Analysis
max time kernel
150s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags
arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted
27-11-2022 12:56
Behavioral task
behavioral1
Sample
WXCltAidEx.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
WXCltAidEx.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral3
Sample
clsmn.exe
Resource
win7-20221111-en
Behavioral task
behavioral4
Sample
clsmn.exe
Resource
win10v2004-20220901-en
General
Target
WXCltAidEx.exe
Size
3.7MB
MD5
ed0ee4fc304cd842c9f6195a9c7116e4
SHA1
dddd35673a71deb7d2f379605b80ef02a94301cf
SHA256
103fb59fd4123c61cba74ce0a1bd9488f2b99bcc2eb3dbec82241753b0496701
SHA512
f390c6d6784e22bebbe585326af7dbe1bc3a5ce852c9a84fc3284bbfefde6f4fe199b1bd07792c3b3436822b333687ae9a675c6ce80d475dfab0b24b2e0b1a28
SSDEEP
98304:6P/kTUx5T1TaGjY/V9m5qoU8xbWvsvujvrZBlZ:6P/k4x5Z7m9iqoU8xblujvVZ
Malware Config
Signatures
Processes:
resource                                                                       yara_rule
behavioral1/memory/1724-55-0x0000000000C30000-0x0000000001555000-memory.dmp    vmprotect
behavioral1/memory/1724-59-0x0000000000C30000-0x0000000001555000-memory.dmp    vmprotect
behavioral1/memory/1724-62-0x0000000000C30000-0x0000000001555000-memory.dmp    vmprotect
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description                    pid     process
Token: SeShutdownPrivilege     1724    WXCltAidEx.exe
Token: SeDebugPrivilege        1724    WXCltAidEx.exe    (this entry is repeated; it accounts for the remaining 63 of the 64 IoCs)
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
pid     process
1724    WXCltAidEx.exe    (listed 3 times; all three IoCs come from the same process)
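The signature tables in a report like this are extracted as one run-on line per table, which makes the privilege-adjustment list hard to read and easy to miscount. As an added example (not code from the report or from the Triage sandbox), the following Python parses that flattened text into per-process privilege counts and YARA hits. The SIGNATURES excerpt is a constructed, truncated copy in the same layout as the block above, and the HIGH_RISK privilege set is a reviewer's shortlist, not something the report defines.

```python
"""Parse the flattened Signatures block of a sandbox report into structured
per-process summaries. Added example; input is a constructed excerpt."""
import re
from collections import Counter, defaultdict

# Constructed excerpt in the same layout as the report's Signatures block,
# truncated to a handful of events so it runs offline.
SIGNATURES = """
resource yara_rule behavioral1/memory/1724-55-0x0000000000C30000-0x0000000001555000-memory.dmp vmprotect behavioral1/memory/1724-59-0x0000000000C30000-0x0000000001555000-memory.dmp vmprotect
WXCltAidEx.exedescription pid process Token: SeShutdownPrivilege 1724 WXCltAidEx.exe Token: SeDebugPrivilege 1724 WXCltAidEx.exe Token: SeDebugPrivilege 1724 WXCltAidEx.exe
"""

# "Token: <privilege> <pid> <process>" as emitted for AdjustPrivilegeToken.
TOKEN_RE = re.compile(r"Token:\s+(Se\w+Privilege)\s+(\d+)\s+(\S+)")
# "<behavioralN/memory/...dmp> <rule>" as emitted for the yara_rule table.
YARA_RE = re.compile(r"(behavioral\d+/memory/\S+\.dmp)\s+(\w+)")

# Privileges that let a process tamper with other processes or the kernel.
# Assumption: a reviewer's shortlist, not a list taken from the report.
HIGH_RISK = {"SeDebugPrivilege", "SeLoadDriverPrivilege", "SeTcbPrivilege",
             "SeImpersonatePrivilege", "SeBackupPrivilege", "SeRestorePrivilege"}


def parse_token_events(text):
    """Return (privilege, pid, process) tuples for every AdjustPrivilegeToken entry."""
    return [(priv, int(pid), proc) for priv, pid, proc in TOKEN_RE.findall(text)]


def summarize_privileges(events):
    """Count how often each privilege was adjusted, keyed by (pid, process)."""
    summary = defaultdict(Counter)
    for priv, pid, proc in events:
        summary[(pid, proc)][priv] += 1
    return dict(summary)


def parse_yara_hits(text):
    """Return (dump_path, rule) pairs from the yara_rule table."""
    return YARA_RE.findall(text)


def high_risk_processes(summary):
    """Processes that enabled at least one privilege from HIGH_RISK."""
    return sorted(
        (pid, proc, sorted(set(counts) & HIGH_RISK))
        for (pid, proc), counts in summary.items()
        if set(counts) & HIGH_RISK
    )


if __name__ == "__main__":
    summary = summarize_privileges(parse_token_events(SIGNATURES))
    for (pid, proc), counts in summary.items():
        print(f"{proc} (pid {pid}): {dict(counts)}")
    print("high-risk:", high_risk_processes(summary))
    print("yara:", parse_yara_hits(SIGNATURES))
```

Run against the full report text, the same parser turns the 64-entry list into two counters (SeShutdownPrivilege once, SeDebugPrivilege for the rest), which is the figure a triage note should carry rather than the raw repetition.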
Processes
Network
MITRE ATT&CK Matrix
Downloads
memory dump                                                         Filesize
memory/1724-54-0x0000000074B51000-0x0000000074B53000-memory.dmp    8KB
memory/1724-55-0x0000000000C30000-0x0000000001555000-memory.dmp    9.1MB
memory/1724-59-0x0000000000C30000-0x0000000001555000-memory.dmp    9.1MB
memory/1724-60-0x0000000004140000-0x0000000004B4F000-memory.dmp    10.1MB
memory/1724-61-0x0000000004140000-0x0000000004B4F000-memory.dmp    10.1MB
memory/1724-62-0x0000000000C30000-0x0000000001555000-memory.dmp    9.1MB
memory/1724-63-0x0000000004140000-0x0000000004B4F000-memory.dmp    10.1MB
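The dump names encode the PID, a sequence number and the virtual address range of each region, so the Filesize column can be recomputed and the dumps grouped by region rather than by sequence number. As an added example (not code from the report or from the sandbox), the following Python does that and cross-references the regions with the vmprotect hits from the yara_rule table. The dump names and sizes are copied from the list above; the VMPROTECT_HITS set is the three dumps the yara_rule table tags, and the KB/MB rounding is an assumption made to match the report's Filesize column.

```python
"""Recompute region sizes from sandbox memory-dump names and group the dumps
by address range, marking which regions carried a YARA hit. Added example."""
import re

# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")

# Dump names and the Filesize the report shows for each (copied from above).
DUMPS = [
    ("memory/1724-54-0x0000000074B51000-0x0000000074B53000-memory.dmp", "8KB"),
    ("memory/1724-55-0x0000000000C30000-0x0000000001555000-memory.dmp", "9.1MB"),
    ("memory/1724-59-0x0000000000C30000-0x0000000001555000-memory.dmp", "9.1MB"),
    ("memory/1724-60-0x0000000004140000-0x0000000004B4F000-memory.dmp", "10.1MB"),
    ("memory/1724-61-0x0000000004140000-0x0000000004B4F000-memory.dmp", "10.1MB"),
    ("memory/1724-62-0x0000000000C30000-0x0000000001555000-memory.dmp", "9.1MB"),
    ("memory/1724-63-0x0000000004140000-0x0000000004B4F000-memory.dmp", "10.1MB"),
]

# Dumps the report's yara_rule table tags as vmprotect.
VMPROTECT_HITS = {
    "memory/1724-55-0x0000000000C30000-0x0000000001555000-memory.dmp",
    "memory/1724-59-0x0000000000C30000-0x0000000001555000-memory.dmp",
    "memory/1724-62-0x0000000000C30000-0x0000000001555000-memory.dmp",
}


def parse_dump_name(name):
    """Split a dump name into pid, sequence number and [start, end) addresses."""
    m = DUMP_RE.search(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name}")
    pid, seq, start, end = m.groups()
    return {"pid": int(pid), "seq": int(seq),
            "start": int(start, 16), "end": int(end, 16)}


def region_size(name):
    """Size in bytes of the region a dump covers."""
    d = parse_dump_name(name)
    return d["end"] - d["start"]


def human_size(n):
    """Assumption: report style, whole KB below 1 MiB, else MiB to one decimal."""
    if n < 1024 * 1024:
        return f"{n // 1024}KB"
    return f"{n / (1024 * 1024):.1f}MB"


def check_reported_sizes(dumps):
    """True when every recomputed size matches the report's Filesize column."""
    return all(human_size(region_size(name)) == shown for name, shown in dumps)


def regions(dumps, hits):
    """Group dumps by address range; record sequence numbers and YARA hits."""
    out = {}
    for name, _ in dumps:
        d = parse_dump_name(name)
        key = (d["start"], d["end"])
        r = out.setdefault(key, {"size": d["end"] - d["start"],
                                 "seqs": [], "vmprotect": False})
        r["seqs"].append(d["seq"])
        if name in hits:
            r["vmprotect"] = True
    return out


if __name__ == "__main__":
    print("sizes match report:", check_reported_sizes(DUMPS))
    for (start, end), r in sorted(regions(DUMPS, VMPROTECT_HITS).items()):
        print(f"{start:#010x}-{end:#010x} {human_size(r['size']):>7} "
              f"dumped {len(r['seqs'])}x (seq {r['seqs']}) vmprotect={r['vmprotect']}")
```

Grouping this way shows that the seven dumps cover only three regions: an 8 KB region at 0x74B51000, the 9.1 MB region at 0xC30000 (dumped at sequence 55, 59 and 62, every copy matching vmprotect) and the 10.1 MB region at 0x4140000 (dumped at 60, 61 and 63, with no hit). Repeated dumps of one range are the sandbox capturing that range again after it changed, so the vmprotect region is the one to open first.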