f2dc2850ed9cbf5327c4bd91860df1070ff8e58d1e704128b4fa439efc4dfa3e

Analysis

max time kernel
129s
max time network
171s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2022 18:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f2dc2850ed9cbf5327c4bd91860df1070ff8e58d1e704128b4fa439efc4dfa3e.exe
Size

288KB
MD5

6d7a316f9c502dba3d465c05e715e25f
SHA1

632b20a2d76ec12676c6f95fb181c13ce2bdbe43
SHA256

f2dc2850ed9cbf5327c4bd91860df1070ff8e58d1e704128b4fa439efc4dfa3e
SHA512

bb92be1de1c51a9e141b06943d74c64346a88d90f979956356ac23e36e91adf75160ac09314c310d05bb2c873d8757c3d167a82925dd177f61333d50b95a4f64
SSDEEP

3072:WF5xe8JzDGCfu+z4Ql1vMT3tPR5dwygI6+XGPDd4kwCEWdEwTaUjI0YFz:Q/ZtZfu+jl1UTdPRLKIvXGPDXFI0YF

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
5036	smlogse.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5036 set thread context of 3672	5036	smlogse.exe	84

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\smlogse.exe	f2dc2850ed9cbf5327c4bd91860df1070ff8e58d1e704128b4fa439efc4dfa3e.exe
File created	C:\Program Files\smlogse.exe	f2dc2850ed9cbf5327c4bd91860df1070ff8e58d1e704128b4fa439efc4dfa3e.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3604	f2dc2850ed9cbf5327c4bd91860df1070ff8e58d1e704128b4fa439efc4dfa3e.exe
Token: SeDebugPrivilege	5036	smlogse.exe
Token: SeDebugPrivilege	3672	userinit.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3604 wrote to memory of 5036	3604	f2dc2850ed9cbf5327c4bd91860df1070ff8e58d1e704128b4fa439efc4dfa3e.exe	83
PID 3604 wrote to memory of 5036	3604	f2dc2850ed9cbf5327c4bd91860df1070ff8e58d1e704128b4fa439efc4dfa3e.exe	83
PID 3604 wrote to memory of 5036	3604	f2dc2850ed9cbf5327c4bd91860df1070ff8e58d1e704128b4fa439efc4dfa3e.exe	83
PID 5036 wrote to memory of 3672	5036	smlogse.exe	84
PID 5036 wrote to memory of 3672	5036	smlogse.exe	84
PID 5036 wrote to memory of 3672	5036	smlogse.exe	84
PID 5036 wrote to memory of 3672	5036	smlogse.exe	84
PID 5036 wrote to memory of 3672	5036	smlogse.exe	84
PID 3604 wrote to memory of 4848	3604	f2dc2850ed9cbf5327c4bd91860df1070ff8e58d1e704128b4fa439efc4dfa3e.exe	85
PID 3604 wrote to memory of 4848	3604	f2dc2850ed9cbf5327c4bd91860df1070ff8e58d1e704128b4fa439efc4dfa3e.exe	85
PID 3604 wrote to memory of 4848	3604	f2dc2850ed9cbf5327c4bd91860df1070ff8e58d1e704128b4fa439efc4dfa3e.exe	85

C:\Users\Admin\AppData\Local\Temp\f2dc2850ed9cbf5327c4bd91860df1070ff8e58d1e704128b4fa439efc4dfa3e.exe
"C:\Users\Admin\AppData\Local\Temp\f2dc2850ed9cbf5327c4bd91860df1070ff8e58d1e704128b4fa439efc4dfa3e.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3604
- C:\Program Files\smlogse.exe
  "C:\Program Files\smlogse.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5036
- - C:\Windows\SysWOW64\userinit.exe
    C:\Windows\SYSTEM32\userinit.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3672
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\f2dc2850ed9cbf5327c4bd91860df1070ff8e58d1e704128b4fa439efc4dfa3e.exe"
  2⤵
  PID:4848

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\smlogse.exe

Filesize
288KB

MD5
6d7a316f9c502dba3d465c05e715e25f

SHA1
632b20a2d76ec12676c6f95fb181c13ce2bdbe43

SHA256
f2dc2850ed9cbf5327c4bd91860df1070ff8e58d1e704128b4fa439efc4dfa3e

SHA512
bb92be1de1c51a9e141b06943d74c64346a88d90f979956356ac23e36e91adf75160ac09314c310d05bb2c873d8757c3d167a82925dd177f61333d50b95a4f64

Download Submit
C:\Program Files\smlogse.exe

Filesize
288KB

MD5
6d7a316f9c502dba3d465c05e715e25f

SHA1
632b20a2d76ec12676c6f95fb181c13ce2bdbe43

SHA256
f2dc2850ed9cbf5327c4bd91860df1070ff8e58d1e704128b4fa439efc4dfa3e

SHA512
bb92be1de1c51a9e141b06943d74c64346a88d90f979956356ac23e36e91adf75160ac09314c310d05bb2c873d8757c3d167a82925dd177f61333d50b95a4f64

Download Submit
memory/3604-143-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download
memory/3604-135-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download
memory/3672-138-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download
memory/3672-137-0x0000000000000000-mapping.dmp

Download
memory/3672-141-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download
memory/3672-139-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download
memory/3672-144-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download
memory/4848-142-0x0000000000000000-mapping.dmp

Download
memory/5036-132-0x0000000000000000-mapping.dmp

Download
memory/5036-140-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download
memory/5036-136-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download