bd9d0c1b9a79866886cb7ad8dfeb2b4cc6c45b6d4e592e6ba1250021200f1524

Analysis

max time kernel
131s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2022 05:24

Target

bd9d0c1b9a79866886cb7ad8dfeb2b4cc6c45b6d4e592e6ba1250021200f1524.exe
Size

31KB
MD5

e05a1388921c8d11e9197bfb33db5505
SHA1

02d1c94e019d52b95686c122a67e4bf6290c4af0
SHA256

bd9d0c1b9a79866886cb7ad8dfeb2b4cc6c45b6d4e592e6ba1250021200f1524
SHA512

5dbeeea29ff0867e1cc394ecc0aaef86cf42b9196790557708c02118c8addfb81c69cfc1087dffa96c3bbaac9d64e410d8df2df6458652d584c2d02fe8f4ae58
SSDEEP

768:NZ9jOK9WHaRbvOzjBj+86Jh49kPDeOuM3cRQSv+mch:N3OIW6RbOzjx+PJgkPDWRRQU+f

Score

8^/10

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Drivers\usbinite.sys	nrpasonm.exe

Executes dropped EXE 1 IoCs

pid	Process
3848	nrpasonm.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4788	svchost.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3848	nrpasonm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3388	bd9d0c1b9a79866886cb7ad8dfeb2b4cc6c45b6d4e592e6ba1250021200f1524.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3388 wrote to memory of 3848	3388	bd9d0c1b9a79866886cb7ad8dfeb2b4cc6c45b6d4e592e6ba1250021200f1524.exe	80
PID 3388 wrote to memory of 3848	3388	bd9d0c1b9a79866886cb7ad8dfeb2b4cc6c45b6d4e592e6ba1250021200f1524.exe	80
PID 3388 wrote to memory of 3848	3388	bd9d0c1b9a79866886cb7ad8dfeb2b4cc6c45b6d4e592e6ba1250021200f1524.exe	80
PID 3848 wrote to memory of 816	3848	nrpasonm.exe	10
PID 3848 wrote to memory of 816	3848	nrpasonm.exe	10
PID 3388 wrote to memory of 4896	3388	bd9d0c1b9a79866886cb7ad8dfeb2b4cc6c45b6d4e592e6ba1250021200f1524.exe	81
PID 3388 wrote to memory of 4896	3388	bd9d0c1b9a79866886cb7ad8dfeb2b4cc6c45b6d4e592e6ba1250021200f1524.exe	81
PID 3388 wrote to memory of 4896	3388	bd9d0c1b9a79866886cb7ad8dfeb2b4cc6c45b6d4e592e6ba1250021200f1524.exe	81

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:816

C:\Users\Admin\AppData\Local\Temp\bd9d0c1b9a79866886cb7ad8dfeb2b4cc6c45b6d4e592e6ba1250021200f1524.exe
"C:\Users\Admin\AppData\Local\Temp\bd9d0c1b9a79866886cb7ad8dfeb2b4cc6c45b6d4e592e6ba1250021200f1524.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3388
- C:\Users\Admin\AppData\Local\Temp\nrpasonm.exe
  C:\Users\Admin\AppData\Local\Temp\nrpasonm
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3848
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\1.bat
  2⤵
  PID:4896

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:1932

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
- Suspicious behavior: AddClipboardFormatListener
PID:4788

C:\Users\Admin\AppData\Local\Temp\1.bat

Filesize
154B

MD5
2a29db6ab0e9e590db8d7916a1e5d65c

SHA1
185e172a5e1b9c8cad33c8b11e86522404480680

SHA256
e42937bfe0299b57b29520c7652170f9122f23d21df9e1e40a517396c67baf20

SHA512
76651a8094149f419babbc914fc34751e0ce584dfb41e67dcb3e39b9bbb8125f9e8851451517ede8ea4b40f6692f43ccc0f3453cf46fede85846b4ec2f6917a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nrpasonm.exe

Filesize
27KB

MD5
ca5c0412dd42100988e91e5d1303af53

SHA1
914e7419e45f57c224001a5314bb04983e5590c9

SHA256
f5c813c4b676786a9304ff45ef8971ce183a472a59e5a70a2e8cd3635a24f0b8

SHA512
d98e744312841f745de89dcb5c59bf5ef495fe99e34f2e95858bd788c821bb310a960298f80af0dc4b59af616159887477daf236de562df285c93fff7daf55ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\nrpasonm.exe

Filesize
27KB

MD5
ca5c0412dd42100988e91e5d1303af53

SHA1
914e7419e45f57c224001a5314bb04983e5590c9

SHA256
f5c813c4b676786a9304ff45ef8971ce183a472a59e5a70a2e8cd3635a24f0b8

SHA512
d98e744312841f745de89dcb5c59bf5ef495fe99e34f2e95858bd788c821bb310a960298f80af0dc4b59af616159887477daf236de562df285c93fff7daf55ea

Download Submit
memory/3848-134-0x0000000000000000-mapping.dmp

Download
memory/4896-137-0x0000000000000000-mapping.dmp

Download