c304fd7acf7fcb3dbab840f1d6dc0388d19627918e417ee9b6d60dc80c042359

Analysis

max time kernel
44s
max time network
48s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 18:12

Target

c304fd7acf7fcb3dbab840f1d6dc0388d19627918e417ee9b6d60dc80c042359.exe
Size

750KB
MD5

d132515ab0fa06aa8a76295ec05b099d
SHA1

bc990d1c866045dd8254be01a2021c2fc54030fa
SHA256

c304fd7acf7fcb3dbab840f1d6dc0388d19627918e417ee9b6d60dc80c042359
SHA512

933f82a9e535f79028fd41f61b583be0ef710afea3f275a6a69d5c69d053e2c7a4eba4569e4286a51b998335e5c9417fcecb18420a424539ad5eb5082aca2145
SSDEEP

12288:HRn8S++U4u/n/8ZdW5A0zyo6JwQ5oAlK+GEHvZ+IkZwQQ52LYRgVpLPwPRtA:x8MU4ufMdW5A2mJr/kWHvsIkZXNU

Score

8^/10

Executes dropped EXE 1 IoCs

pid	Process
1312	help.com

Deletes itself 1 IoCs

pid	Process
320	cmd.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ieapfltr.dat	c304fd7acf7fcb3dbab840f1d6dc0388d19627918e417ee9b6d60dc80c042359.exe
File created	C:\Windows\SysWOW64\help.com	c304fd7acf7fcb3dbab840f1d6dc0388d19627918e417ee9b6d60dc80c042359.exe
File opened for modification	C:\Windows\SysWOW64\help.com	c304fd7acf7fcb3dbab840f1d6dc0388d19627918e417ee9b6d60dc80c042359.exe
File opened for modification	C:\Windows\SysWOW64\ieapfltr.dat	help.com
File opened for modification	C:\Windows\SysWOW64\help.com	help.com

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\61642520.BAT	c304fd7acf7fcb3dbab840f1d6dc0388d19627918e417ee9b6d60dc80c042359.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	620	c304fd7acf7fcb3dbab840f1d6dc0388d19627918e417ee9b6d60dc80c042359.exe
Token: SeDebugPrivilege	1312	help.com

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 620 wrote to memory of 320	620	c304fd7acf7fcb3dbab840f1d6dc0388d19627918e417ee9b6d60dc80c042359.exe	28
PID 620 wrote to memory of 320	620	c304fd7acf7fcb3dbab840f1d6dc0388d19627918e417ee9b6d60dc80c042359.exe	28
PID 620 wrote to memory of 320	620	c304fd7acf7fcb3dbab840f1d6dc0388d19627918e417ee9b6d60dc80c042359.exe	28
PID 620 wrote to memory of 320	620	c304fd7acf7fcb3dbab840f1d6dc0388d19627918e417ee9b6d60dc80c042359.exe	28

C:\Users\Admin\AppData\Local\Temp\c304fd7acf7fcb3dbab840f1d6dc0388d19627918e417ee9b6d60dc80c042359.exe
"C:\Users\Admin\AppData\Local\Temp\c304fd7acf7fcb3dbab840f1d6dc0388d19627918e417ee9b6d60dc80c042359.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:620
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\61642520.BAT
  2⤵
  - Deletes itself
  PID:320

C:\Windows\61642520.BAT

Filesize
254B

MD5
bd92d6d554005f7d487b297afa1bfe09

SHA1
aa96f1313ea186ff8ea56741a47be24c8d0a8110

SHA256
038b936437713de363202d894698dc65df4da01010420adb4a9322f5b5d6166e

SHA512
3dca7d3be289289399bf428315e414c4a84be8acacc96a55fb17c47c9d40089e24e30b31cf83194d4a53f1b7573e6d2e2cdf44029fede5c0e7c9d1706db9b336

Download Submit
C:\Windows\SysWOW64\help.com

Filesize
750KB

MD5
d132515ab0fa06aa8a76295ec05b099d

SHA1
bc990d1c866045dd8254be01a2021c2fc54030fa

SHA256
c304fd7acf7fcb3dbab840f1d6dc0388d19627918e417ee9b6d60dc80c042359

SHA512
933f82a9e535f79028fd41f61b583be0ef710afea3f275a6a69d5c69d053e2c7a4eba4569e4286a51b998335e5c9417fcecb18420a424539ad5eb5082aca2145

Download Submit
C:\Windows\SysWOW64\help.com

Filesize
750KB

MD5
d132515ab0fa06aa8a76295ec05b099d

SHA1
bc990d1c866045dd8254be01a2021c2fc54030fa

SHA256
c304fd7acf7fcb3dbab840f1d6dc0388d19627918e417ee9b6d60dc80c042359

SHA512
933f82a9e535f79028fd41f61b583be0ef710afea3f275a6a69d5c69d053e2c7a4eba4569e4286a51b998335e5c9417fcecb18420a424539ad5eb5082aca2145

Download Submit
memory/620-54-0x0000000075711000-0x0000000075713000-memory.dmp

Filesize
8KB

Download
memory/620-55-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/1312-58-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download