c9b749c947f06098b8f41e0064e33dd470f26943f9292a0d56dd1295162c7434

Analysis

max time kernel
41s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01-12-2022 09:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c9b749c947f06098b8f41e0064e33dd470f26943f9292a0d56dd1295162c7434.exe
Size

20KB
MD5

d704e6a597ec32e32681c936f8721efc
SHA1

204256008637106f893c1215c4585f6566c0420b
SHA256

c9b749c947f06098b8f41e0064e33dd470f26943f9292a0d56dd1295162c7434
SHA512

ba48e4afb23ceeda08747d20f8d3b98c56bdaaa28c456c405a0f23d01c24272f6956c7bdac0c5c48002c019b75773f0788f5e622516f686c0f77a7360452d1c7
SSDEEP

384:uDL2pWLIJfR1c0mSXURN5vy2N1iXWFcdQt/ujT5BFZ49/1gCRMS:uHduU0bERNE2SWF066bFZM1

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1376	WinHrgd32.exe

Deletes itself 1 IoCs

pid	Process
336	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1760	c9b749c947f06098b8f41e0064e33dd470f26943f9292a0d56dd1295162c7434.exe
1760	c9b749c947f06098b8f41e0064e33dd470f26943f9292a0d56dd1295162c7434.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WinHrgd32.exe	c9b749c947f06098b8f41e0064e33dd470f26943f9292a0d56dd1295162c7434.exe
File opened for modification	C:\Windows\SysWOW64\WinHrgd32.exe	c9b749c947f06098b8f41e0064e33dd470f26943f9292a0d56dd1295162c7434.exe
File created	C:\Windows\SysWOW64\WinHrgd32.exe	WinHrgd32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1760	c9b749c947f06098b8f41e0064e33dd470f26943f9292a0d56dd1295162c7434.exe
Token: SeIncBasePriorityPrivilege	1376	WinHrgd32.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1760 wrote to memory of 1376	1760	c9b749c947f06098b8f41e0064e33dd470f26943f9292a0d56dd1295162c7434.exe	28
PID 1760 wrote to memory of 1376	1760	c9b749c947f06098b8f41e0064e33dd470f26943f9292a0d56dd1295162c7434.exe	28
PID 1760 wrote to memory of 1376	1760	c9b749c947f06098b8f41e0064e33dd470f26943f9292a0d56dd1295162c7434.exe	28
PID 1760 wrote to memory of 1376	1760	c9b749c947f06098b8f41e0064e33dd470f26943f9292a0d56dd1295162c7434.exe	28
PID 1760 wrote to memory of 336	1760	c9b749c947f06098b8f41e0064e33dd470f26943f9292a0d56dd1295162c7434.exe	30
PID 1760 wrote to memory of 336	1760	c9b749c947f06098b8f41e0064e33dd470f26943f9292a0d56dd1295162c7434.exe	30
PID 1760 wrote to memory of 336	1760	c9b749c947f06098b8f41e0064e33dd470f26943f9292a0d56dd1295162c7434.exe	30
PID 1760 wrote to memory of 336	1760	c9b749c947f06098b8f41e0064e33dd470f26943f9292a0d56dd1295162c7434.exe	30
PID 1376 wrote to memory of 1552	1376	WinHrgd32.exe	29
PID 1376 wrote to memory of 1552	1376	WinHrgd32.exe	29
PID 1376 wrote to memory of 1552	1376	WinHrgd32.exe	29
PID 1376 wrote to memory of 1552	1376	WinHrgd32.exe	29

C:\Users\Admin\AppData\Local\Temp\c9b749c947f06098b8f41e0064e33dd470f26943f9292a0d56dd1295162c7434.exe
"C:\Users\Admin\AppData\Local\Temp\c9b749c947f06098b8f41e0064e33dd470f26943f9292a0d56dd1295162c7434.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Windows\SysWOW64\WinHrgd32.exe
  "C:\Windows\system32\WinHrgd32.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1376
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\WINHRG~1.EXE > nul
    3⤵
    PID:1552
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C9B749~1.EXE > nul
  2⤵
  - Deletes itself
  PID:336

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\WinHrgd32.exe

Filesize
20KB

MD5
d704e6a597ec32e32681c936f8721efc

SHA1
204256008637106f893c1215c4585f6566c0420b

SHA256
c9b749c947f06098b8f41e0064e33dd470f26943f9292a0d56dd1295162c7434

SHA512
ba48e4afb23ceeda08747d20f8d3b98c56bdaaa28c456c405a0f23d01c24272f6956c7bdac0c5c48002c019b75773f0788f5e622516f686c0f77a7360452d1c7

Download Submit
C:\Windows\SysWOW64\WinHrgd32.exe

Filesize
20KB

MD5
d704e6a597ec32e32681c936f8721efc

SHA1
204256008637106f893c1215c4585f6566c0420b

SHA256
c9b749c947f06098b8f41e0064e33dd470f26943f9292a0d56dd1295162c7434

SHA512
ba48e4afb23ceeda08747d20f8d3b98c56bdaaa28c456c405a0f23d01c24272f6956c7bdac0c5c48002c019b75773f0788f5e622516f686c0f77a7360452d1c7

Download Submit
\Windows\SysWOW64\WinHrgd32.exe

Filesize
20KB

MD5
d704e6a597ec32e32681c936f8721efc

SHA1
204256008637106f893c1215c4585f6566c0420b

SHA256
c9b749c947f06098b8f41e0064e33dd470f26943f9292a0d56dd1295162c7434

SHA512
ba48e4afb23ceeda08747d20f8d3b98c56bdaaa28c456c405a0f23d01c24272f6956c7bdac0c5c48002c019b75773f0788f5e622516f686c0f77a7360452d1c7

Download Submit
\Windows\SysWOW64\WinHrgd32.exe

Filesize
20KB

MD5
d704e6a597ec32e32681c936f8721efc

SHA1
204256008637106f893c1215c4585f6566c0420b

SHA256
c9b749c947f06098b8f41e0064e33dd470f26943f9292a0d56dd1295162c7434

SHA512
ba48e4afb23ceeda08747d20f8d3b98c56bdaaa28c456c405a0f23d01c24272f6956c7bdac0c5c48002c019b75773f0788f5e622516f686c0f77a7360452d1c7

Download Submit
memory/336-61-0x0000000000000000-mapping.dmp

Download
memory/1376-57-0x0000000000000000-mapping.dmp

Download
memory/1552-62-0x0000000000000000-mapping.dmp

Download
memory/1760-54-0x0000000075C51000-0x0000000075C53000-memory.dmp

Filesize
8KB

Download