0cf354bce568a67472ed00ab81c4a30df6c39c922afdb181f5c0b141a9ade9e9

Analysis

max time kernel
112s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
27/11/2022, 17:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0cf354bce568a67472ed00ab81c4a30df6c39c922afdb181f5c0b141a9ade9e9.exe
Size

172KB
MD5

1861263d3c9cbbda0a963a86601a3df0
SHA1

19932aa314e59267d85a8c2b963fb1cd6f5313c8
SHA256

0cf354bce568a67472ed00ab81c4a30df6c39c922afdb181f5c0b141a9ade9e9
SHA512

01f83def90a94c6abd62e44d1314bdbcb9f0c7021e8ad9c316ae393c678a653b832d6825269a1631b1aad67a2ef192d1986f1546de79db1f0a61aab6cd4dfab0
SSDEEP

1536:d/Ph1p1xDIjx1c+LYLCXsxeAS1RP6u7LGto69F4ZBbuLHhaFo2DHhOEgxSYRoYTN:dHL2jx5LYCCF4ZBbuL2o2dKxFVFSU

Score

6^/10

Malware Config

Signatures

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	0cf354bce568a67472ed00ab81c4a30df6c39c922afdb181f5c0b141a9ade9e9.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	0cf354bce568a67472ed00ab81c4a30df6c39c922afdb181f5c0b141a9ade9e9.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	0cf354bce568a67472ed00ab81c4a30df6c39c922afdb181f5c0b141a9ade9e9.exe
File created	C:\Windows\assembly\Desktop.ini	0cf354bce568a67472ed00ab81c4a30df6c39c922afdb181f5c0b141a9ade9e9.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	0cf354bce568a67472ed00ab81c4a30df6c39c922afdb181f5c0b141a9ade9e9.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3548	0cf354bce568a67472ed00ab81c4a30df6c39c922afdb181f5c0b141a9ade9e9.exe
Token: 33	3548	0cf354bce568a67472ed00ab81c4a30df6c39c922afdb181f5c0b141a9ade9e9.exe
Token: SeIncBasePriorityPrivilege	3548	0cf354bce568a67472ed00ab81c4a30df6c39c922afdb181f5c0b141a9ade9e9.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3548 wrote to memory of 4768	3548	0cf354bce568a67472ed00ab81c4a30df6c39c922afdb181f5c0b141a9ade9e9.exe	81
PID 3548 wrote to memory of 4768	3548	0cf354bce568a67472ed00ab81c4a30df6c39c922afdb181f5c0b141a9ade9e9.exe	81
PID 4768 wrote to memory of 3404	4768	csc.exe	82
PID 4768 wrote to memory of 3404	4768	csc.exe	82
PID 3548 wrote to memory of 4528	3548	0cf354bce568a67472ed00ab81c4a30df6c39c922afdb181f5c0b141a9ade9e9.exe	84
PID 3548 wrote to memory of 4528	3548	0cf354bce568a67472ed00ab81c4a30df6c39c922afdb181f5c0b141a9ade9e9.exe	84
PID 4528 wrote to memory of 4184	4528	csc.exe	85
PID 4528 wrote to memory of 4184	4528	csc.exe	85

C:\Users\Admin\AppData\Local\Temp\0cf354bce568a67472ed00ab81c4a30df6c39c922afdb181f5c0b141a9ade9e9.exe
"C:\Users\Admin\AppData\Local\Temp\0cf354bce568a67472ed00ab81c4a30df6c39c922afdb181f5c0b141a9ade9e9.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3548
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\omylo4kx.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4768
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES99A6.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC99A5.tmp"
    3⤵
    PID:3404
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bxzbrf7d.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4528
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA128.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA127.tmp"
    3⤵
    PID:4184

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES99A6.tmp

Filesize
1KB

MD5
59babbcb19a7b64d5891f3602c901a19

SHA1
80bb574aa14d2ed2379ebcc7fdd00cfb608ad7c2

SHA256
1e1fd7bf1193c657f83ffbf2bc5ad5d56aad82798da23e8e5fb81416dcc104b4

SHA512
4a51feed34434578f177630334fbd9ca0d8700137ac2f2e067675cdf20b8b5057ef90d8988e87259378c47d7e45382dd1285df92722c6c56483cbff1d38bcfea

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA128.tmp

Filesize
1KB

MD5
2cba6d58f905ad7c9359d6d4e4e4d57a

SHA1
3561b5e6dd63de47aa8101af36b0d3d97b7f31d3

SHA256
f1649335e687c2e3a9fce91f448a1007e723f0944e043a8ada2ebb74fb01f86b

SHA512
1703d97b85d2172188e1460ca8b315ae8cd5df1fadebfdee2d7116f543799b9bcd104a4e5049b741fc63adc708d74130cac51354d176c0b5e19943bfe294445f

Download Submit
C:\Users\Admin\AppData\Local\Temp\bxzbrf7d.dll

Filesize
9KB

MD5
beb8f9b5ea4df8bd97f03a76b7de9356

SHA1
a703e89a301d3124d6d73a8fffcb6038b4cac926

SHA256
ed094f5f55526a21686aefaf53200814e9fd86e5ea101c0e239896826810edf5

SHA512
2011a107b38c5c4589f666125c4fdf60ae6e7bbd43bff9187a78a2f4abb6596e1e9936533c52778e7c0314165c0f8487e4500aa7adaf3e5eae9d9cd9ddc8eb01

Download Submit
C:\Users\Admin\AppData\Local\Temp\omylo4kx.dll

Filesize
8KB

MD5
9aa472f706746214008dec159b5d9bf9

SHA1
4138c171908fe4018e64d70024233eadf8dceee1

SHA256
11347daf3fa66821ba6aa34dffde0d3707df7665b89717b21aa674c3e1dd6b8c

SHA512
0adb7eedffe9c763f481ad8bd3855ba26cec0b63d479e67a4d583e37b55d719035d94aec65886170eac828c5ea0043e030c5ee6091d2a4fa4df8c6e716bacd33

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC99A5.tmp

Filesize
664B

MD5
2e3aeaef56607ab3e1e7e80abc28a3b8

SHA1
c09102915ea39c5c64a49033df55b2a52529eb47

SHA256
61bae08885ecff6b9f8f09b21b2e14a937b686f862222160d617bf8f1606412a

SHA512
cf7332d874587431b1871566e8acf736e17cef2a440f5a7d616cfc92777e6650ff388772998bfa909651b642454400440d2903ca5e9faf2270a6bd52fd96a9f5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCA127.tmp

Filesize
664B

MD5
6d1f294385c70fafe58e429f7c4672fe

SHA1
13893054a5c9fe2d0b7f4fef6365d04cd679d92e

SHA256
52e1dbd9e51c3b523896c944d652b3681de86ad0e9f4dd49ce3aee7350a5dae0

SHA512
2e8cab54c50dd6a5d7e92f7bfa4707fd02347881f56f6d22f0a572dc59c99933a3a02e2c47e35311d7e85e79203a9788b413a2d08b1d80bedc4edd1720cd16e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bxzbrf7d.0.cs

Filesize
11KB

MD5
9b31b087defc46a2b0d8ba3ff1c11261

SHA1
5cf83130b200358b0ba9e5793bd3cd5eeb2ff701

SHA256
8dc593351bf10333383d12cad10f343a627c437962bc8ac67faeed920404c9a7

SHA512
3a7e0cce69fe989191357beec49253f36c95861617574591fc4b2598e30f7eda7b425f747b536e9d74beb1b61a08b4d99db2a2ef4c1bb610baddbe60c4318500

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bxzbrf7d.cmdline

Filesize
639B

MD5
b62f36a4456d68ccc77c712623c7d6ac

SHA1
be8dfe0b1334ffe14aaeb05f323d8403883d81b9

SHA256
5b1ccc9ad89306acc273219bb92a2e8c54dfd6e823e41f49eab2a437d3d2d9b3

SHA512
2141c6922f6eb59b4d116c488378a5264c2f671f2c3981b4ca5a449e6038f1550ccc72ae409676d6b5550b849463f104b4d57348801dde5bf6b6b1b8d7f48169

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\omylo4kx.0.cs

Filesize
10KB

MD5
fd6cedd02c6d195e2e500b2b25e1a108

SHA1
114a6db72863cd215791d278bf7ceda8924a899f

SHA256
08b261305f63e393c5a350e599585b08c80701d3124f6514673154266ee49772

SHA512
fe08f9a126cd86f59d82f2055f2055d44cf6532ae7d3027fe271beffa9069ebce0c3b862681fd4aa4f7cc226b587f0a1c7257c795dd5e2685feb635a1f40335b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\omylo4kx.cmdline

Filesize
639B

MD5
f4e3e4dc0ed82b40b638f7a60da64e43

SHA1
67dcf67166660dcbfe4620698f2d7182d1e3cfe6

SHA256
48f60e2562cd3712936028996e7639cc3f0ad40f97212bbf6b93a0dc1049206c

SHA512
544c40cc49333fc27945d9ea5dafdad66a2ee11a0b6f78f03225e044472ef7e4ffac327e5c1ab3c9c34d192c79216094f7aa7e0d8b4d6f4c05732151b0ba75b0

Download Submit
memory/3548-141-0x000000001D0F0000-0x000000001D1F0000-memory.dmp

Filesize
1024KB

Download
memory/3548-132-0x00007FFDB5190000-0x00007FFDB5BC6000-memory.dmp

Filesize
10.2MB

Download
memory/3548-133-0x000000000191A000-0x000000000191F000-memory.dmp

Filesize
20KB

Download
memory/3548-149-0x000000000191A000-0x000000000191F000-memory.dmp

Filesize
20KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads