6f1c5d325834bf2b616d8a07aa7606bdc3a0615702409c12e36701e4e2bfcfd1

Analysis

max time kernel
179s
max time network
189s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
06/12/2022, 11:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6f1c5d325834bf2b616d8a07aa7606bdc3a0615702409c12e36701e4e2bfcfd1.exe
Size

272KB
MD5

535ea9be09ed0d576ec450efaea53f80
SHA1

3f0bdb4fca75f19aba28e4608388863fcfcf3488
SHA256

6f1c5d325834bf2b616d8a07aa7606bdc3a0615702409c12e36701e4e2bfcfd1
SHA512

d7696025788397d27ab263ea0facd0371fe5fe2c7ef3a80cfd5b5315bcc9f91c3d0ea897663324786a5b6e90a259b5c21da3f482a2b2ce2f30d19d2ccf5385bf
SSDEEP

6144:HIcUTKTk+bVaOib9c5RMpohpczXm/QRBvN:vk+YBZZpo4zXoChN

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
4588	6f1c5d325834bf2b616d8a07aa7606bdc3a0615702409c12e36701e4e2bfcfd1.exe
3516	svchost.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Fput\Dertlbkxu.jpg	6f1c5d325834bf2b616d8a07aa7606bdc3a0615702409c12e36701e4e2bfcfd1.exe
File created	C:\Program Files (x86)\Fput\Dertlbkxu.jpg	6f1c5d325834bf2b616d8a07aa7606bdc3a0615702409c12e36701e4e2bfcfd1.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\windows\xinstall1878600.dll	6f1c5d325834bf2b616d8a07aa7606bdc3a0615702409c12e36701e4e2bfcfd1.exe
File opened for modification	C:\windows\xinstall1878600.dll	6f1c5d325834bf2b616d8a07aa7606bdc3a0615702409c12e36701e4e2bfcfd1.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
3516	svchost.exe
3516	svchost.exe
3516	svchost.exe
3516	svchost.exe
3516	svchost.exe
3516	svchost.exe
3516	svchost.exe
3516	svchost.exe
3516	svchost.exe
3516	svchost.exe
3516	svchost.exe
3516	svchost.exe
3516	svchost.exe
3516	svchost.exe
3516	svchost.exe
3516	svchost.exe
3516	svchost.exe
3516	svchost.exe
3516	svchost.exe
3516	svchost.exe
3516	svchost.exe
3516	svchost.exe
3516	svchost.exe
3516	svchost.exe
3516	svchost.exe
3516	svchost.exe
3516	svchost.exe
3516	svchost.exe
3516	svchost.exe
3516	svchost.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
648	Process not Found

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeBackupPrivilege	4588	6f1c5d325834bf2b616d8a07aa7606bdc3a0615702409c12e36701e4e2bfcfd1.exe
Token: SeRestorePrivilege	4588	6f1c5d325834bf2b616d8a07aa7606bdc3a0615702409c12e36701e4e2bfcfd1.exe
Token: SeBackupPrivilege	4588	6f1c5d325834bf2b616d8a07aa7606bdc3a0615702409c12e36701e4e2bfcfd1.exe
Token: SeRestorePrivilege	4588	6f1c5d325834bf2b616d8a07aa7606bdc3a0615702409c12e36701e4e2bfcfd1.exe
Token: SeBackupPrivilege	4588	6f1c5d325834bf2b616d8a07aa7606bdc3a0615702409c12e36701e4e2bfcfd1.exe
Token: SeRestorePrivilege	4588	6f1c5d325834bf2b616d8a07aa7606bdc3a0615702409c12e36701e4e2bfcfd1.exe
Token: SeBackupPrivilege	4588	6f1c5d325834bf2b616d8a07aa7606bdc3a0615702409c12e36701e4e2bfcfd1.exe
Token: SeRestorePrivilege	4588	6f1c5d325834bf2b616d8a07aa7606bdc3a0615702409c12e36701e4e2bfcfd1.exe

C:\Users\Admin\AppData\Local\Temp\6f1c5d325834bf2b616d8a07aa7606bdc3a0615702409c12e36701e4e2bfcfd1.exe
"C:\Users\Admin\AppData\Local\Temp\6f1c5d325834bf2b616d8a07aa7606bdc3a0615702409c12e36701e4e2bfcfd1.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4588

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k sougou
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3516

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Fput\Dertlbkxu.jpg

Filesize
9.3MB

MD5
ca04684fd925ed7e2fd54889c940b4ae

SHA1
7f5063c3f73382727231100a389050c7dd251610

SHA256
fbe81f18bd3932cc868d6dc2529f0e23e402eafde5de45d0a04fcfa190cd2b6b

SHA512
e8cd63e0b75817b5b9c89a05a0407c3337f6bb53f8be11179569e358293dc794e45856ade6fbf896ed5d1d1598264980936df7a01499bed65e14ace6c3ee6d90

Download Submit
C:\Windows\xinstall1878600.dll

Filesize
213KB

MD5
52068d7d5ee9b30a59c5cc7d2bcb7654

SHA1
499d1325555def9cc07d65c423a5e4a4c3280f00

SHA256
ffc756d126041471133e58cb79c39170450406005e72d1f9e8bfed3f610921b7

SHA512
3addb34d6a57f13202dfab6f57d1aa9fda74940c22b85447d47c5c8b880e947ec81a0286bba4e6edf005524e3d5a1417e667cd519c2e22baa959e7fc1b0fcb4f

Download Submit
C:\windows\xinstall1878600.dll

Filesize
213KB

MD5
52068d7d5ee9b30a59c5cc7d2bcb7654

SHA1
499d1325555def9cc07d65c423a5e4a4c3280f00

SHA256
ffc756d126041471133e58cb79c39170450406005e72d1f9e8bfed3f610921b7

SHA512
3addb34d6a57f13202dfab6f57d1aa9fda74940c22b85447d47c5c8b880e947ec81a0286bba4e6edf005524e3d5a1417e667cd519c2e22baa959e7fc1b0fcb4f

Download Submit
\??\c:\Win_lj.ini

Filesize
133B

MD5
3934b358950dda29f0e8e7e5f160fa6f

SHA1
eebcc2a7806457c7ea808cbb2fdfc7c6305bad1b

SHA256
f82b41888be91595500f4af05368622339f658be52ed2482d9e4107d7c684a44

SHA512
d6639689b723fc02776972aea0ed0438348bc3f6dbc5a7f75db609948eca10f64c5c505d323f41cb1d82a6a380832f3acfe0a2ddbe043cbdf0d9b2cebb050e55

Download Submit
\??\c:\program files (x86)\fput\dertlbkxu.jpg

Filesize
9.3MB

MD5
ca04684fd925ed7e2fd54889c940b4ae

SHA1
7f5063c3f73382727231100a389050c7dd251610

SHA256
fbe81f18bd3932cc868d6dc2529f0e23e402eafde5de45d0a04fcfa190cd2b6b

SHA512
e8cd63e0b75817b5b9c89a05a0407c3337f6bb53f8be11179569e358293dc794e45856ade6fbf896ed5d1d1598264980936df7a01499bed65e14ace6c3ee6d90

Download Submit
memory/3516-137-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/4588-133-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/4588-135-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download