af61d6c0d7d36d9b28a053d293a659856e8bcf398d1c9813dbf0eb6ad7197102

Analysis

max time kernel
60s
max time network
61s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
04/12/2022, 11:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af61d6c0d7d36d9b28a053d293a659856e8bcf398d1c9813dbf0eb6ad7197102.exe
Size

459KB
MD5

12c26f36270d75f6c6f5459017a452ee
SHA1

1297187b96c2b364d7ff6f04c31d9f2efc65a84a
SHA256

af61d6c0d7d36d9b28a053d293a659856e8bcf398d1c9813dbf0eb6ad7197102
SHA512

58cdcdc8b6452868e1cc9dc007dea35c87f1b0ae55d5123ad4122a88606d936689f5f18a5bdd876927f215c78f1283aa1d6bb5e418becca6e834ab95a59f3787
SSDEEP

12288:QEJc3NtO7cP9wzlVVBnDrmOdxZzukO9VmBCB+:AtOAyzzvn+4kkyV+

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1628	xtjbsatzvegxca.exe

Loads dropped DLL 2 IoCs

pid	Process
844	af61d6c0d7d36d9b28a053d293a659856e8bcf398d1c9813dbf0eb6ad7197102.exe
844	af61d6c0d7d36d9b28a053d293a659856e8bcf398d1c9813dbf0eb6ad7197102.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1628	xtjbsatzvegxca.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1628	xtjbsatzvegxca.exe
1628	xtjbsatzvegxca.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 844 wrote to memory of 1628	844	af61d6c0d7d36d9b28a053d293a659856e8bcf398d1c9813dbf0eb6ad7197102.exe	28
PID 844 wrote to memory of 1628	844	af61d6c0d7d36d9b28a053d293a659856e8bcf398d1c9813dbf0eb6ad7197102.exe	28
PID 844 wrote to memory of 1628	844	af61d6c0d7d36d9b28a053d293a659856e8bcf398d1c9813dbf0eb6ad7197102.exe	28
PID 844 wrote to memory of 1628	844	af61d6c0d7d36d9b28a053d293a659856e8bcf398d1c9813dbf0eb6ad7197102.exe	28

C:\Users\Admin\AppData\Local\Temp\af61d6c0d7d36d9b28a053d293a659856e8bcf398d1c9813dbf0eb6ad7197102.exe
"C:\Users\Admin\AppData\Local\Temp\af61d6c0d7d36d9b28a053d293a659856e8bcf398d1c9813dbf0eb6ad7197102.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:844
- C:\Users\Admin\AppData\Local\Temp\dddslgczsldg\xtjbsatzvegxca.exe
  "C:\Users\Admin\AppData\Local\Temp\dddslgczsldg\xtjbsatzvegxca.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1628

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dddslgczsldg\parent.txt

Filesize
459KB

MD5
12c26f36270d75f6c6f5459017a452ee

SHA1
1297187b96c2b364d7ff6f04c31d9f2efc65a84a

SHA256
af61d6c0d7d36d9b28a053d293a659856e8bcf398d1c9813dbf0eb6ad7197102

SHA512
58cdcdc8b6452868e1cc9dc007dea35c87f1b0ae55d5123ad4122a88606d936689f5f18a5bdd876927f215c78f1283aa1d6bb5e418becca6e834ab95a59f3787

Download Submit
C:\Users\Admin\AppData\Local\Temp\dddslgczsldg\xtjbsatzvegxca.exe

Filesize
7KB

MD5
3b1d3da580167781b8c3e1d3d4e1d0a4

SHA1
7a85968bc68d12650c16d3a85a20b92a8a51fa23

SHA256
5f1e1653439acfbaba0e04c7464032ce7e3c42fffadba9ddb5ccc9441ec73114

SHA512
6e1a602a73eb1d16ea458b3af59951c6c390b972396f2a57ef4b544c4dbee125c8f083bd5f0af6531c575d79ef79f23fd94ff95d8dc9eeb3129c4bf3e198c86c

Download Submit
C:\Users\Admin\AppData\Local\Temp\dddslgczsldg\xtjbsatzvegxca.exe

Filesize
7KB

MD5
3b1d3da580167781b8c3e1d3d4e1d0a4

SHA1
7a85968bc68d12650c16d3a85a20b92a8a51fa23

SHA256
5f1e1653439acfbaba0e04c7464032ce7e3c42fffadba9ddb5ccc9441ec73114

SHA512
6e1a602a73eb1d16ea458b3af59951c6c390b972396f2a57ef4b544c4dbee125c8f083bd5f0af6531c575d79ef79f23fd94ff95d8dc9eeb3129c4bf3e198c86c

Download Submit
\Users\Admin\AppData\Local\Temp\dddslgczsldg\xtjbsatzvegxca.exe

Filesize
7KB

MD5
3b1d3da580167781b8c3e1d3d4e1d0a4

SHA1
7a85968bc68d12650c16d3a85a20b92a8a51fa23

SHA256
5f1e1653439acfbaba0e04c7464032ce7e3c42fffadba9ddb5ccc9441ec73114

SHA512
6e1a602a73eb1d16ea458b3af59951c6c390b972396f2a57ef4b544c4dbee125c8f083bd5f0af6531c575d79ef79f23fd94ff95d8dc9eeb3129c4bf3e198c86c

Download Submit
\Users\Admin\AppData\Local\Temp\dddslgczsldg\xtjbsatzvegxca.exe

Filesize
7KB

MD5
3b1d3da580167781b8c3e1d3d4e1d0a4

SHA1
7a85968bc68d12650c16d3a85a20b92a8a51fa23

SHA256
5f1e1653439acfbaba0e04c7464032ce7e3c42fffadba9ddb5ccc9441ec73114

SHA512
6e1a602a73eb1d16ea458b3af59951c6c390b972396f2a57ef4b544c4dbee125c8f083bd5f0af6531c575d79ef79f23fd94ff95d8dc9eeb3129c4bf3e198c86c

Download Submit
memory/1628-59-0x000007FEF34D0000-0x000007FEF3EF3000-memory.dmp

Filesize
10.1MB

Download
memory/1628-60-0x000007FEF1DF0000-0x000007FEF2E86000-memory.dmp

Filesize
16.6MB

Download
memory/1628-61-0x000007FEFB8A1000-0x000007FEFB8A3000-memory.dmp

Filesize
8KB

Download