f027d9b59f2e4b4d45ee101b8a91b8e738d2b51c0a9a5fc3faefd71faea126a6

Analysis

max time kernel
64s
max time network
75s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
04-12-2022 12:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f027d9b59f2e4b4d45ee101b8a91b8e738d2b51c0a9a5fc3faefd71faea126a6.exe
Size

97KB
MD5

f9cddad4e80cf5cd2cf51901810c5be1
SHA1

bdcfd2a712da59b61a38573c07e79aede1e805ec
SHA256

f027d9b59f2e4b4d45ee101b8a91b8e738d2b51c0a9a5fc3faefd71faea126a6
SHA512

53a5c48188e54cda064b02f8732c8483205ae380b67f3e5bcce1ca35826bfb0e63f3f09b19dac271db4b66937c276935c31823a145cc6b02840746301c6c2303
SSDEEP

1536:1gBJa29FUNUEeETS8UIihl3Y7vV1jLbCaL:1nKEeE27IihBu9

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
944	svchost.exe
932	Guarder.exe

Deletes itself 1 IoCs

pid	Process
944	svchost.exe

Loads dropped DLL 7 IoCs

pid	Process
536	f027d9b59f2e4b4d45ee101b8a91b8e738d2b51c0a9a5fc3faefd71faea126a6.exe
944	svchost.exe
1816	WerFault.exe
1816	WerFault.exe
1816	WerFault.exe
1816	WerFault.exe
1816	WerFault.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\Shared\Guarder.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\Shared\Record.dat	f027d9b59f2e4b4d45ee101b8a91b8e738d2b51c0a9a5fc3faefd71faea126a6.exe
File opened for modification	C:\Program Files (x86)\Common Files\Shared\svchost.exe	f027d9b59f2e4b4d45ee101b8a91b8e738d2b51c0a9a5fc3faefd71faea126a6.exe
File created	C:\Program Files (x86)\Common Files\Shared\svchost.exe	f027d9b59f2e4b4d45ee101b8a91b8e738d2b51c0a9a5fc3faefd71faea126a6.exe
File opened for modification	C:\Program Files (x86)\Common Files\Shared\RCXAC66.tmp	f027d9b59f2e4b4d45ee101b8a91b8e738d2b51c0a9a5fc3faefd71faea126a6.exe
File opened for modification	C:\Program Files (x86)\Common Files\Shared\Guarder.exe	svchost.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1816	944	WerFault.exe	28

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
536	f027d9b59f2e4b4d45ee101b8a91b8e738d2b51c0a9a5fc3faefd71faea126a6.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	932	Guarder.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
536	f027d9b59f2e4b4d45ee101b8a91b8e738d2b51c0a9a5fc3faefd71faea126a6.exe
944	svchost.exe
944	svchost.exe
932	Guarder.exe
932	Guarder.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 536 wrote to memory of 944	536	f027d9b59f2e4b4d45ee101b8a91b8e738d2b51c0a9a5fc3faefd71faea126a6.exe	28
PID 536 wrote to memory of 944	536	f027d9b59f2e4b4d45ee101b8a91b8e738d2b51c0a9a5fc3faefd71faea126a6.exe	28
PID 536 wrote to memory of 944	536	f027d9b59f2e4b4d45ee101b8a91b8e738d2b51c0a9a5fc3faefd71faea126a6.exe	28
PID 536 wrote to memory of 944	536	f027d9b59f2e4b4d45ee101b8a91b8e738d2b51c0a9a5fc3faefd71faea126a6.exe	28
PID 944 wrote to memory of 932	944	svchost.exe	29
PID 944 wrote to memory of 932	944	svchost.exe	29
PID 944 wrote to memory of 932	944	svchost.exe	29
PID 944 wrote to memory of 932	944	svchost.exe	29
PID 944 wrote to memory of 1816	944	svchost.exe	31
PID 944 wrote to memory of 1816	944	svchost.exe	31
PID 944 wrote to memory of 1816	944	svchost.exe	31
PID 944 wrote to memory of 1816	944	svchost.exe	31

C:\Users\Admin\AppData\Local\Temp\f027d9b59f2e4b4d45ee101b8a91b8e738d2b51c0a9a5fc3faefd71faea126a6.exe
"C:\Users\Admin\AppData\Local\Temp\f027d9b59f2e4b4d45ee101b8a91b8e738d2b51c0a9a5fc3faefd71faea126a6.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:536
- C:\Program Files (x86)\Common Files\Shared\svchost.exe
  "C:\Program Files (x86)\Common Files\Shared\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Deletes itself
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:944
- - C:\Program Files (x86)\Common Files\Shared\Guarder.exe
    944*C:\Program Files (x86)\Common Files\Shared\svchost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:932
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 944 -s 704
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1816

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\Shared\Guarder.exe

Filesize
4.1MB

MD5
8ebfbdd0cc4f11031ae1790aee588d90

SHA1
9885dfe203ed646c48219c483213aba75b1cb074

SHA256
b32f9c16d7efbec0c98307f41410a1c997c52f2048c28c82e734b42da7d0988d

SHA512
c3209bf70dfcd1ea40a6acc76859fb7acae9a93bcc343590f215c247d682704b3aac341be8ca058960fe6ece3a06391d2e7abae338c108be73d5d4139c59aa52

Download Submit
C:\Program Files (x86)\Common Files\Shared\Record.dat

Filesize
260B

MD5
f35a14a5eaf13bd03a4346ac522560d5

SHA1
606c203960ebe649b997625bb1b8c659fa7c0c93

SHA256
b2a214fe87a471daf6795d5b358e63d7cc3f968870effd29c87d7ff083edb25b

SHA512
ed2477fd30170f98fdd2ac27f5d7944cad71966fac5f5f17a624402f3f5357f2246937ab1aedb38e47a9bd799062c245df2206427814e33c24691bfa4317e82e

Download Submit
C:\Program Files (x86)\Common Files\Shared\svchost.exe

Filesize
4.1MB

MD5
8ebfbdd0cc4f11031ae1790aee588d90

SHA1
9885dfe203ed646c48219c483213aba75b1cb074

SHA256
b32f9c16d7efbec0c98307f41410a1c997c52f2048c28c82e734b42da7d0988d

SHA512
c3209bf70dfcd1ea40a6acc76859fb7acae9a93bcc343590f215c247d682704b3aac341be8ca058960fe6ece3a06391d2e7abae338c108be73d5d4139c59aa52

Download Submit
C:\Program Files (x86)\Common Files\Shared\svchost.exe

Filesize
4.1MB

MD5
8ebfbdd0cc4f11031ae1790aee588d90

SHA1
9885dfe203ed646c48219c483213aba75b1cb074

SHA256
b32f9c16d7efbec0c98307f41410a1c997c52f2048c28c82e734b42da7d0988d

SHA512
c3209bf70dfcd1ea40a6acc76859fb7acae9a93bcc343590f215c247d682704b3aac341be8ca058960fe6ece3a06391d2e7abae338c108be73d5d4139c59aa52

Download Submit
\Program Files (x86)\Common Files\Shared\Guarder.exe

Filesize
4.1MB

MD5
8ebfbdd0cc4f11031ae1790aee588d90

SHA1
9885dfe203ed646c48219c483213aba75b1cb074

SHA256
b32f9c16d7efbec0c98307f41410a1c997c52f2048c28c82e734b42da7d0988d

SHA512
c3209bf70dfcd1ea40a6acc76859fb7acae9a93bcc343590f215c247d682704b3aac341be8ca058960fe6ece3a06391d2e7abae338c108be73d5d4139c59aa52

Download Submit
\Program Files (x86)\Common Files\Shared\svchost.exe

Filesize
4.1MB

MD5
8ebfbdd0cc4f11031ae1790aee588d90

SHA1
9885dfe203ed646c48219c483213aba75b1cb074

SHA256
b32f9c16d7efbec0c98307f41410a1c997c52f2048c28c82e734b42da7d0988d

SHA512
c3209bf70dfcd1ea40a6acc76859fb7acae9a93bcc343590f215c247d682704b3aac341be8ca058960fe6ece3a06391d2e7abae338c108be73d5d4139c59aa52

Download Submit
\Program Files (x86)\Common Files\Shared\svchost.exe

Filesize
4.1MB

MD5
8ebfbdd0cc4f11031ae1790aee588d90

SHA1
9885dfe203ed646c48219c483213aba75b1cb074

SHA256
b32f9c16d7efbec0c98307f41410a1c997c52f2048c28c82e734b42da7d0988d

SHA512
c3209bf70dfcd1ea40a6acc76859fb7acae9a93bcc343590f215c247d682704b3aac341be8ca058960fe6ece3a06391d2e7abae338c108be73d5d4139c59aa52

Download Submit
\Program Files (x86)\Common Files\Shared\svchost.exe

Filesize
4.1MB

MD5
8ebfbdd0cc4f11031ae1790aee588d90

SHA1
9885dfe203ed646c48219c483213aba75b1cb074

SHA256
b32f9c16d7efbec0c98307f41410a1c997c52f2048c28c82e734b42da7d0988d

SHA512
c3209bf70dfcd1ea40a6acc76859fb7acae9a93bcc343590f215c247d682704b3aac341be8ca058960fe6ece3a06391d2e7abae338c108be73d5d4139c59aa52

Download Submit
\Program Files (x86)\Common Files\Shared\svchost.exe

Filesize
4.1MB

MD5
8ebfbdd0cc4f11031ae1790aee588d90

SHA1
9885dfe203ed646c48219c483213aba75b1cb074

SHA256
b32f9c16d7efbec0c98307f41410a1c997c52f2048c28c82e734b42da7d0988d

SHA512
c3209bf70dfcd1ea40a6acc76859fb7acae9a93bcc343590f215c247d682704b3aac341be8ca058960fe6ece3a06391d2e7abae338c108be73d5d4139c59aa52

Download Submit
\Program Files (x86)\Common Files\Shared\svchost.exe

Filesize
4.1MB

MD5
8ebfbdd0cc4f11031ae1790aee588d90

SHA1
9885dfe203ed646c48219c483213aba75b1cb074

SHA256
b32f9c16d7efbec0c98307f41410a1c997c52f2048c28c82e734b42da7d0988d

SHA512
c3209bf70dfcd1ea40a6acc76859fb7acae9a93bcc343590f215c247d682704b3aac341be8ca058960fe6ece3a06391d2e7abae338c108be73d5d4139c59aa52

Download Submit
\Program Files (x86)\Common Files\Shared\svchost.exe

Filesize
4.1MB

MD5
8ebfbdd0cc4f11031ae1790aee588d90

SHA1
9885dfe203ed646c48219c483213aba75b1cb074

SHA256
b32f9c16d7efbec0c98307f41410a1c997c52f2048c28c82e734b42da7d0988d

SHA512
c3209bf70dfcd1ea40a6acc76859fb7acae9a93bcc343590f215c247d682704b3aac341be8ca058960fe6ece3a06391d2e7abae338c108be73d5d4139c59aa52

Download Submit
memory/536-54-0x0000000075BA1000-0x0000000075BA3000-memory.dmp

Filesize
8KB

Download
memory/932-62-0x0000000000000000-mapping.dmp

Download
memory/944-56-0x0000000000000000-mapping.dmp

Download
memory/1816-65-0x0000000000000000-mapping.dmp

Download