50da9ec6a3583e76e9dfc18c686dc9ee12675a13cb00a51dbc139e1a20832dac

Analysis

max time kernel
37s
max time network
78s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23/11/2022, 22:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

50da9ec6a3583e76e9dfc18c686dc9ee12675a13cb00a51dbc139e1a20832dac.exe
Size

495KB
MD5

43d968d30264819e9bfe80882bdb3830
SHA1

61f2e03685e04e480c5831822d08f69eb5d557a9
SHA256

50da9ec6a3583e76e9dfc18c686dc9ee12675a13cb00a51dbc139e1a20832dac
SHA512

45b7914ae399ccad5e93288964066ca9d289934cf100c0da303989d955df4face7e985c306b8fb6fa931b1eb5646631846bdc7c1576476b565503e5d6ac2d12d
SSDEEP

6144:1nIgK54IQzeeeL4/Q2orPIwap3vh3hA2tfUV:1IgKKM4YJgd2IfU

Score

1^/10

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2012	50da9ec6a3583e76e9dfc18c686dc9ee12675a13cb00a51dbc139e1a20832dac.exe
Token: 33	2012	50da9ec6a3583e76e9dfc18c686dc9ee12675a13cb00a51dbc139e1a20832dac.exe
Token: SeIncBasePriorityPrivilege	2012	50da9ec6a3583e76e9dfc18c686dc9ee12675a13cb00a51dbc139e1a20832dac.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 432	2012	50da9ec6a3583e76e9dfc18c686dc9ee12675a13cb00a51dbc139e1a20832dac.exe	28
PID 2012 wrote to memory of 432	2012	50da9ec6a3583e76e9dfc18c686dc9ee12675a13cb00a51dbc139e1a20832dac.exe	28
PID 2012 wrote to memory of 432	2012	50da9ec6a3583e76e9dfc18c686dc9ee12675a13cb00a51dbc139e1a20832dac.exe	28
PID 432 wrote to memory of 568	432	csc.exe	30
PID 432 wrote to memory of 568	432	csc.exe	30
PID 432 wrote to memory of 568	432	csc.exe	30
PID 2012 wrote to memory of 820	2012	50da9ec6a3583e76e9dfc18c686dc9ee12675a13cb00a51dbc139e1a20832dac.exe	31
PID 2012 wrote to memory of 820	2012	50da9ec6a3583e76e9dfc18c686dc9ee12675a13cb00a51dbc139e1a20832dac.exe	31
PID 2012 wrote to memory of 820	2012	50da9ec6a3583e76e9dfc18c686dc9ee12675a13cb00a51dbc139e1a20832dac.exe	31
PID 820 wrote to memory of 676	820	csc.exe	33
PID 820 wrote to memory of 676	820	csc.exe	33
PID 820 wrote to memory of 676	820	csc.exe	33
PID 2012 wrote to memory of 1748	2012	50da9ec6a3583e76e9dfc18c686dc9ee12675a13cb00a51dbc139e1a20832dac.exe	34
PID 2012 wrote to memory of 1748	2012	50da9ec6a3583e76e9dfc18c686dc9ee12675a13cb00a51dbc139e1a20832dac.exe	34
PID 2012 wrote to memory of 1748	2012	50da9ec6a3583e76e9dfc18c686dc9ee12675a13cb00a51dbc139e1a20832dac.exe	34
PID 1748 wrote to memory of 1500	1748	csc.exe	36
PID 1748 wrote to memory of 1500	1748	csc.exe	36
PID 1748 wrote to memory of 1500	1748	csc.exe	36
PID 2012 wrote to memory of 828	2012	50da9ec6a3583e76e9dfc18c686dc9ee12675a13cb00a51dbc139e1a20832dac.exe	37
PID 2012 wrote to memory of 828	2012	50da9ec6a3583e76e9dfc18c686dc9ee12675a13cb00a51dbc139e1a20832dac.exe	37
PID 2012 wrote to memory of 828	2012	50da9ec6a3583e76e9dfc18c686dc9ee12675a13cb00a51dbc139e1a20832dac.exe	37
PID 828 wrote to memory of 1080	828	csc.exe	39
PID 828 wrote to memory of 1080	828	csc.exe	39
PID 828 wrote to memory of 1080	828	csc.exe	39

C:\Users\Admin\AppData\Local\Temp\50da9ec6a3583e76e9dfc18c686dc9ee12675a13cb00a51dbc139e1a20832dac.exe
"C:\Users\Admin\AppData\Local\Temp\50da9ec6a3583e76e9dfc18c686dc9ee12675a13cb00a51dbc139e1a20832dac.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vc7xjmjc.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:432
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEE47.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCEE46.tmp"
    3⤵
    PID:568
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\36jswrn-.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:820
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2168.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC2167.tmp"
    3⤵
    PID:676
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kewtcrhp.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1748
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES28A8.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC28A7.tmp"
    3⤵
    PID:1500
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gbqp-0_m.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:828
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES29C1.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC29C0.tmp"
    3⤵
    PID:1080

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\36jswrn-.dll

Filesize
9KB

MD5
da179a7410aa167563f43f4d40ad714c

SHA1
a3d1c5a78429a9667ad9a66ebc1dd09da167e374

SHA256
9fb34bcb8e1faac4e28201b14388e94f1d3c81dca7a348bf05299d3589641068

SHA512
2129850c1e1f2bb3b34beed3bbe21154d02a2130c37b202aff5ba588243f74d26600ad897d47ec5c14f81861d5772ea44cde547c74c4e1f3a6d017bfa10c4c53

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2168.tmp

Filesize
1KB

MD5
d46f41774d62b11c72b0fcbbb131426d

SHA1
597318dc1a383e74f33e349828146a0d334d3836

SHA256
f525f4dfd7d96278d57331e87869adcc5495b16fcc7bb1c240171dde62dce0eb

SHA512
1068b25771cf6350d9f164e0ebb4414adedd53450155955754709f89b10ccfe91ad2b6aeec343656e0a95e7f559f9b4c60287587da93d050ca2d318c29a38f57

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES28A8.tmp

Filesize
1KB

MD5
02173024325ae3dd807524e5bd204ee1

SHA1
cc2ac786b9c13f6bb0c4017bd2a84433bc038442

SHA256
1bf01b340921f38da4df7659234783c5f00b039b9a858598439ee8e4938e6e83

SHA512
c930e0d38c79075ee2015ede2c35f3c67f1eb53aa5896e8677684c4ab43ce7161a6247722b5ca6398434680831150d63103ffee82193c17ffcd572a98319117c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES29C1.tmp

Filesize
1KB

MD5
e388beda20b56ecba55a1f7c990f7faa

SHA1
439805bef425e6209fff514c9a4c79ef59d42f1a

SHA256
153acc445f302322570ce2437df471a92c0768e0f80ee428e579a3d1eb5d4705

SHA512
1233127b66fe29ddbe6bb4fbe97b144c4666c395ea893e63271363f490d241c8dbfb092e7d3dae753f77eafdc462357d8bfb6484d94c681c388475dce6ab2449

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESEE47.tmp

Filesize
1KB

MD5
283c388c30271ac2cc5d3442e427d746

SHA1
50afa9c5d450c27828b6a2ae739b6dfe7beabdb0

SHA256
f0b8c48de52cb7814dffbeb135a21074238f900174d85708ab2993036005ed30

SHA512
3cd9171bb34d14bbd0ca2ec42be08a90ef08e814b47abd8f07b4b56a911183f0bd10a76e5587ea1aaaabd54d31be151a0910bc5f7cf6e4b6cd5dea5490adb6b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbqp-0_m.dll

Filesize
9KB

MD5
50d4c1ce9ef60654b2c3ee88c67b5496

SHA1
5051d49bf2dd1c2f1f64ef08c462a66994eaba47

SHA256
fbe21d8145a40e176ae5fb8588493f47af595102974863e9df4bbca48586a8ae

SHA512
7ea2d7d7fc32988543e788f6c8fba6c6d06401221e2e51829a45b19fad5965bb6e06433008cce2bc9885cf923a2ca437c4ecde609af50de1d1b505e77684f67f

Download Submit
C:\Users\Admin\AppData\Local\Temp\kewtcrhp.dll

Filesize
8KB

MD5
aaea9ae3f38d7bc235f0f472c9be6488

SHA1
25ea99e15ef56990c911d90cfe0f2a74efe2086a

SHA256
e9b951f47ca867e031e285b1f826b182f21df8b81604e51fc1c74d88e04291e7

SHA512
043882db667cd62c05bf261e9787274fa874c59c2ebbee1593a5c3e2daa8d6559bfcf04cde9d2dc0ef7cabd337a52f9ddbad240f8453832741578c6b29275b32

Download Submit
C:\Users\Admin\AppData\Local\Temp\vc7xjmjc.dll

Filesize
8KB

MD5
2fac2ff8263f216b1d679a555e6d84f3

SHA1
7be1fee5d48382696950e29d0066d40bed5a9d73

SHA256
8b3cb6225b03234636e9da6c687a5f264c8855791065b285260cb21bcd578292

SHA512
4cb10c63e995c25e5a78e67e09005d18abb8cf0f3e7ffb77665c4acffb18cc17722636e9d2b6caf0aa130c4da1fd7bfdad0314c94f877a2333334cda49eee666

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\36jswrn-.0.cs

Filesize
11KB

MD5
c0fba29ec46878d261eb0dd505b8c60e

SHA1
8748352169d19bc5be2c949faa1d44badc3bde0b

SHA256
fdb1a1f67d6bee13bf41ab4afb30fd193c7a1f5d8da093bf545b065f632b6136

SHA512
1d658cd2cec215458d31eced225eb38665eb7cba1f95659339711ac9cda5fddbc38006d324c9c64a53bfd08aa77f54f2341ade6907534949ec87d91507bc7990

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\36jswrn-.cmdline

Filesize
639B

MD5
e825b1362db6229908ad27b246597bd6

SHA1
12079417527877a674531f17801efc975427fb89

SHA256
3611744e2645dcc36349e38088ebe299135133bf18cf73bc0e270f709bc21be0

SHA512
e7fbcbffbe5a72022ad6a5d5090ecff4b36411807a15ddddd31650f21f857db22975a054486062a49d27766505b26d03440d39b3cdcba1d2b0596508e3aaf861

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC2167.tmp

Filesize
652B

MD5
6aa0800e4c894fbaf8d729ef484140a7

SHA1
7538978665aaf3537fbb069337ea2ac994095245

SHA256
c3d54a2ce275ee92ebf1e5f5d599066e8287733eea9d46d6a96941a5f68b9e3d

SHA512
94f395ddd52a9891df4fff4bc26be47759d84ea2f405e62be085d004c59955783547adf8912ea1c12fac8a876f5d0d2b9c0311fbc9276c4fd90191817a17475b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC28A7.tmp

Filesize
652B

MD5
5fd9f9bbd19c6aa5008570a08aeba42e

SHA1
3ada095c1817ec58a689397eaf07dc3b8ca8f3aa

SHA256
e3b90cb1f4d9dad6c11d02f956d19dc0bde551f800311c5d31cf71a399c4d78b

SHA512
d16710bde20e9bab8bb146e62a9a77818f7705fec094870733502d7bddb84fa2429cedac2a55bc32f33c2f9b981577f9a0a8e93d7ba007c9094b6669c9d61391

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC29C0.tmp

Filesize
652B

MD5
9fa275b71a72300fdb5fd861908f92ca

SHA1
dc6094b064c9f1f11482bac91c839be25a984d0c

SHA256
41cb67836ee04822d6f4590ad4df3c16b076d7ccf165c9aa4b4d22c070112a34

SHA512
335a0fd285f0204c2545951e10b04988afdead03ff6d6312699494149ff7a8cec0606a5e3cad88a178dbb1e9c2d4fee44aaa7ac56b30ff8cd1bd6d54a07f7316

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCEE46.tmp

Filesize
652B

MD5
7d5ff951e35f122f154dbcdea034c17e

SHA1
9f5162189fd7f9a131038e6bd28f4be80ab70661

SHA256
46547e2a4846617780796670baa39aacbe0c15d8bcc87bed9ac379542b2593a4

SHA512
ed241c4a231a5955148e1eef0aec4134ff1998c8756015344582f9834ded78766068ddc8de33030984de61aeced1c19808ce09291e4daa1629435a758324f3a4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gbqp-0_m.0.cs

Filesize
11KB

MD5
01557036f71797ea9211a6fe220983bb

SHA1
cbc1b20c412430386e7136fd300e9db706a87dbe

SHA256
3c518308472486fb52261f1db84798a6da21ca7f36548edb765a1b57caa2f9d4

SHA512
08ddaf527bcfae3a20e8a29f2ed93f0c2ee064dcafe9b8106c04c37138f0fc774788805ac442158b4549445b4ac5ad62220494d031cf394e6fbd4999ee4844e3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gbqp-0_m.cmdline

Filesize
639B

MD5
4205e2e1fb4f86dfbeaaa6e278419342

SHA1
d0c99090dc13a7f7c007593621a7b71068489596

SHA256
31a5ba42393cef48436e7c4a881b9ae763d2dd5b56dca519b5fa3e263dcfde7a

SHA512
70e74fb4e125274d4409d29674703bdaa0565dedcf9441bf59770b59edb0465bcbbb65e7e293ad14068d1e27f250cab34634a6fc9ddf3b336dbdd6457df443d0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kewtcrhp.0.cs

Filesize
10KB

MD5
59f6855fec58f2a8599bf67cc9d6f448

SHA1
c2a6d51821eada0271292ee573a1ef4f4ecd0f60

SHA256
080748eb170ec620abf6b6e2b69bc5bc904d132044bce002a2bc1a9b08e23bc2

SHA512
daaf2fedc7923a3d930ffdd76ea10be8c04279a157dbcabb7c7fc26e416f7f0f79e844889315fb5eb536aa80f526d7b895d8862058936dc67fce343996edf2c7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kewtcrhp.cmdline

Filesize
639B

MD5
26f2c2b5f700100f9e95e9c3f42280fa

SHA1
1316cecba1237eedfd61893a8439dbc4bb3055e8

SHA256
2ccbb0b9a5d103bc224a8f333dabd1ba41e6a4343ffb1bd8d593e2ff27874631

SHA512
29ee42f2cbe813a00dcc0e04a4af78d991526b16bdc33144537e370969297c28c636b34a9cf2739ca0f9ea30f05deefbed211fed74b85424a1e79bbcb49664fa

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vc7xjmjc.0.cs

Filesize
10KB

MD5
9fbaa2dcc7b87e018e2b4b2deeaa1308

SHA1
9675bf37be0b5da406f9e210ab6d8780b8fb7577

SHA256
9ea1a2b588c629db021452f736dfdbb4599a37edb41dd4e49ed1f002a8c43f14

SHA512
23eecb3c441dab7059111471d3f4829456844c5c3c689cb9dfd004f57007495cff375da01df3fc31ff5958d3fcfc63d193ea356293a21c5468bdeac765bcfaf1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vc7xjmjc.cmdline

Filesize
639B

MD5
40053237916feaab0a60dc57b245169c

SHA1
fc5d97071dfee8136d7f7527e7168f0b220ecd67

SHA256
00afd4832d761f855769b5cdd9943c0de7be140b62e43fb36ab5bfb5c3377881

SHA512
1fb270421f4f0534d0b5d777415aa5688f22c4fb436a4da0d505b36b38057880250bf7aecf4949040a9d6aa1c22d726f403f712822b4fedbc88cd024fa92db66

Download Submit
memory/2012-62-0x0000000001F88000-0x0000000001FA7000-memory.dmp

Filesize
124KB

Download
memory/2012-61-0x0000000001FB0000-0x0000000001FB9000-memory.dmp

Filesize
36KB

Download
memory/2012-54-0x000007FEF3DA0000-0x000007FEF47C3000-memory.dmp

Filesize
10.1MB

Download
memory/2012-60-0x0000000001FA9000-0x0000000001FAD000-memory.dmp

Filesize
16KB

Download
memory/2012-56-0x0000000001F88000-0x0000000001FA7000-memory.dmp

Filesize
124KB

Download
memory/2012-55-0x000007FEF2D00000-0x000007FEF3D96000-memory.dmp

Filesize
16.6MB

Download
memory/2012-89-0x0000000001FA9000-0x0000000001FAD000-memory.dmp

Filesize
16KB

Download
memory/2012-88-0x0000000001F88000-0x0000000001FA7000-memory.dmp

Filesize
124KB

Download
memory/2012-90-0x0000000001FB0000-0x0000000001FB9000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads