c3e86b5aaa7f282d38a7fed99b6f72c67d257fc5ca95358159b393828d54a70d

Analysis

max time kernel
113s
max time network
155s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
29-11-2022 13:55

Target

c3e86b5aaa7f282d38a7fed99b6f72c67d257fc5ca95358159b393828d54a70d.exe
Size

743KB
MD5

f3badf83a37d8d6c38d92fc54b6bae5a
SHA1

12af6d113eb40d9191fe6dd8eef99edc7fc35761
SHA256

c3e86b5aaa7f282d38a7fed99b6f72c67d257fc5ca95358159b393828d54a70d
SHA512

0990e1aa38253207c1d2b16fd14d0287e279b8282f326fd1588bc8bd31cccc40facbf97c776b62f33c330db4cec1ad15fdac048b67963f7d39fe79b7c400918b
SSDEEP

12288:kRyTSktU4g/n/t0EW5A0zyYvJwQ5oAlK+GE4vebIk6bQQ52LgRg08y5Hpnrz4:IStU4gf2EW5A2DJr/kS4vGIk6v3Hf

Score

8^/10

Executes dropped EXE 1 IoCs

pid	Process
860	123.exe

Deletes itself 1 IoCs

pid	Process
1500	cmd.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\uninstal.bat	c3e86b5aaa7f282d38a7fed99b6f72c67d257fc5ca95358159b393828d54a70d.exe
File created	C:\Windows\123.exe	c3e86b5aaa7f282d38a7fed99b6f72c67d257fc5ca95358159b393828d54a70d.exe
File opened for modification	C:\Windows\123.exe	c3e86b5aaa7f282d38a7fed99b6f72c67d257fc5ca95358159b393828d54a70d.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1324	c3e86b5aaa7f282d38a7fed99b6f72c67d257fc5ca95358159b393828d54a70d.exe
Token: SeDebugPrivilege	860	123.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
860	123.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 860 wrote to memory of 932	860	123.exe	29
PID 860 wrote to memory of 932	860	123.exe	29
PID 860 wrote to memory of 932	860	123.exe	29
PID 860 wrote to memory of 932	860	123.exe	29
PID 1324 wrote to memory of 1500	1324	c3e86b5aaa7f282d38a7fed99b6f72c67d257fc5ca95358159b393828d54a70d.exe	30
PID 1324 wrote to memory of 1500	1324	c3e86b5aaa7f282d38a7fed99b6f72c67d257fc5ca95358159b393828d54a70d.exe	30
PID 1324 wrote to memory of 1500	1324	c3e86b5aaa7f282d38a7fed99b6f72c67d257fc5ca95358159b393828d54a70d.exe	30
PID 1324 wrote to memory of 1500	1324	c3e86b5aaa7f282d38a7fed99b6f72c67d257fc5ca95358159b393828d54a70d.exe	30
PID 1324 wrote to memory of 1500	1324	c3e86b5aaa7f282d38a7fed99b6f72c67d257fc5ca95358159b393828d54a70d.exe	30
PID 1324 wrote to memory of 1500	1324	c3e86b5aaa7f282d38a7fed99b6f72c67d257fc5ca95358159b393828d54a70d.exe	30
PID 1324 wrote to memory of 1500	1324	c3e86b5aaa7f282d38a7fed99b6f72c67d257fc5ca95358159b393828d54a70d.exe	30

C:\Users\Admin\AppData\Local\Temp\c3e86b5aaa7f282d38a7fed99b6f72c67d257fc5ca95358159b393828d54a70d.exe
"C:\Users\Admin\AppData\Local\Temp\c3e86b5aaa7f282d38a7fed99b6f72c67d257fc5ca95358159b393828d54a70d.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1324
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\uninstal.bat
  2⤵
  - Deletes itself
  PID:1500

C:\Windows\123.exe
C:\Windows\123.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:860
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:932

C:\Windows\123.exe

Filesize
743KB

MD5
f3badf83a37d8d6c38d92fc54b6bae5a

SHA1
12af6d113eb40d9191fe6dd8eef99edc7fc35761

SHA256
c3e86b5aaa7f282d38a7fed99b6f72c67d257fc5ca95358159b393828d54a70d

SHA512
0990e1aa38253207c1d2b16fd14d0287e279b8282f326fd1588bc8bd31cccc40facbf97c776b62f33c330db4cec1ad15fdac048b67963f7d39fe79b7c400918b

Download Submit
C:\Windows\123.exe

Filesize
743KB

MD5
f3badf83a37d8d6c38d92fc54b6bae5a

SHA1
12af6d113eb40d9191fe6dd8eef99edc7fc35761

SHA256
c3e86b5aaa7f282d38a7fed99b6f72c67d257fc5ca95358159b393828d54a70d

SHA512
0990e1aa38253207c1d2b16fd14d0287e279b8282f326fd1588bc8bd31cccc40facbf97c776b62f33c330db4cec1ad15fdac048b67963f7d39fe79b7c400918b

Download Submit
C:\Windows\uninstal.bat

Filesize
254B

MD5
0246c23b42e3a092a0f9f24b7f1bf2b3

SHA1
7a39116f8a7c88fb0bc4f6a8695ba996ac0402c0

SHA256
c88c4e61dd7aa59ba9e318da28d7c01cb0ad397b137315e66668961129d212b9

SHA512
b1896a2cd2cbc6f4e177b1ad3f088835e853e81630bc852d3a885fcc922197321aa0408d02ed10a8b4a5cda8ff3475a07d1d00be5615366b4415366d5b9a0024

Download Submit
memory/1324-54-0x0000000074F01000-0x0000000074F03000-memory.dmp

Filesize
8KB

Download
memory/1500-58-0x0000000000000000-mapping.dmp

Download