e9ec7c9d55adb2532bcb8eae446a29fe1ec35fe8072dcdd777c8e77f9580dbbb

Analysis

max time kernel
150s
max time network
94s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
24-11-2022 04:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e9ec7c9d55adb2532bcb8eae446a29fe1ec35fe8072dcdd777c8e77f9580dbbb.exe
Size

296KB
MD5

ba40439008eb05cc2a795aaf287ef7a5
SHA1

72309e045c4dd8d78e00e66f77185c97e435f490
SHA256

e9ec7c9d55adb2532bcb8eae446a29fe1ec35fe8072dcdd777c8e77f9580dbbb
SHA512

2b3bdd88e3d1e31f698a7c8603c70926393c6b6eb0ba9afc78972fdd1d8aa428410aac021327dfcfceffb864d18bc7c5864d2084c2e9207548cffd9b991c0fda
SSDEEP

6144:jHogBfdMhCuPUOluAgmbo+WZ1RzsgcKB1ixuHeGWXczh4i8+:6QusO2V1RzsKB1ikH3WWH

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

svchost.exe

pid process

1620 svchost.exe
Loads dropped DLL 1 IoCs

Processes:

svchost.exe

pid process

1620 svchost.exe

Drops file in Program Files directory 2 IoCs

Processes:

e9ec7c9d55adb2532bcb8eae446a29fe1ec35fe8072dcdd777c8e77f9580dbbb.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Afhi\Qkaqerngk.bmp	e9ec7c9d55adb2532bcb8eae446a29fe1ec35fe8072dcdd777c8e77f9580dbbb.exe
File created	C:\Program Files (x86)\Afhi\Qkaqerngk.bmp	e9ec7c9d55adb2532bcb8eae446a29fe1ec35fe8072dcdd777c8e77f9580dbbb.exe

Drops file in Windows directory 2 IoCs

Processes:

e9ec7c9d55adb2532bcb8eae446a29fe1ec35fe8072dcdd777c8e77f9580dbbb.exe

description	ioc	process
File created	C:\windows\xinstall2495800.dll	e9ec7c9d55adb2532bcb8eae446a29fe1ec35fe8072dcdd777c8e77f9580dbbb.exe
File opened for modification	C:\windows\xinstall2495800.dll	e9ec7c9d55adb2532bcb8eae446a29fe1ec35fe8072dcdd777c8e77f9580dbbb.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

Processes:

svchost.exe

pid	process
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

e9ec7c9d55adb2532bcb8eae446a29fe1ec35fe8072dcdd777c8e77f9580dbbb.exe

description	pid	process
Token: SeBackupPrivilege	2000	e9ec7c9d55adb2532bcb8eae446a29fe1ec35fe8072dcdd777c8e77f9580dbbb.exe
Token: SeRestorePrivilege	2000	e9ec7c9d55adb2532bcb8eae446a29fe1ec35fe8072dcdd777c8e77f9580dbbb.exe
Token: SeBackupPrivilege	2000	e9ec7c9d55adb2532bcb8eae446a29fe1ec35fe8072dcdd777c8e77f9580dbbb.exe
Token: SeRestorePrivilege	2000	e9ec7c9d55adb2532bcb8eae446a29fe1ec35fe8072dcdd777c8e77f9580dbbb.exe
Token: SeBackupPrivilege	2000	e9ec7c9d55adb2532bcb8eae446a29fe1ec35fe8072dcdd777c8e77f9580dbbb.exe
Token: SeRestorePrivilege	2000	e9ec7c9d55adb2532bcb8eae446a29fe1ec35fe8072dcdd777c8e77f9580dbbb.exe
Token: SeBackupPrivilege	2000	e9ec7c9d55adb2532bcb8eae446a29fe1ec35fe8072dcdd777c8e77f9580dbbb.exe
Token: SeRestorePrivilege	2000	e9ec7c9d55adb2532bcb8eae446a29fe1ec35fe8072dcdd777c8e77f9580dbbb.exe

C:\Users\Admin\AppData\Local\Temp\e9ec7c9d55adb2532bcb8eae446a29fe1ec35fe8072dcdd777c8e77f9580dbbb.exe
"C:\Users\Admin\AppData\Local\Temp\e9ec7c9d55adb2532bcb8eae446a29fe1ec35fe8072dcdd777c8e77f9580dbbb.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2000

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k sougou
1⤵
- Deletes itself
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1620

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\windows\xinstall2495800.dll

Filesize
219KB

MD5
e128ab57deef3602690f2352fd430f7e

SHA1
0f2eafe907ab08fd7686c35797392f6750f69fe7

SHA256
e8e91fcb1e0a156ab7ae3171932439c96f0e8afa62a2ac34bfcf77a6fe6c20e2

SHA512
fe168f0d1f56ca77b9f077b34e72268a53e1f6d134012934a3e17038724ca2220eca6b4aeb3e34c997d2d8c86232fe8104ab404a991ae835827d250e62c4f4d5

Download Submit
\??\c:\Win_lj.ini

Filesize
133B

MD5
41c145039f567dc17085eeef1cdf99dd

SHA1
35b650da4dc9ccc2826aabddc57c72e4452544df

SHA256
4b5843b0bdeab21b3da8ef90864a72ecbd6bc676c61b8f73a9fd59706233a009

SHA512
4174bf9a7b8bb9667db95c300a2c520d7500858d45244d5aef341acf40a0fe9a00cc51cab3e2d3d5ce9068afbdabc6f379341038be1abe7f772a080dc7de7f1e

Download Submit
\??\c:\program files (x86)\afhi\qkaqerngk.bmp

Filesize
2.7MB

MD5
2563ab08df534d48d56f766ad6a87f3e

SHA1
b647029194d72a2219d590d0e2cedc8772e69129

SHA256
5ae65001db32fc517cc995c716b8d15fc6d067b98a937de2757f0322754c299f

SHA512
1d012bc21acc8755a76c1ce97af4b42fdac5e7ff72c114b171af42ec4e75969d8e4db951406a43e7917472c029ab8e0829cf5a29f2c7675ac50f29d17316b048

Download Submit
\Program Files (x86)\Afhi\Qkaqerngk.bmp

Filesize
2.7MB

MD5
2563ab08df534d48d56f766ad6a87f3e

SHA1
b647029194d72a2219d590d0e2cedc8772e69129

SHA256
5ae65001db32fc517cc995c716b8d15fc6d067b98a937de2757f0322754c299f

SHA512
1d012bc21acc8755a76c1ce97af4b42fdac5e7ff72c114b171af42ec4e75969d8e4db951406a43e7917472c029ab8e0829cf5a29f2c7675ac50f29d17316b048

Download Submit
memory/2000-54-0x0000000074F01000-0x0000000074F03000-memory.dmp

Filesize
8KB

Download