f81711fedaca0d5dd7d79b39a35ff9b2f5468aad9ef79e5f10c0d37118c299bd

Analysis

max time kernel
4s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05-12-2022 05:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f81711fedaca0d5dd7d79b39a35ff9b2f5468aad9ef79e5f10c0d37118c299bd.exe
Size

30KB
MD5

dacab60858c84d529330b9951b4342c6
SHA1

32291cde0ebddfa71fd8d2f226b8fa8ab954b8d2
SHA256

f81711fedaca0d5dd7d79b39a35ff9b2f5468aad9ef79e5f10c0d37118c299bd
SHA512

4e00640081f0087420d642baf34353123809e5a9662eee42dd8b533d4b9e3bfc20be09101a14a015b7473d447b6fc7d7996dfb56b9631826f0458d1d49c8bd76
SSDEEP

768:0T4wO+LokS0JARrVibDdPNfLxdGGVRSnZj5gY:UOaqrVSfq55

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1632	asd.exe

Loads dropped DLL 2 IoCs

pid	Process
2008	f81711fedaca0d5dd7d79b39a35ff9b2f5468aad9ef79e5f10c0d37118c299bd.exe
2008	f81711fedaca0d5dd7d79b39a35ff9b2f5468aad9ef79e5f10c0d37118c299bd.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\asd.exe	f81711fedaca0d5dd7d79b39a35ff9b2f5468aad9ef79e5f10c0d37118c299bd.exe
File opened for modification	C:\Windows\SysWOW64\asd.exe	f81711fedaca0d5dd7d79b39a35ff9b2f5468aad9ef79e5f10c0d37118c299bd.exe
File created	C:\Windows\SysWOW64\asd.exe	asd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2008	f81711fedaca0d5dd7d79b39a35ff9b2f5468aad9ef79e5f10c0d37118c299bd.exe
Token: SeIncBasePriorityPrivilege	1632	asd.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 1632	2008	f81711fedaca0d5dd7d79b39a35ff9b2f5468aad9ef79e5f10c0d37118c299bd.exe	27
PID 2008 wrote to memory of 1632	2008	f81711fedaca0d5dd7d79b39a35ff9b2f5468aad9ef79e5f10c0d37118c299bd.exe	27
PID 2008 wrote to memory of 1632	2008	f81711fedaca0d5dd7d79b39a35ff9b2f5468aad9ef79e5f10c0d37118c299bd.exe	27
PID 2008 wrote to memory of 1632	2008	f81711fedaca0d5dd7d79b39a35ff9b2f5468aad9ef79e5f10c0d37118c299bd.exe	27

C:\Users\Admin\AppData\Local\Temp\f81711fedaca0d5dd7d79b39a35ff9b2f5468aad9ef79e5f10c0d37118c299bd.exe
"C:\Users\Admin\AppData\Local\Temp\f81711fedaca0d5dd7d79b39a35ff9b2f5468aad9ef79e5f10c0d37118c299bd.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Windows\SysWOW64\asd.exe
  "C:\Windows\system32\asd.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:1632
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /C del C:\Windows\SysWOW64\asd.exe > nul
    3⤵
    PID:1092
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C del C:\Users\Admin\AppData\Local\Temp\F81711~1.EXE > nul
  2⤵
  PID:988

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\asd.exe

Filesize
30KB

MD5
dacab60858c84d529330b9951b4342c6

SHA1
32291cde0ebddfa71fd8d2f226b8fa8ab954b8d2

SHA256
f81711fedaca0d5dd7d79b39a35ff9b2f5468aad9ef79e5f10c0d37118c299bd

SHA512
4e00640081f0087420d642baf34353123809e5a9662eee42dd8b533d4b9e3bfc20be09101a14a015b7473d447b6fc7d7996dfb56b9631826f0458d1d49c8bd76

Download Submit
C:\Windows\SysWOW64\asd.exe

Filesize
30KB

MD5
dacab60858c84d529330b9951b4342c6

SHA1
32291cde0ebddfa71fd8d2f226b8fa8ab954b8d2

SHA256
f81711fedaca0d5dd7d79b39a35ff9b2f5468aad9ef79e5f10c0d37118c299bd

SHA512
4e00640081f0087420d642baf34353123809e5a9662eee42dd8b533d4b9e3bfc20be09101a14a015b7473d447b6fc7d7996dfb56b9631826f0458d1d49c8bd76

Download Submit
\Windows\SysWOW64\asd.exe

Filesize
30KB

MD5
dacab60858c84d529330b9951b4342c6

SHA1
32291cde0ebddfa71fd8d2f226b8fa8ab954b8d2

SHA256
f81711fedaca0d5dd7d79b39a35ff9b2f5468aad9ef79e5f10c0d37118c299bd

SHA512
4e00640081f0087420d642baf34353123809e5a9662eee42dd8b533d4b9e3bfc20be09101a14a015b7473d447b6fc7d7996dfb56b9631826f0458d1d49c8bd76

Download Submit
\Windows\SysWOW64\asd.exe

Filesize
30KB

MD5
dacab60858c84d529330b9951b4342c6

SHA1
32291cde0ebddfa71fd8d2f226b8fa8ab954b8d2

SHA256
f81711fedaca0d5dd7d79b39a35ff9b2f5468aad9ef79e5f10c0d37118c299bd

SHA512
4e00640081f0087420d642baf34353123809e5a9662eee42dd8b533d4b9e3bfc20be09101a14a015b7473d447b6fc7d7996dfb56b9631826f0458d1d49c8bd76

Download Submit
memory/1632-57-0x0000000000000000-mapping.dmp

Download
memory/2008-54-0x00000000761F1000-0x00000000761F3000-memory.dmp

Filesize
8KB

Download