604e007cf70c55928c9d4359bd5937ccc132fe13e64f48abcb5c53ee1aae0679

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 17:04

Target

604e007cf70c55928c9d4359bd5937ccc132fe13e64f48abcb5c53ee1aae0679.exe
Size

415KB
MD5

d0064452d99dc4be7c6f29fca0ddfc15
SHA1

8139ed56cda08321bb3a0e40c77ebb8907bb759c
SHA256

604e007cf70c55928c9d4359bd5937ccc132fe13e64f48abcb5c53ee1aae0679
SHA512

7e047df19f581f5186dd03ee97fc73e2fad8224b1b1a2b445159740fcf2bb21752872b5e967bd28f135eac95aac3be782e8e20d01905e05c9e4b5107193e9c6c
SSDEEP

3072:stESTOYLiCywpqFBN6nVQ3/VYtfZFT9AxcY8:K9OYLiCyukMKVYtfZJmU

Score

8^/10

Executes dropped EXE 2 IoCs

Processes:

hjrs2e.exehjrs2e.exe

pid process

3136 hjrs2e.exe
804 hjrs2e.exe

pid	process
3136	hjrs2e.exe
804	hjrs2e.exe

Drops startup file 1 IoCs

Processes:

604e007cf70c55928c9d4359bd5937ccc132fe13e64f48abcb5c53ee1aae0679.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nx2n.vbs	604e007cf70c55928c9d4359bd5937ccc132fe13e64f48abcb5c53ee1aae0679.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

hjrs2e.exe

description pid process target process

PID 3136 set thread context of 804 3136 hjrs2e.exe hjrs2e.exe

description	pid	process	target process
PID 3136 set thread context of 804	3136	hjrs2e.exe	hjrs2e.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

hjrs2e.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

hjrs2e.exe

pid process

3136 hjrs2e.exe
3136 hjrs2e.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

hjrs2e.exe

description pid process

Token: SeDebugPrivilege 804 hjrs2e.exe
Token: SeShutdownPrivilege 804 hjrs2e.exe

pid	process
3136	hjrs2e.exe
3136	hjrs2e.exe

description	pid	process
Token: SeDebugPrivilege	804	hjrs2e.exe
Token: SeShutdownPrivilege	804	hjrs2e.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

604e007cf70c55928c9d4359bd5937ccc132fe13e64f48abcb5c53ee1aae0679.exehjrs2e.exe

description	pid	process	target process
PID 2648 wrote to memory of 3136	2648	604e007cf70c55928c9d4359bd5937ccc132fe13e64f48abcb5c53ee1aae0679.exe	hjrs2e.exe
PID 2648 wrote to memory of 3136	2648	604e007cf70c55928c9d4359bd5937ccc132fe13e64f48abcb5c53ee1aae0679.exe	hjrs2e.exe
PID 2648 wrote to memory of 3136	2648	604e007cf70c55928c9d4359bd5937ccc132fe13e64f48abcb5c53ee1aae0679.exe	hjrs2e.exe
PID 3136 wrote to memory of 804	3136	hjrs2e.exe	hjrs2e.exe
PID 3136 wrote to memory of 804	3136	hjrs2e.exe	hjrs2e.exe
PID 3136 wrote to memory of 804	3136	hjrs2e.exe	hjrs2e.exe

C:\Users\Admin\AppData\Roaming\sg2r\hjrs2e.exe

Filesize
415KB

MD5
d0064452d99dc4be7c6f29fca0ddfc15

SHA1
8139ed56cda08321bb3a0e40c77ebb8907bb759c

SHA256
604e007cf70c55928c9d4359bd5937ccc132fe13e64f48abcb5c53ee1aae0679

SHA512
7e047df19f581f5186dd03ee97fc73e2fad8224b1b1a2b445159740fcf2bb21752872b5e967bd28f135eac95aac3be782e8e20d01905e05c9e4b5107193e9c6c

Download Submit
C:\Users\Admin\AppData\Roaming\sg2r\hjrs2e.exe

Filesize
415KB

MD5
d0064452d99dc4be7c6f29fca0ddfc15

SHA1
8139ed56cda08321bb3a0e40c77ebb8907bb759c

SHA256
604e007cf70c55928c9d4359bd5937ccc132fe13e64f48abcb5c53ee1aae0679

SHA512
7e047df19f581f5186dd03ee97fc73e2fad8224b1b1a2b445159740fcf2bb21752872b5e967bd28f135eac95aac3be782e8e20d01905e05c9e4b5107193e9c6c

Download Submit
C:\Users\Admin\AppData\Roaming\sg2r\hjrs2e.exe

Filesize
415KB

MD5
d0064452d99dc4be7c6f29fca0ddfc15

SHA1
8139ed56cda08321bb3a0e40c77ebb8907bb759c

SHA256
604e007cf70c55928c9d4359bd5937ccc132fe13e64f48abcb5c53ee1aae0679

SHA512
7e047df19f581f5186dd03ee97fc73e2fad8224b1b1a2b445159740fcf2bb21752872b5e967bd28f135eac95aac3be782e8e20d01905e05c9e4b5107193e9c6c

Download Submit
memory/804-135-0x0000000000000000-mapping.dmp

Download
memory/804-137-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3136-132-0x0000000000000000-mapping.dmp

Download