5a500641b54b434d13251592dae967c29a42c2dcd7912a9c7e99068f4a1787f6

Analysis

max time kernel
185s
max time network
208s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
28/11/2022, 03:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5a500641b54b434d13251592dae967c29a42c2dcd7912a9c7e99068f4a1787f6.exe
Size

166KB
MD5

e0a266ad3ec80741f42327619c4a6f1e
SHA1

d6a181ef9ac7c23865f3b78b731a29ed43f575dc
SHA256

5a500641b54b434d13251592dae967c29a42c2dcd7912a9c7e99068f4a1787f6
SHA512

8e005958abc33c83f8070a66b68b4f2ae46bca3c09eeeb93a2d1d37424a0a468ee6c93114f26c49b462a42fd77f7ca9501bae7c33f44b4c33f6d75d85a5ec3ab
SSDEEP

3072:aOFgpj3G5oFs3ygWwq/Ot881Tfs4Nij+tzE5iL+2+g:aOqpj3GiFUpWXh8WaijQmiL+Bg

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1068	cmd.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1392 set thread context of 1156	1392	5a500641b54b434d13251592dae967c29a42c2dcd7912a9c7e99068f4a1787f6.exe	28

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1156	5a500641b54b434d13251592dae967c29a42c2dcd7912a9c7e99068f4a1787f6.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1156	5a500641b54b434d13251592dae967c29a42c2dcd7912a9c7e99068f4a1787f6.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1392	5a500641b54b434d13251592dae967c29a42c2dcd7912a9c7e99068f4a1787f6.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1392 wrote to memory of 1156	1392	5a500641b54b434d13251592dae967c29a42c2dcd7912a9c7e99068f4a1787f6.exe	28
PID 1392 wrote to memory of 1156	1392	5a500641b54b434d13251592dae967c29a42c2dcd7912a9c7e99068f4a1787f6.exe	28
PID 1392 wrote to memory of 1156	1392	5a500641b54b434d13251592dae967c29a42c2dcd7912a9c7e99068f4a1787f6.exe	28
PID 1392 wrote to memory of 1156	1392	5a500641b54b434d13251592dae967c29a42c2dcd7912a9c7e99068f4a1787f6.exe	28
PID 1392 wrote to memory of 1156	1392	5a500641b54b434d13251592dae967c29a42c2dcd7912a9c7e99068f4a1787f6.exe	28
PID 1392 wrote to memory of 1156	1392	5a500641b54b434d13251592dae967c29a42c2dcd7912a9c7e99068f4a1787f6.exe	28
PID 1392 wrote to memory of 1156	1392	5a500641b54b434d13251592dae967c29a42c2dcd7912a9c7e99068f4a1787f6.exe	28
PID 1392 wrote to memory of 1156	1392	5a500641b54b434d13251592dae967c29a42c2dcd7912a9c7e99068f4a1787f6.exe	28
PID 1392 wrote to memory of 1156	1392	5a500641b54b434d13251592dae967c29a42c2dcd7912a9c7e99068f4a1787f6.exe	28
PID 1392 wrote to memory of 1156	1392	5a500641b54b434d13251592dae967c29a42c2dcd7912a9c7e99068f4a1787f6.exe	28
PID 1156 wrote to memory of 1068	1156	5a500641b54b434d13251592dae967c29a42c2dcd7912a9c7e99068f4a1787f6.exe	29
PID 1156 wrote to memory of 1068	1156	5a500641b54b434d13251592dae967c29a42c2dcd7912a9c7e99068f4a1787f6.exe	29
PID 1156 wrote to memory of 1068	1156	5a500641b54b434d13251592dae967c29a42c2dcd7912a9c7e99068f4a1787f6.exe	29
PID 1156 wrote to memory of 1068	1156	5a500641b54b434d13251592dae967c29a42c2dcd7912a9c7e99068f4a1787f6.exe	29
PID 1156 wrote to memory of 1272	1156	5a500641b54b434d13251592dae967c29a42c2dcd7912a9c7e99068f4a1787f6.exe	14
PID 1156 wrote to memory of 1272	1156	5a500641b54b434d13251592dae967c29a42c2dcd7912a9c7e99068f4a1787f6.exe	14

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1272
- C:\Users\Admin\AppData\Local\Temp\5a500641b54b434d13251592dae967c29a42c2dcd7912a9c7e99068f4a1787f6.exe
  "C:\Users\Admin\AppData\Local\Temp\5a500641b54b434d13251592dae967c29a42c2dcd7912a9c7e99068f4a1787f6.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1392
- - C:\Users\Admin\AppData\Local\Temp\5a500641b54b434d13251592dae967c29a42c2dcd7912a9c7e99068f4a1787f6.exe
    "C:\Users\Admin\AppData\Local\Temp\5a500641b54b434d13251592dae967c29a42c2dcd7912a9c7e99068f4a1787f6.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1156
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\\6747145~.bat"
      4⤵
      Deletes itself
      PID:1068

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6747145~.bat

Filesize
205B

MD5
5b022538843e800893516a47b8eb2500

SHA1
5440a50be0588b925f60e0bb8963e71853eac13d

SHA256
723a185c98f3a2031c1bcfbab752a3f81abb5e3c96bd4acca0113aaff5299f4e

SHA512
916bac3ef566d2edff820b02a240ed726876f444a4ab35fc1983d7482b6ef8c635ff29013013c2260b1d0832e6d3b93aebe861e219853fc7aae8c2ea7a28aaf0

Download Submit
memory/1156-56-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1156-59-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1156-60-0x00000000766F1000-0x00000000766F3000-memory.dmp

Filesize
8KB

Download
memory/1156-62-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1272-64-0x0000000073C60000-0x0000000073C80000-memory.dmp

Filesize
128KB

Download
memory/1272-65-0x0000000073C60000-0x0000000073C80000-memory.dmp

Filesize
128KB

Download