0cf354bce568a67472ed00ab81c4a30df6c39c922afdb181f5c0b141a9ade9e9

Analysis

max time kernel
40s
max time network
65s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
27-11-2022 17:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0cf354bce568a67472ed00ab81c4a30df6c39c922afdb181f5c0b141a9ade9e9.exe
Size

172KB
MD5

1861263d3c9cbbda0a963a86601a3df0
SHA1

19932aa314e59267d85a8c2b963fb1cd6f5313c8
SHA256

0cf354bce568a67472ed00ab81c4a30df6c39c922afdb181f5c0b141a9ade9e9
SHA512

01f83def90a94c6abd62e44d1314bdbcb9f0c7021e8ad9c316ae393c678a653b832d6825269a1631b1aad67a2ef192d1986f1546de79db1f0a61aab6cd4dfab0
SSDEEP

1536:d/Ph1p1xDIjx1c+LYLCXsxeAS1RP6u7LGto69F4ZBbuLHhaFo2DHhOEgxSYRoYTN:dHL2jx5LYCCF4ZBbuL2o2dKxFVFSU

Score

1^/10

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1452	0cf354bce568a67472ed00ab81c4a30df6c39c922afdb181f5c0b141a9ade9e9.exe
Token: 33	1452	0cf354bce568a67472ed00ab81c4a30df6c39c922afdb181f5c0b141a9ade9e9.exe
Token: SeIncBasePriorityPrivilege	1452	0cf354bce568a67472ed00ab81c4a30df6c39c922afdb181f5c0b141a9ade9e9.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1452 wrote to memory of 1484	1452	0cf354bce568a67472ed00ab81c4a30df6c39c922afdb181f5c0b141a9ade9e9.exe	28
PID 1452 wrote to memory of 1484	1452	0cf354bce568a67472ed00ab81c4a30df6c39c922afdb181f5c0b141a9ade9e9.exe	28
PID 1452 wrote to memory of 1484	1452	0cf354bce568a67472ed00ab81c4a30df6c39c922afdb181f5c0b141a9ade9e9.exe	28
PID 1484 wrote to memory of 564	1484	csc.exe	30
PID 1484 wrote to memory of 564	1484	csc.exe	30
PID 1484 wrote to memory of 564	1484	csc.exe	30
PID 1452 wrote to memory of 576	1452	0cf354bce568a67472ed00ab81c4a30df6c39c922afdb181f5c0b141a9ade9e9.exe	31
PID 1452 wrote to memory of 576	1452	0cf354bce568a67472ed00ab81c4a30df6c39c922afdb181f5c0b141a9ade9e9.exe	31
PID 1452 wrote to memory of 576	1452	0cf354bce568a67472ed00ab81c4a30df6c39c922afdb181f5c0b141a9ade9e9.exe	31
PID 576 wrote to memory of 1548	576	csc.exe	33
PID 576 wrote to memory of 1548	576	csc.exe	33
PID 576 wrote to memory of 1548	576	csc.exe	33

C:\Users\Admin\AppData\Local\Temp\0cf354bce568a67472ed00ab81c4a30df6c39c922afdb181f5c0b141a9ade9e9.exe
"C:\Users\Admin\AppData\Local\Temp\0cf354bce568a67472ed00ab81c4a30df6c39c922afdb181f5c0b141a9ade9e9.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1452
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\winy_mqs.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1484
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8519.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8518.tmp"
    3⤵
    PID:564
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qe0pwj1n.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:576
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB87.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB86.tmp"
    3⤵
    PID:1548

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8519.tmp

Filesize
1KB

MD5
0192dd610a05ed8eef124ab8e19fa0fd

SHA1
b8303557edb120d499b5c0f4a8f70af630a80137

SHA256
4c945111299b0251a178fbc09c8dc1137d0285ab66590f2a3631684a44a3967e

SHA512
b9b690b0d0049802896a0be80d332aa1291dd7471f072face40e1baf23bca900a77d88e5a37d5d4c92f1155241b3784e4c5a126b7a8b88116ccca2f123de6954

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB87.tmp

Filesize
1KB

MD5
51e6dcbe08867d0e0782afd5d4f2d570

SHA1
dae06cb0ebc145960f9ae193f689562f42261b17

SHA256
546e471e5f3dc458d196b1763afcff73eeac9d26f4c884043b1daf2bbd521a4a

SHA512
e10bb7271fa15cb16223dccde8ce851785fb0fb11b067edeb96ddcdb7650d87af931c27845f47c69e272e51d6afef86ecd3e82e8c0e641f3e048296f1cc13080

Download Submit
C:\Users\Admin\AppData\Local\Temp\qe0pwj1n.dll

Filesize
9KB

MD5
178498a100c259959fb320f219697180

SHA1
0f76ad758f903c99f90a9cc04d27c92a9a9036b5

SHA256
aab9ec38aac2141d9b437e5df93d9b15760c5893afa8ea5a5f9d2c53b1c2b5f9

SHA512
76661289bc604623870ce1b2194f1cf80e6b335c4532d3a347ff05d5fec04bc536bd34284a94b05f897ea4ab368acf4ddd5fcb0d288ca238bdf3ac54a9bbcff1

Download Submit
C:\Users\Admin\AppData\Local\Temp\winy_mqs.dll

Filesize
8KB

MD5
a78c0a03d1e8d8acbb42af5fb93872b1

SHA1
a3afd71a6130b014aad37ca3c4fadc663814c045

SHA256
f8847264b11559c6c8ddc7413378fde12a0e0c468e2005a94b978202c6c51128

SHA512
3f1b485752b455adf7f3c7ed74c72bad96ec0a70a7a5d76dc501a5736af4cc6f0001cd069b899556dbcaa289f06f0a11857926a7136bb3dafc4e6a137884c994

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC8518.tmp

Filesize
664B

MD5
ed1bab54cddc9f70004d5a2c2d60ab6a

SHA1
bf8fa54a8d723a6c7016a298ccda66be8aca9fc9

SHA256
5612e99209397b717fc4e206e76c0e191afa877aeb507015a1649777757d8b6e

SHA512
59cdb9d2b0dff95ee231dc0bc3a6220ec10631ff4609aee2affa95066f747f1aaf2b35d8d77137faf1a673cf348f7227940e46c416dd762cba4343cf4c57ef10

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCB86.tmp

Filesize
664B

MD5
6961c6c877841390cdb5121fd63a64be

SHA1
131213bcf42aae26ca2c6acbac1cd32bf9ee45bd

SHA256
a7d3dcdb7bb4ded169c0907b5adfbaa9847c3f429ab1b503b58190e77dd9db54

SHA512
6d2443fbe018336c5fda6cc858fc43e545b139b39fd9ddd05e762029ad7f05b8abc9371faf8be0de93c93411192c931fa6fcde7ac3c9a3f3b922368fc352fd08

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qe0pwj1n.0.cs

Filesize
11KB

MD5
9b31b087defc46a2b0d8ba3ff1c11261

SHA1
5cf83130b200358b0ba9e5793bd3cd5eeb2ff701

SHA256
8dc593351bf10333383d12cad10f343a627c437962bc8ac67faeed920404c9a7

SHA512
3a7e0cce69fe989191357beec49253f36c95861617574591fc4b2598e30f7eda7b425f747b536e9d74beb1b61a08b4d99db2a2ef4c1bb610baddbe60c4318500

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qe0pwj1n.cmdline

Filesize
639B

MD5
fca42d697feb88742a5290a4a0a1894e

SHA1
aa26124a930875f2132a5e282880baea4e0a91c3

SHA256
24c52cbd5ab969b0a2a8c95ab12e1ca1fe8d76a14602cc873f5e81a60daa1935

SHA512
2264265f0c481c9bc0165aee250bcf01c80a6cc1c2e1d595c3e996d81c887a91083e9a4499e406d421446c6343ca86d1598529015e69e941bd209bd0f49ab072

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\winy_mqs.0.cs

Filesize
10KB

MD5
fd6cedd02c6d195e2e500b2b25e1a108

SHA1
114a6db72863cd215791d278bf7ceda8924a899f

SHA256
08b261305f63e393c5a350e599585b08c80701d3124f6514673154266ee49772

SHA512
fe08f9a126cd86f59d82f2055f2055d44cf6532ae7d3027fe271beffa9069ebce0c3b862681fd4aa4f7cc226b587f0a1c7257c795dd5e2685feb635a1f40335b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\winy_mqs.cmdline

Filesize
639B

MD5
031969cb3f94082000d01fe85eba9a02

SHA1
e95fe091a6a35d46a617203c0e421f4186bebd87

SHA256
1bacb9a427483eb61ac71c537f41dce7bb764bb45ab54f68b541e1afd7e3de7a

SHA512
f439e572c70b12ada6de972a98df15f7eb5a346a6b5edf15bc4c1d09394a8df0b7d677ca7d24319739e75f0866bda4e6c6051448aa199907b6b9ef5fdf2e50a3

Download Submit
memory/1452-63-0x0000000001F48000-0x0000000001F4C000-memory.dmp

Filesize
16KB

Download
memory/1452-65-0x0000000001F28000-0x0000000001F47000-memory.dmp

Filesize
124KB

Download
memory/1452-54-0x000007FEF3D60000-0x000007FEF4783000-memory.dmp

Filesize
10.1MB

Download
memory/1452-56-0x0000000001F28000-0x0000000001F47000-memory.dmp

Filesize
124KB

Download
memory/1452-55-0x000007FEED780000-0x000007FEEE816000-memory.dmp

Filesize
16.6MB

Download
memory/1452-73-0x0000000001F28000-0x0000000001F47000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads