Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64
    arch:x86
    image:win10v2004-20220812-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    27-11-2022 20:36

General

  • Target

    ed72018e13161b4380f6339e1963d676f1a5e49d2fb86cf9e726727ef4bdd0c2.exe

  • Size

    314KB

  • MD5

    5154b54879098779ace257477c524cec

  • SHA1

    1b03fd2e17ee5c8a0ecd1b8aabad80c87338174a

  • SHA256

    ed72018e13161b4380f6339e1963d676f1a5e49d2fb86cf9e726727ef4bdd0c2

  • SHA512

    28a90ac64f0c1964d077cd2556e760c207843fe0b0f318894efe8f5f755e9d326d6156821ff54c783ce82936b5f5c2507215d86d864a3047c8789adc8c0fa8ba

  • SSDEEP

    6144:SROaTaPB0LqOFV/+s08n2+SJXbXYqG7w51:S/GPmV/+snuJXbXzG

Score
6/10

Malware Config

Signatures

  • Drops desktop.ini file(s) 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ed72018e13161b4380f6339e1963d676f1a5e49d2fb86cf9e726727ef4bdd0c2.exe
    "C:\Users\Admin\AppData\Local\Temp\ed72018e13161b4380f6339e1963d676f1a5e49d2fb86cf9e726727ef4bdd0c2.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2620
    • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\h0eltmxb.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4368
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD4DA.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD4D9.tmp"
        3⤵
        PID:2760
    • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qxnoi9ns.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1572
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES29EF.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC29EE.tmp"
        3⤵
        PID:4092
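The process tree above is the footprint of .NET CodeDOM compilation: the sample (PID 2620, running from the user's Temp directory) calls into System.CodeDom, which writes a random-named <name>.0.cs and <name>.cmdline response file to Temp, launches csc.exe with /noconfig /fullpaths @<name>.cmdline, and gets <name>.dll back in the same directory (the h0eltmxb.* and qxnoi9ns.* entries in the Downloads list below are exactly those files). Each csc.exe spawns cvtres.exe to link the resource object (the CSC*.tmp input and RES*.tmp output), so the WriteProcessMemory hits on the two csc.exe processes are consistent with ordinary child-process creation rather than injection. CodeDOM uses the compiler of the runtime the caller is executing on, so the v2.0.50727 path indicates the sample runs on the 2.0-era CLR rather than v4.0.30319. The detector below is an added example, not part of the sandbox report: it walks a process-creation log, picks out csc.exe/vbc.exe launches driven by a .cmdline response file in a user Temp directory, grades them by whether the parent image also runs from Temp, and names the sibling files an analyst should pull. The images, command lines and PIDs of the first five log entries are copied from the report; the parent-PID links are assumed from its nesting, and the MSBuild and PowerShell control entries are constructed.

```python
"""Flag CodeDOM-style runtime C# compilation in a process-creation log.

Added example, not from the sandbox report. The first five SAMPLE_PROCS
entries copy the report's process tree (ppid links assumed from nesting);
the remaining entries are constructed benign controls.
"""
import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class Hit:
    pid: int
    parent_pid: int
    parent_image: str
    basename: str        # CodeDOM's random temp name, e.g. h0eltmxb
    confidence: str      # "high" when the parent also runs from Temp
    reasons: list = field(default_factory=list)
    artifacts: list = field(default_factory=list)


def win(*parts):
    """Join Windows path parts; keeps the constants below readable."""
    return "\\".join(parts)


SAMPLE = "ed72018e13161b4380f6339e1963d676f1a5e49d2fb86cf9e726727ef4bdd0c2.exe"
TEMP = win("C:", "Users", "Admin", "AppData", "Local", "Temp")
FW2 = win("C:", "Windows", "Microsoft.NET", "Framework64", "v2.0.50727")
FW4 = win("C:", "Windows", "Microsoft.NET", "Framework64", "v4.0.30319")
PS = win("C:", "Windows", "System32", "WindowsPowerShell", "v1.0", "powershell.exe")


def csc_cmd(fw, rsp):
    return '"%s" /noconfig /fullpaths @"%s"' % (win(fw, "csc.exe"), rsp)


def cvtres_cmd(fw, res, obj):
    return '%s /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%s" "%s"' % (
        win(fw, "cvtres.exe"), res, obj)


SAMPLE_PROCS = [
    Proc(2620, 0, win(TEMP, SAMPLE), '"%s"' % win(TEMP, SAMPLE)),
    Proc(4368, 2620, win(FW2, "csc.exe"), csc_cmd(FW2, win(TEMP, "h0eltmxb.cmdline"))),
    Proc(2760, 4368, win(FW2, "cvtres.exe"),
         cvtres_cmd(FW2, win(TEMP, "RESD4DA.tmp"), win(TEMP, "CSCD4D9.tmp"))),
    Proc(1572, 2620, win(FW2, "csc.exe"), csc_cmd(FW2, win(TEMP, "qxnoi9ns.cmdline"))),
    Proc(4092, 1572, win(FW2, "cvtres.exe"),
         cvtres_cmd(FW2, win(TEMP, "RES29EF.tmp"), win(TEMP, "CSC29EE.tmp"))),
    # Constructed control: an MSBuild build passes a project .rsp, not a Temp .cmdline.
    Proc(5000, 1, win("C:", "Program Files", "MSBuild", "MSBuild.exe"), "MSBuild.exe app.csproj"),
    Proc(5001, 5000, win(FW4, "csc.exe"), '"%s" /noconfig @"%s"' % (
        win(FW4, "csc.exe"), win("C:", "src", "app", "obj", "Debug", "app.csproj.rsp"))),
    # Constructed control: PowerShell Add-Type also compiles through CodeDOM and
    # produces the same Temp .cmdline, but its parent image is not in Temp.
    Proc(7000, 1, PS, "powershell.exe -File build.ps1"),
    Proc(7002, 7000, win(FW4, "csc.exe"), csc_cmd(FW4, win(TEMP, "abcd1234.cmdline"))),
]

COMPILER_RE = re.compile(r"\\(csc|vbc)\.exe$", re.I)
RESPONSE_RE = re.compile(r'@"?([^"\s]+\.cmdline)"?', re.I)
USER_TEMP_RE = re.compile(r"\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)


def find_runtime_compiles(procs):
    """Return one Hit per csc/vbc launch driven by a response file in a user Temp dir."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        if not COMPILER_RE.search(p.image):
            continue
        m = RESPONSE_RE.search(p.cmdline)
        if not m or not USER_TEMP_RE.search(m.group(1)):
            continue  # no response file, or a project .rsp: an ordinary build
        rsp_dir, rsp_name = m.group(1).rsplit("\\", 1)
        base = rsp_name[: -len(".cmdline")]
        parent = by_pid.get(p.ppid)
        reasons = ["response file in user Temp: " + m.group(1)]
        confidence = "medium"
        if parent is not None and USER_TEMP_RE.search(parent.image):
            reasons.append("parent image also runs from user Temp")
            confidence = "high"
        if any(c.ppid == p.pid and c.image.lower().endswith("\\cvtres.exe") for c in procs):
            reasons.append("cvtres.exe child: resources linked into the new assembly")
        # Sibling files CodeDOM writes next to the response file; pull them for analysis.
        artifacts = [win(rsp_dir, base + ext) for ext in (".0.cs", ".cmdline", ".dll")]
        hits.append(Hit(p.pid, p.ppid, parent.image if parent else "", base,
                        confidence, reasons, artifacts))
    return hits


if __name__ == "__main__":
    for h in find_runtime_compiles(SAMPLE_PROCS):
        print("[%s] csc.exe pid %d <- %s (pid %d)" % (h.confidence, h.pid, h.parent_image, h.parent_pid))
        for r in h.reasons:
            print("    -", r)
        print("    pull:", ", ".join(h.artifacts))
```

Run against the constructed log, the two csc.exe launches from the report come back as high-confidence hits with h0eltmxb and qxnoi9ns as the names to search for in Temp, the PowerShell control comes back as medium, and the MSBuild control is ignored because its response file is a project .rsp. Keying on the parent's location rather than on csc.exe alone matters in production: Add-Type, some installers and scripting hosts all legitimately produce a csc.exe with a Temp .cmdline, so a flat "csc.exe spawned" rule is noisy, while "csc.exe spawned by something running from Temp" is not.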

Network

MITRE ATT&CK Matrix

Downloads

      • C:\Users\Admin\AppData\Local\Temp\RES29EF.tmp

        Filesize

        1KB

        MD5

        6580ebed9ce5a541ce0ced94ee683d51

        SHA1

        756eea24276dc1f0f6ed7110528857b034c59bdf

        SHA256

        06055507e80de70fa57c6e968eda2653201712fdeaa5994f4e78b31da1dec726

        SHA512

        5d843ba4f2978eced1bc9ec7a38046b415706a8021e6e9983353b500e64fbdd6c106f6d6b6315efc6fcfc7440ede46ff823b69c96d80054f0d656ea251ec8b6b

      • C:\Users\Admin\AppData\Local\Temp\RESD4DA.tmp

        Filesize

        1KB

        MD5

        a0b70f599fe06f10cab4183c9000f310

        SHA1

        60d320ddcd5c75fc1bbffe7b876bda64c5aada86

        SHA256

        eb8c81a72a3f675bcdf9ab8b019a758fd5dc082bcce07ff035938eb0f167484e

        SHA512

        5791e984cb8349710a4e7b6bbcbb55baf283e8f6ab3ea7c2f23c73e83949c4e648c6fb69537de5dbcda4f1536150bf4a5be5273d3a941144110a163d5bbcf560

      • C:\Users\Admin\AppData\Local\Temp\h0eltmxb.dll

        Filesize

        8KB

        MD5

        21f9c3f3ecefb9439c5889bafb8b5331

        SHA1

        0d4e67f62255372738d3b732bfdd2f50f8243e0d

        SHA256

        12a17439a6b53954fb40a29023e1bfa0c2a386dbbe1e9831d674e85adf01bc93

        SHA512

        6858c8e14a53e71874121de8b4c7ba802cf15ad9311993d3c3089b51ea3de490613aee32aee0208ba3609d84beb922ba063f7812d50cf9b9dc602137212ac85d

      • C:\Users\Admin\AppData\Local\Temp\qxnoi9ns.dll

        Filesize

        9KB

        MD5

        f1d51f99aea82ff03d43000985f3a14c

        SHA1

        d076ed77b442698a6f9d7b34a161794751b26cd4

        SHA256

        24f93982dd1c4e38c08b36da35113ef27ec4d1b5da3287913057a02f0ab44020

        SHA512

        d86c6b8c0d7294366d2e262cc46e142224a83219b2510a37deff3f5c7bf5c75be814ced731385e2db97ad1c4278ac178fec95a113ee7819287647cab8de009c9

      • \??\c:\Users\Admin\AppData\Local\Temp\CSC29EE.tmp

        Filesize

        652B

        MD5

        5f2c0dc6fc82fafaf798ef1bc9164c76

        SHA1

        7dbd80f92dd239a31820025ad8f368b8e82b1415

        SHA256

        f2f80dfd03dd4a51b9d44b58ad4f6831ee212f1066f26e008ebac4c65546ddff

        SHA512

        bb8512a57f3e32663c0c8fc9ee01bfbb4c575a91fedd6fd80ac7393c18eb7b39c283e91528afbaf49f6affba28219e5e14dd5ca1aafd12eb279c15655567dd55

      • \??\c:\Users\Admin\AppData\Local\Temp\CSCD4D9.tmp

        Filesize

        652B

        MD5

        570aacc357fe0ae3f025ed10b2d8fbdd

        SHA1

        3ce24aa2effb2619cb6d8a3f3cdbab4bbbef1f67

        SHA256

        57e2c9114c4372e3e715bd5c64566eee1b4c14686a63abc774c3941e55e5c6a4

        SHA512

        ac8d6a603fd1ca221cbc65bc7b2381653f62bfff29cbfb4426482a092883d5cd928974aec618403fbb4c76356902c07ed70c1d9c9f3a169f7264eb2cbfd31a61

      • \??\c:\Users\Admin\AppData\Local\Temp\h0eltmxb.0.cs

        Filesize

        10KB

        MD5

        fb01217e8ce4a28a622198e32c3e3379

        SHA1

        8b4614e295fbb55238f8f1e2daac85115906eb87

        SHA256

        4aa0bb88bc1631647e34d7b653c7b076ef6fd46855425aa03215f8f0d21f90fb

        SHA512

        22c7012362aee88d9fa80bbcd4fc6f3aa6322381e01b4f5034d385f91400c39657bb1985762db799fd2cfb99bbc12b20c3598259b26ad8a30a7a144e39e8038a

      • \??\c:\Users\Admin\AppData\Local\Temp\h0eltmxb.cmdline

        Filesize

        639B

        MD5

        3853f4f347f606287e9401dc54301ce4

        SHA1

        e30fcac1fba21b69e200d3190a901a9b8cd23ef7

        SHA256

        46267586ccdfc53aa83c72995d19a8fb3256cf26fb07f05b923e1e99177a5843

        SHA512

        bf84db2acbe597417f4543b712a366a33ff45d7d475a11e3851970c1ec9c00f00b6dadc2f449ad9833f054656ff0d62e7af0affd91aa6419d4dcded0ccbe2553

      • \??\c:\Users\Admin\AppData\Local\Temp\qxnoi9ns.0.cs

        Filesize

        11KB

        MD5

        2bfb1dde57a4172c76292f3765dca81c

        SHA1

        f1aa7d32d70d0c91d353396ad026edf7d7923d40

        SHA256

        71d68c299d69bf541816338a86d7ebef6ac56f82e5a93b3aee6794d4d00cd942

        SHA512

        2a70be783887e4d1544d8a68d3fb6a0db240066223dc413be89f3b2765cd73df0d2a6a79bcb6f3971bda24d3fb582cc98bbd35fcd947032bc2c16db2325b00fb

      • \??\c:\Users\Admin\AppData\Local\Temp\qxnoi9ns.cmdline

        Filesize

        639B

        MD5

        4abd13e7a162655cecb316d8e66fc27f

        SHA1

        6b34a3c7f62b9c7fa3f0e9273179eb212ba70c00

        SHA256

        45a3996c9663e1d23294f2d3fc25096167022a61f6d3b4e70c902ed7cde7e299

        SHA512

        cce43441a6c3b290c88c89324e878db6cae123e283a9cc1731ca4556f95f82d24fb2952cade6ab6a8f022d0df2960b14cedc670c996861d619a715faf2a58883

      • memory/1572-142-0x0000000000000000-mapping.dmp

      • memory/2620-132-0x00007FFE4D6F0000-0x00007FFE4E126000-memory.dmp

        Filesize

        10.2MB

      • memory/2620-141-0x0000000000FDA000-0x0000000000FDF000-memory.dmp

        Filesize

        20KB

      • memory/2620-133-0x0000000000FDA000-0x0000000000FDF000-memory.dmp

        Filesize

        20KB

      • memory/2760-137-0x0000000000000000-mapping.dmp

      • memory/4092-145-0x0000000000000000-mapping.dmp

      • memory/4368-134-0x0000000000000000-mapping.dmp