c749e55b66e4df3e00b76da1261526a4214559e628e03e798119e7f4e25da87d

Analysis

max time kernel
34s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05-12-2022 06:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c749e55b66e4df3e00b76da1261526a4214559e628e03e798119e7f4e25da87d.exe
Size

65KB
MD5

feedc893ce5c9ab8d5e59556d27d541e
SHA1

33546366f26232ca9de23e2e39de4015c9ebd686
SHA256

c749e55b66e4df3e00b76da1261526a4214559e628e03e798119e7f4e25da87d
SHA512

7ca2bbd7a0773df30c9f2a8dbcf0b50dfe45acc9b3048a1e86d1f6813a8c0352cd02ef3176a1da6ba451d0c40e9da9e4e8b9e80518c492acaac7d2e605120653
SSDEEP

1536:prwwK31e28JNl6d7sdRmoeLOEX+fFXnCeMF:p0w4WlAaRHLEXOFXCeM

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1736	cmd.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Systen.dll	c749e55b66e4df3e00b76da1261526a4214559e628e03e798119e7f4e25da87d.exe
File opened for modification	C:\Windows\SysWOW64\Systen.dll	c749e55b66e4df3e00b76da1261526a4214559e628e03e798119e7f4e25da87d.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\135048.dll	c749e55b66e4df3e00b76da1261526a4214559e628e03e798119e7f4e25da87d.exe
File created	C:\Windows\140681.bat	c749e55b66e4df3e00b76da1261526a4214559e628e03e798119e7f4e25da87d.exe
File created	C:\Windows\130773.bat	c749e55b66e4df3e00b76da1261526a4214559e628e03e798119e7f4e25da87d.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
368	c749e55b66e4df3e00b76da1261526a4214559e628e03e798119e7f4e25da87d.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	368	c749e55b66e4df3e00b76da1261526a4214559e628e03e798119e7f4e25da87d.exe
Token: SeDebugPrivilege	368	c749e55b66e4df3e00b76da1261526a4214559e628e03e798119e7f4e25da87d.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 368 wrote to memory of 420	368	c749e55b66e4df3e00b76da1261526a4214559e628e03e798119e7f4e25da87d.exe	3
PID 368 wrote to memory of 912	368	c749e55b66e4df3e00b76da1261526a4214559e628e03e798119e7f4e25da87d.exe	27
PID 368 wrote to memory of 912	368	c749e55b66e4df3e00b76da1261526a4214559e628e03e798119e7f4e25da87d.exe	27
PID 368 wrote to memory of 912	368	c749e55b66e4df3e00b76da1261526a4214559e628e03e798119e7f4e25da87d.exe	27
PID 368 wrote to memory of 912	368	c749e55b66e4df3e00b76da1261526a4214559e628e03e798119e7f4e25da87d.exe	27
PID 368 wrote to memory of 1736	368	c749e55b66e4df3e00b76da1261526a4214559e628e03e798119e7f4e25da87d.exe	29
PID 368 wrote to memory of 1736	368	c749e55b66e4df3e00b76da1261526a4214559e628e03e798119e7f4e25da87d.exe	29
PID 368 wrote to memory of 1736	368	c749e55b66e4df3e00b76da1261526a4214559e628e03e798119e7f4e25da87d.exe	29
PID 368 wrote to memory of 1736	368	c749e55b66e4df3e00b76da1261526a4214559e628e03e798119e7f4e25da87d.exe	29

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:420

C:\Users\Admin\AppData\Local\Temp\c749e55b66e4df3e00b76da1261526a4214559e628e03e798119e7f4e25da87d.exe
"C:\Users\Admin\AppData\Local\Temp\c749e55b66e4df3e00b76da1261526a4214559e628e03e798119e7f4e25da87d.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:368
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\140681.bat
  2⤵
  PID:912
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\130773.bat
  2⤵
  - Deletes itself
  PID:1736

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\130773.bat

Filesize
259B

MD5
7a71a9a9e6c3cd146540068b5f07ed52

SHA1
1da50bcc3670ff683071f0ab0eb25b4415305adf

SHA256
10120129d108a13e6e084004104501359793b3f50c69bdd9b7114854fdfb78f9

SHA512
85ed2661760658bf791526036d4d13d0fb3a00420a31259dddb1631fa74f6d5795fe187ce0897346c8b5e3a87f0a43197b218b4fd37eac414b84ebff13d04887

Download Submit
C:\Windows\135048.dll

Filesize
127KB

MD5
8d877c1802a298305266ea0aeb92e937

SHA1
91e636ed05f6b0027049ebe255ea6b7e2ce47120

SHA256
0d28b6cde7a03d936cc572e930aa5613538f7169cae53d2a0fd6be9135a0f203

SHA512
bc74500e01fff62ccdb346ed70299d629fa4625fe85b024f82e387963ce28df9d1438ca95c8db291363c5b5324760ee8acc49392f01571fdbba228735f9f8307

Download Submit
C:\Windows\140681.bat

Filesize
97B

MD5
f9f6f586bf62f1b086236cbb7fe607f7

SHA1
c74e961c2030fecf2d027a58542670f22d27b770

SHA256
27f6a25ab376fe1d69d5c523d80703c8d1eaf73a7aea1a58e68f9d6ff46edd05

SHA512
7954ff66510e389b86d2afe632e63835f0556377199656128c4ac300518fe60e77502b40df8c3e8a6f5936ed7395f8dfc2d98f094d16db296b1bc0b0b487472c

Download Submit
memory/368-54-0x0000000000010000-0x000000000004A4C5-memory.dmp

Filesize
233KB

Download
memory/368-55-0x0000000076401000-0x0000000076403000-memory.dmp

Filesize
8KB

Download
memory/368-59-0x0000000000010000-0x000000000004A4C5-memory.dmp

Filesize
233KB

Download
memory/368-61-0x0000000000010000-0x000000000004A4C5-memory.dmp

Filesize
233KB

Download
memory/912-56-0x0000000000000000-mapping.dmp

Download
memory/1736-60-0x0000000000000000-mapping.dmp

Download