740daa.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2732	382c47bf4a08019cc79ced343e2e7e1ecee9d980d0c68c506bf53dcc39740daa.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2732	382c47bf4a08019cc79ced343e2e7e1ecee9d980d0c68c506bf53dcc39740daa.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 3568	2732	382c47bf4a08019cc79ced343e2e7e1ecee9d980d0c68c506bf53dcc39740daa.exe	78
PID 2732 wrote to memory of 3568	2732	382c47bf4a08019cc79ced343e2e7e1ecee9d980d0c68c506bf53dcc39740daa.exe	78
PID 2732 wrote to memory of 3568	2732	382c47bf4a08019cc79ced343e2e7e1ecee9d980d0c68c506bf53dcc39740daa.exe	78
PID 3568 wrote to memory of 2840	3568	csc.exe	80
PID 3568 wrote to memory of 2840	3568	csc.exe	80
PID 3568 wrote to memory of 2840	3568	csc.exe	80

C:\Users\Admin\AppData\Local\Temp\382c47bf4a08019cc79ced343e2e7e1ecee9d980d0c68c506bf53dcc39740daa.exe
"C:\Users\Admin\AppData\Local\Temp\382c47bf4a08019cc79ced343e2e7e1ecee9d980d0c68c506bf53dcc39740daa.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\6ukgjsvc.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3568
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEAA4.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCEAA3.tmp"
    3⤵
    PID:2840

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6ukgjsvc.dll

Filesize
4KB

MD5
e2eb639083441a2aa257a2eccdb34b75

SHA1
07d3d876996d88ad3b18c94aca79db8d9cee9f28

SHA256
a988e0d260d30270b6ece6b2ec0fc99ff793fb97490a1dfd0feabe832434b227

SHA512
b2bdd48b92dff186a4018f10e4bc05baf37879281206cc90d404a3123af863e4dcdf76cc6d890a91fa6caac1d52a87f4841b74d31856e56516e03072555d4d1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\6ukgjsvc.dll

Filesize
4KB

MD5
e2eb639083441a2aa257a2eccdb34b75

SHA1
07d3d876996d88ad3b18c94aca79db8d9cee9f28

SHA256
a988e0d260d30270b6ece6b2ec0fc99ff793fb97490a1dfd0feabe832434b227

SHA512
b2bdd48b92dff186a4018f10e4bc05baf37879281206cc90d404a3123af863e4dcdf76cc6d890a91fa6caac1d52a87f4841b74d31856e56516e03072555d4d1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\6ukgjsvc.dll

Filesize
4KB

MD5
e2eb639083441a2aa257a2eccdb34b75

SHA1
07d3d876996d88ad3b18c94aca79db8d9cee9f28

SHA256
a988e0d260d30270b6ece6b2ec0fc99ff793fb97490a1dfd0feabe832434b227

SHA512
b2bdd48b92dff186a4018f10e4bc05baf37879281206cc90d404a3123af863e4dcdf76cc6d890a91fa6caac1d52a87f4841b74d31856e56516e03072555d4d1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\6ukgjsvc.dll

Filesize
4KB

MD5
e2eb639083441a2aa257a2eccdb34b75

SHA1
07d3d876996d88ad3b18c94aca79db8d9cee9f28

SHA256
a988e0d260d30270b6ece6b2ec0fc99ff793fb97490a1dfd0feabe832434b227

SHA512
b2bdd48b92dff186a4018f10e4bc05baf37879281206cc90d404a3123af863e4dcdf76cc6d890a91fa6caac1d52a87f4841b74d31856e56516e03072555d4d1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\6ukgjsvc.dll

Filesize
4KB

MD5
e2eb639083441a2aa257a2eccdb34b75

SHA1
07d3d876996d88ad3b18c94aca79db8d9cee9f28

SHA256
a988e0d260d30270b6ece6b2ec0fc99ff793fb97490a1dfd0feabe832434b227

SHA512
b2bdd48b92dff186a4018f10e4bc05baf37879281206cc90d404a3123af863e4dcdf76cc6d890a91fa6caac1d52a87f4841b74d31856e56516e03072555d4d1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\6ukgjsvc.dll

Filesize
4KB

MD5
e2eb639083441a2aa257a2eccdb34b75

SHA1
07d3d876996d88ad3b18c94aca79db8d9cee9f28

SHA256
a988e0d260d30270b6ece6b2ec0fc99ff793fb97490a1dfd0feabe832434b227

SHA512
b2bdd48b92dff186a4018f10e4bc05baf37879281206cc90d404a3123af863e4dcdf76cc6d890a91fa6caac1d52a87f4841b74d31856e56516e03072555d4d1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\6ukgjsvc.dll

Filesize
4KB

MD5
e2eb639083441a2aa257a2eccdb34b75

SHA1
07d3d876996d88ad3b18c94aca79db8d9cee9f28

SHA256
a988e0d260d30270b6ece6b2ec0fc99ff793fb97490a1dfd0feabe832434b227

SHA512
b2bdd48b92dff186a4018f10e4bc05baf37879281206cc90d404a3123af863e4dcdf76cc6d890a91fa6caac1d52a87f4841b74d31856e56516e03072555d4d1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESEAA4.tmp

Filesize
1KB

MD5
b524692343484e3099c5c5b4469eed23

SHA1
b3afb4cbf2bd5d8b172fcb10cd7f57bde5855011

SHA256
b482ddc14b4b116400a58a993a6520a186f6d6059498baafd9a96fcb5724a993

SHA512
e176c2b0aae826f76b7c4eb92af67aa6d7fafad2dc7fad4e920d77466cc94a144170802805672bfa26a5a2fe6be39baf10d58a416509857946a1cbf85dd4f74f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\6ukgjsvc.0.cs

Filesize
1KB

MD5
726a6cdc1c8c93a4187bde307bdcce62

SHA1
7be83ba9aa298ee36171b41c2696091eb9096230

SHA256
f80bab86984f7b0a86e23622bc49bd78c54acbf179e9fb4be1ee14fa0a6616d0

SHA512
0ba2ca78052eb3f0bbcb533f2a511d4d2fa459893c0e7f795d255124f079f7b7b6532631ebf72516ec6b67cce132d0b955e87f7369b5fd08c26afb4160e86cdd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\6ukgjsvc.cmdline

Filesize
195B

MD5
bd8c855d03f028a6ebfc7ebd65f50d38

SHA1
b427f9fab12203ea04f3c27d1ebfd8151eec9caf

SHA256
6b621b3fc8f49d8de3d569c0621f787708f74c23ed222cab71f87aca0d74f256

SHA512
7a715768a0c24a9a7c599d1d7ea077095612847dbf824bec136a641488476c81929782bdfedb510f8f6adb690e26566ae299140469785648703ba5477f0dc9c5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCEAA3.tmp

Filesize
652B

MD5
ac91c211e57f1e907c71f14b0545bdd4

SHA1
0fdc2a5c439946a67b13d11cdfbe3d1fb8192b5a

SHA256
23aae0215f1bb8c4ac90729f151c8fa203120f082fea3df04fbc26a15623e2b3

SHA512
6430a850134c500bd5e316e4b23a9877d81c61fd73fd907ede694fbe1c79dbf8698189c9e8d353797d1d982c60775338694f69becb8bd87f7a1fbaa9d1924d4d

Download Submit
memory/2732-132-0x00000000753E0000-0x0000000075991000-memory.dmp

Filesize
5.7MB

Download
memory/2732-133-0x00000000753E0000-0x0000000075991000-memory.dmp

Filesize
5.7MB

Download