eebd455e5228d356cf78ddc79ec3f0a0ff5dd77f5cdaa6ba9508268eaf7ed135

Analysis

max time kernel
82s
max time network
33s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
06-12-2022 18:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eebd455e5228d356cf78ddc79ec3f0a0ff5dd77f5cdaa6ba9508268eaf7ed135.exe
Size

146KB
MD5

82e6ceae0f6ef093e05b6ce49020e7a4
SHA1

344dee197461b500c59a32bb2c401b8f15e550b1
SHA256

eebd455e5228d356cf78ddc79ec3f0a0ff5dd77f5cdaa6ba9508268eaf7ed135
SHA512

a6e0b7abbd9593c1841b7aed2d3d313340313f3d7b91c5588bad9a5ef8a6dfb1021991f34ec4e829c02c4134930f78fca0aee9d2315aa06598c507c64e60a240
SSDEEP

3072:wPQt3aMxzd3o9fUPHC56IXsLkce6p23CskJXljt/wOl2RkJdoGTIcI:wPhaCEHpMGljt/RYkLBw

Score

4^/10

Malware Config

Signatures

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\┼Σ╓├╨┼╧ó.txt	cmd.exe

Kills process with taskkill 6 IoCs

evasion

pid	Process
1052	taskkill.exe
1924	taskkill.exe
1772	taskkill.exe
1500	taskkill.exe
1192	taskkill.exe
1768	taskkill.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1052	taskkill.exe
Token: SeDebugPrivilege	1924	taskkill.exe
Token: SeDebugPrivilege	1772	taskkill.exe
Token: SeDebugPrivilege	1500	taskkill.exe
Token: SeDebugPrivilege	1192	taskkill.exe
Token: SeDebugPrivilege	1768	taskkill.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1536 wrote to memory of 1700	1536	eebd455e5228d356cf78ddc79ec3f0a0ff5dd77f5cdaa6ba9508268eaf7ed135.exe	28
PID 1536 wrote to memory of 1700	1536	eebd455e5228d356cf78ddc79ec3f0a0ff5dd77f5cdaa6ba9508268eaf7ed135.exe	28
PID 1536 wrote to memory of 1700	1536	eebd455e5228d356cf78ddc79ec3f0a0ff5dd77f5cdaa6ba9508268eaf7ed135.exe	28
PID 1536 wrote to memory of 1700	1536	eebd455e5228d356cf78ddc79ec3f0a0ff5dd77f5cdaa6ba9508268eaf7ed135.exe	28
PID 1700 wrote to memory of 1052	1700	cmd.exe	30
PID 1700 wrote to memory of 1052	1700	cmd.exe	30
PID 1700 wrote to memory of 1052	1700	cmd.exe	30
PID 1700 wrote to memory of 1052	1700	cmd.exe	30
PID 1700 wrote to memory of 1924	1700	cmd.exe	32
PID 1700 wrote to memory of 1924	1700	cmd.exe	32
PID 1700 wrote to memory of 1924	1700	cmd.exe	32
PID 1700 wrote to memory of 1924	1700	cmd.exe	32
PID 1700 wrote to memory of 1772	1700	cmd.exe	33
PID 1700 wrote to memory of 1772	1700	cmd.exe	33
PID 1700 wrote to memory of 1772	1700	cmd.exe	33
PID 1700 wrote to memory of 1772	1700	cmd.exe	33
PID 1700 wrote to memory of 1500	1700	cmd.exe	34
PID 1700 wrote to memory of 1500	1700	cmd.exe	34
PID 1700 wrote to memory of 1500	1700	cmd.exe	34
PID 1700 wrote to memory of 1500	1700	cmd.exe	34
PID 1700 wrote to memory of 1192	1700	cmd.exe	35
PID 1700 wrote to memory of 1192	1700	cmd.exe	35
PID 1700 wrote to memory of 1192	1700	cmd.exe	35
PID 1700 wrote to memory of 1192	1700	cmd.exe	35
PID 1700 wrote to memory of 1768	1700	cmd.exe	36
PID 1700 wrote to memory of 1768	1700	cmd.exe	36
PID 1700 wrote to memory of 1768	1700	cmd.exe	36
PID 1700 wrote to memory of 1768	1700	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\eebd455e5228d356cf78ddc79ec3f0a0ff5dd77f5cdaa6ba9508268eaf7ed135.exe
"C:\Users\Admin\AppData\Local\Temp\eebd455e5228d356cf78ddc79ec3f0a0ff5dd77f5cdaa6ba9508268eaf7ed135.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1536
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bt1651.bat
  2⤵
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1700
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ecplor*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1052
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rpstat.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1924
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im npver.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1772
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im setup.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1500
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im spoolsv.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1192
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im cmd.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1768

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:856

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bt1651.bat

Filesize
504B

MD5
b2ae7735031c2db845aee3231c28f607

SHA1
0fc7f68a282715546f45de37db2d27424c690db0

SHA256
4135696da8b0211576842a030b2682d5d8938ced79d07752756752fa90988830

SHA512
f904c214db324052b0248b74881e2079438a49d972eb4227a14d09de6b0989cedd1644f0cd230cd2b00d0bd1bee5191def4ba921158c87f10b7b95f02a88f4e6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads