0de650ffe2b9496e4e392dc7269a06d627dd333679ada1c4adf718210986d320

Analysis

max time kernel
95s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2022 00:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0de650ffe2b9496e4e392dc7269a06d627dd333679ada1c4adf718210986d320.exe
Size

131KB
MD5

a03f7d37e4524b66c8f45c8e5c01252d
SHA1

7eb8d8cb16d85f4e24603c8f9468b6524e805031
SHA256

0de650ffe2b9496e4e392dc7269a06d627dd333679ada1c4adf718210986d320
SHA512

db86143d5729dcc1490e6892c7d1bf608b11442994605517c6b23e55e82bf46501ded6b13a167fdb79fddc3236e6cd78261381de65b78d61e16116e9f32980e9
SSDEEP

1536:5WYcgrsVESLWUpx4r8l9bOD8yM1/YyjlI7Oy4aBsV5JB1vsiyXCKH0OA8F:gg5GFV9oM1/Yy5zy4msjJrkiyXCKH2

Score

6^/10

Malware Config

Signatures

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	0de650ffe2b9496e4e392dc7269a06d627dd333679ada1c4adf718210986d320.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	0de650ffe2b9496e4e392dc7269a06d627dd333679ada1c4adf718210986d320.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\Desktop.ini	0de650ffe2b9496e4e392dc7269a06d627dd333679ada1c4adf718210986d320.exe
File opened for modification	C:\Windows\assembly	0de650ffe2b9496e4e392dc7269a06d627dd333679ada1c4adf718210986d320.exe
File created	C:\Windows\assembly\Desktop.ini	0de650ffe2b9496e4e392dc7269a06d627dd333679ada1c4adf718210986d320.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1200	0de650ffe2b9496e4e392dc7269a06d627dd333679ada1c4adf718210986d320.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1200 wrote to memory of 2360	1200	0de650ffe2b9496e4e392dc7269a06d627dd333679ada1c4adf718210986d320.exe	79
PID 1200 wrote to memory of 2360	1200	0de650ffe2b9496e4e392dc7269a06d627dd333679ada1c4adf718210986d320.exe	79
PID 1200 wrote to memory of 2360	1200	0de650ffe2b9496e4e392dc7269a06d627dd333679ada1c4adf718210986d320.exe	79
PID 2360 wrote to memory of 1656	2360	csc.exe	81
PID 2360 wrote to memory of 1656	2360	csc.exe	81
PID 2360 wrote to memory of 1656	2360	csc.exe	81
PID 1200 wrote to memory of 4944	1200	0de650ffe2b9496e4e392dc7269a06d627dd333679ada1c4adf718210986d320.exe	82
PID 1200 wrote to memory of 4944	1200	0de650ffe2b9496e4e392dc7269a06d627dd333679ada1c4adf718210986d320.exe	82
PID 1200 wrote to memory of 4944	1200	0de650ffe2b9496e4e392dc7269a06d627dd333679ada1c4adf718210986d320.exe	82
PID 4944 wrote to memory of 1880	4944	csc.exe	84
PID 4944 wrote to memory of 1880	4944	csc.exe	84
PID 4944 wrote to memory of 1880	4944	csc.exe	84

C:\Users\Admin\AppData\Local\Temp\0de650ffe2b9496e4e392dc7269a06d627dd333679ada1c4adf718210986d320.exe
"C:\Users\Admin\AppData\Local\Temp\0de650ffe2b9496e4e392dc7269a06d627dd333679ada1c4adf718210986d320.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1200
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rfiue9aa.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1BF5.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1BF4.tmp"
    3⤵
    PID:1656
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kxpix0wu.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4944
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1F12.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1F11.tmp"
    3⤵
    PID:1880

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES1BF5.tmp

Filesize
1KB

MD5
3569d2a22b7f7c05608b4d0f7026c09e

SHA1
1d8bd974e23e93d56bf75a6d808ac186a44ea4da

SHA256
70108f8cc1dc01c76933e9985621b84440a3b20ed3fa75ed3bf39df04c7041ff

SHA512
c26270059e3bfb0d30ca789e2a4ee46b53880ee69146870f3c76fecde0285aa14acf267416031a8cb8c9c390463c8eb90e58d0ea0c1943250485964fa2bebe8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1F12.tmp

Filesize
1KB

MD5
a46a68de0532ff2b0d12679881030f3e

SHA1
3097af0a690e2268e135978f1de6d88c209321f8

SHA256
dddbfa9f4cc3dab54ff25efc3a33fcc2398eb0b264ba3c79d668610a6a0159f3

SHA512
2d918c23a259bab4dbdb4fd9db9a2dd2026154165476b083e3bf81e86c2eee9dd2224ea7b8913e38efd7e826be4f85813866420e9601436a12766d6e42a9e73d

Download Submit
C:\Users\Admin\AppData\Local\Temp\kxpix0wu.dll

Filesize
9KB

MD5
a710eeb17fdabab09cfd46c1d4679d05

SHA1
15190d20669d6f9640024066134a94cf589b11d3

SHA256
5eaeb81a9906b663f6abb86926c61e653128fca669b59187851855792f34f5dd

SHA512
718da2ba1cc655882717c8377b2a9d16a95c33ec1774977063cdf335f83be0d31cd7e729cd94a4027e5d4568fb7ff0e6fc7654a680c7b4873ef8452131b45b79

Download Submit
C:\Users\Admin\AppData\Local\Temp\rfiue9aa.dll

Filesize
8KB

MD5
0ea2850264ce98f2b3f1112c49aaa40c

SHA1
db32cb106f4745e7093c90116ea648bda1778875

SHA256
b705907759aaddbdf04fb79b6ffc7cd0e4d02641988184d42662db460c44fe70

SHA512
0a426dd23998fba750d25b9f452f043f4bee8853e66988c6acd312a250ab1afa13220f7817a2d2cd3180866d9b2c2d43914f5bd05258ae665784f23f710d2bbb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC1BF4.tmp

Filesize
652B

MD5
47bd5b68b8d253d6d9b3ddc27cace29f

SHA1
9d92e46184dac65bd24081d17ed9391b5a310a52

SHA256
df38c8c07a3f4c48630e68639f028158516b55f5ab1460f78d9c41e4c680750d

SHA512
6d91b5043fd21b3e35294a77fbaf8d6e1f16026596717b7b1375ea665b382b7d047a066f95687bc10233cc1d9aa7adebd89a8b44185e1e20699eac0932078eb0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC1F11.tmp

Filesize
652B

MD5
7ae1b5608de92359defd1cacba364a78

SHA1
a723dbe17179e09428c6bccfeea2905b8fff4b31

SHA256
2c6d62a6069406fec83f62db7fe40b297d4a06eff8780b611c1c6589fa5f0868

SHA512
1e3d766b0f54a4e8424e2e82af01374b6dbdec9828576b416aa95b015315f11dbc85ef8aca59968f027dd483c0af009e1a144128821436655588299aa6abf2a5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kxpix0wu.0.cs

Filesize
11KB

MD5
13a28512a6c506d7d6cbe8a1cdd6aec5

SHA1
977b1d51a455feb73a3dcf89760b6a4c365fba4a

SHA256
3c11a8e8e93df7c52c8b78ea99bb8a289832cb6bbc14a0e2c3db989c59bcb1f8

SHA512
71408ec6b92a93c116cdeb58907ccf462545bd2c946464bb488908366747fca672371a9bf6b072ecf83aa344679f1bca2c3debc7dcba33b6bc3ee62f76e0f5e5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kxpix0wu.cmdline

Filesize
637B

MD5
f978be9bca37b28a4a7d0e87037d1129

SHA1
347c930747471de98d1f95f050320234546b2245

SHA256
5e8d7714f81a8a13fada565859abda507ec8bc8f858ba08ebd3940b51c941e71

SHA512
1eed217ef6a19a6c7e2b6db1f6b2f0ce5d138ef4edcbe7dd24b18483eb47216541b362dbd2b7b9f74ae002b3e76d42786bda346647dab943e6fbe00097049c37

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rfiue9aa.0.cs

Filesize
10KB

MD5
fc5708080530a8686bc2662214c74343

SHA1
f2a822645b861812096864bc86d88b56d348cf40

SHA256
f0ae86e26d097ee3ac9cd0ac8734d1b18a294ddb64da8e8835d79d85eaccbd3d

SHA512
ad4e42058159c0219bd37e054299f275a40d60b358bcfaed13275f83f702edb64d7bf5f0479b857b67c8da12d49d9e7f1acd85ef12db90dd554b468cb72e1561

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rfiue9aa.cmdline

Filesize
637B

MD5
52e588efcaef0b2fa49f40709816f1a0

SHA1
dfa14b20e6eee08c0977ca998369a80cea91bca0

SHA256
34968fc922790520ef45d1045cd84ec8bb7a1016aea513c158cb8d02d03d8bee

SHA512
8cab7ddacb1d7386b790ce6e9cd1a7538509c77b6245ca32fe69353e0a9d31b8958bba455fa016caa075b9693876275123632d4bb6afeb62c33e82bc74ed0401

Download Submit
memory/1200-147-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download
memory/1200-132-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download
memory/1656-136-0x0000000000000000-mapping.dmp

Download
memory/1880-143-0x0000000000000000-mapping.dmp

Download
memory/2360-133-0x0000000000000000-mapping.dmp

Download
memory/4944-140-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads