eb6dc51b5d01fe5a71396dec0b9dd4cc3fc99c87ad583cccbad68277cfea3a5f

Analysis

max time kernel
149s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02-02-2023 13:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f031f0ee76ad6d3e84055cbfc2f47a97ea009f3b.exe
Size

15KB
MD5

2f1890f0f4e8eb63aba1ef8a0441d9a4
SHA1

f031f0ee76ad6d3e84055cbfc2f47a97ea009f3b
SHA256

eb6dc51b5d01fe5a71396dec0b9dd4cc3fc99c87ad583cccbad68277cfea3a5f
SHA512

f0fe3cc07a37c2623972e53ae567a8b49f59851fb6ec71d9bc1f42ff03786639ba3d07c42c4688759b37a2646629e090d98a577caf2db3a7fa11eb366bc0ab48
SSDEEP

384:KO1YzXQ+c25qyI/W8QXCt2L0oYybKUyVw59HtY0fuV6:hYzgtLyI/kCwL0oYrUyV29HtTuk

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
1356	f031f0ee76ad6d3e84055cbfc2f47a97ea009f3b.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\msosfmsq00.dll	f031f0ee76ad6d3e84055cbfc2f47a97ea009f3b.exe
File opened for modification	C:\Windows\SysWOW64\msosfmsq00.dll	f031f0ee76ad6d3e84055cbfc2f47a97ea009f3b.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\win.ini	f031f0ee76ad6d3e84055cbfc2f47a97ea009f3b.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1356	f031f0ee76ad6d3e84055cbfc2f47a97ea009f3b.exe
1356	f031f0ee76ad6d3e84055cbfc2f47a97ea009f3b.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
460	services.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1356	f031f0ee76ad6d3e84055cbfc2f47a97ea009f3b.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1356 wrote to memory of 260	1356	f031f0ee76ad6d3e84055cbfc2f47a97ea009f3b.exe	26
PID 1356 wrote to memory of 260	1356	f031f0ee76ad6d3e84055cbfc2f47a97ea009f3b.exe	26
PID 1356 wrote to memory of 260	1356	f031f0ee76ad6d3e84055cbfc2f47a97ea009f3b.exe	26
PID 1356 wrote to memory of 260	1356	f031f0ee76ad6d3e84055cbfc2f47a97ea009f3b.exe	26
PID 1356 wrote to memory of 260	1356	f031f0ee76ad6d3e84055cbfc2f47a97ea009f3b.exe	26
PID 1356 wrote to memory of 332	1356	f031f0ee76ad6d3e84055cbfc2f47a97ea009f3b.exe	25
PID 1356 wrote to memory of 332	1356	f031f0ee76ad6d3e84055cbfc2f47a97ea009f3b.exe	25
PID 1356 wrote to memory of 332	1356	f031f0ee76ad6d3e84055cbfc2f47a97ea009f3b.exe	25
PID 1356 wrote to memory of 332	1356	f031f0ee76ad6d3e84055cbfc2f47a97ea009f3b.exe	25
PID 1356 wrote to memory of 332	1356	f031f0ee76ad6d3e84055cbfc2f47a97ea009f3b.exe	25
PID 1356 wrote to memory of 368	1356	f031f0ee76ad6d3e84055cbfc2f47a97ea009f3b.exe	24
PID 1356 wrote to memory of 368	1356	f031f0ee76ad6d3e84055cbfc2f47a97ea009f3b.exe	24
PID 1356 wrote to memory of 368	1356	f031f0ee76ad6d3e84055cbfc2f47a97ea009f3b.exe	24
PID 1356 wrote to memory of 368	1356	f031f0ee76ad6d3e84055cbfc2f47a97ea009f3b.exe	24
PID 1356 wrote to memory of 368	1356	f031f0ee76ad6d3e84055cbfc2f47a97ea009f3b.exe	24
PID 1356 wrote to memory of 380	1356	f031f0ee76ad6d3e84055cbfc2f47a97ea009f3b.exe	23
PID 1356 wrote to memory of 380	1356	f031f0ee76ad6d3e84055cbfc2f47a97ea009f3b.exe	23
PID 1356 wrote to memory of 380	1356	f031f0ee76ad6d3e84055cbfc2f47a97ea009f3b.exe	23
PID 1356 wrote to memory of 380	1356	f031f0ee76ad6d3e84055cbfc2f47a97ea009f3b.exe	23
PID 1356 wrote to memory of 380	1356	f031f0ee76ad6d3e84055cbfc2f47a97ea009f3b.exe	23
PID 1356 wrote to memory of 416	1356	f031f0ee76ad6d3e84055cbfc2f47a97ea009f3b.exe	22
PID 1356 wrote to memory of 416	1356	f031f0ee76ad6d3e84055cbfc2f47a97ea009f3b.exe	22
PID 1356 wrote to memory of 416	1356	f031f0ee76ad6d3e84055cbfc2f47a97ea009f3b.exe	22
PID 1356 wrote to memory of 416	1356	f031f0ee76ad6d3e84055cbfc2f47a97ea009f3b.exe	22
PID 1356 wrote to memory of 416	1356	f031f0ee76ad6d3e84055cbfc2f47a97ea009f3b.exe	22
PID 1356 wrote to memory of 460	1356	f031f0ee76ad6d3e84055cbfc2f47a97ea009f3b.exe	21
PID 1356 wrote to memory of 460	1356	f031f0ee76ad6d3e84055cbfc2f47a97ea009f3b.exe	21
PID 1356 wrote to memory of 460	1356	f031f0ee76ad6d3e84055cbfc2f47a97ea009f3b.exe	21
PID 1356 wrote to memory of 460	1356	f031f0ee76ad6d3e84055cbfc2f47a97ea009f3b.exe	21
PID 1356 wrote to memory of 460	1356	f031f0ee76ad6d3e84055cbfc2f47a97ea009f3b.exe	21
PID 1356 wrote to memory of 476	1356	f031f0ee76ad6d3e84055cbfc2f47a97ea009f3b.exe	20
PID 1356 wrote to memory of 476	1356	f031f0ee76ad6d3e84055cbfc2f47a97ea009f3b.exe	20
PID 1356 wrote to memory of 476	1356	f031f0ee76ad6d3e84055cbfc2f47a97ea009f3b.exe	20
PID 1356 wrote to memory of 476	1356	f031f0ee76ad6d3e84055cbfc2f47a97ea009f3b.exe	20
PID 1356 wrote to memory of 476	1356	f031f0ee76ad6d3e84055cbfc2f47a97ea009f3b.exe	20
PID 1356 wrote to memory of 484	1356	f031f0ee76ad6d3e84055cbfc2f47a97ea009f3b.exe	19
PID 1356 wrote to memory of 484	1356	f031f0ee76ad6d3e84055cbfc2f47a97ea009f3b.exe	19
PID 1356 wrote to memory of 484	1356	f031f0ee76ad6d3e84055cbfc2f47a97ea009f3b.exe	19
PID 1356 wrote to memory of 484	1356	f031f0ee76ad6d3e84055cbfc2f47a97ea009f3b.exe	19
PID 1356 wrote to memory of 484	1356	f031f0ee76ad6d3e84055cbfc2f47a97ea009f3b.exe	19
PID 1356 wrote to memory of 600	1356	f031f0ee76ad6d3e84055cbfc2f47a97ea009f3b.exe	18
PID 1356 wrote to memory of 600	1356	f031f0ee76ad6d3e84055cbfc2f47a97ea009f3b.exe	18
PID 1356 wrote to memory of 600	1356	f031f0ee76ad6d3e84055cbfc2f47a97ea009f3b.exe	18
PID 1356 wrote to memory of 600	1356	f031f0ee76ad6d3e84055cbfc2f47a97ea009f3b.exe	18
PID 1356 wrote to memory of 600	1356	f031f0ee76ad6d3e84055cbfc2f47a97ea009f3b.exe	18
PID 1356 wrote to memory of 676	1356	f031f0ee76ad6d3e84055cbfc2f47a97ea009f3b.exe	17
PID 1356 wrote to memory of 676	1356	f031f0ee76ad6d3e84055cbfc2f47a97ea009f3b.exe	17
PID 1356 wrote to memory of 676	1356	f031f0ee76ad6d3e84055cbfc2f47a97ea009f3b.exe	17
PID 1356 wrote to memory of 676	1356	f031f0ee76ad6d3e84055cbfc2f47a97ea009f3b.exe	17
PID 1356 wrote to memory of 676	1356	f031f0ee76ad6d3e84055cbfc2f47a97ea009f3b.exe	17
PID 1356 wrote to memory of 760	1356	f031f0ee76ad6d3e84055cbfc2f47a97ea009f3b.exe	16
PID 1356 wrote to memory of 760	1356	f031f0ee76ad6d3e84055cbfc2f47a97ea009f3b.exe	16
PID 1356 wrote to memory of 760	1356	f031f0ee76ad6d3e84055cbfc2f47a97ea009f3b.exe	16
PID 1356 wrote to memory of 760	1356	f031f0ee76ad6d3e84055cbfc2f47a97ea009f3b.exe	16
PID 1356 wrote to memory of 760	1356	f031f0ee76ad6d3e84055cbfc2f47a97ea009f3b.exe	16
PID 1356 wrote to memory of 808	1356	f031f0ee76ad6d3e84055cbfc2f47a97ea009f3b.exe	15
PID 1356 wrote to memory of 808	1356	f031f0ee76ad6d3e84055cbfc2f47a97ea009f3b.exe	15
PID 1356 wrote to memory of 808	1356	f031f0ee76ad6d3e84055cbfc2f47a97ea009f3b.exe	15
PID 1356 wrote to memory of 808	1356	f031f0ee76ad6d3e84055cbfc2f47a97ea009f3b.exe	15
PID 1356 wrote to memory of 808	1356	f031f0ee76ad6d3e84055cbfc2f47a97ea009f3b.exe	15
PID 1356 wrote to memory of 852	1356	f031f0ee76ad6d3e84055cbfc2f47a97ea009f3b.exe	14
PID 1356 wrote to memory of 852	1356	f031f0ee76ad6d3e84055cbfc2f47a97ea009f3b.exe	14
PID 1356 wrote to memory of 852	1356	f031f0ee76ad6d3e84055cbfc2f47a97ea009f3b.exe	14
PID 1356 wrote to memory of 852	1356	f031f0ee76ad6d3e84055cbfc2f47a97ea009f3b.exe	14

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:316

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
1⤵
PID:324
- C:\Windows\system32\wininit.exe
  wininit.exe
  2⤵
  PID:368
- C:\Windows\system32\csrss.exe
  %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
  2⤵
  PID:332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:876

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
1⤵
PID:852

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
1⤵
PID:808

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:760

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
1⤵
PID:676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
PID:600

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:484

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:476

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
- Suspicious behavior: LoadsDriver
PID:460

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:416

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:380

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:260

C:\Users\Admin\AppData\Local\Temp\f031f0ee76ad6d3e84055cbfc2f47a97ea009f3b.exe
"C:\Users\Admin\AppData\Local\Temp\f031f0ee76ad6d3e84055cbfc2f47a97ea009f3b.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1356

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\tmpEF60.tmp

Filesize
10KB

MD5
2e25bb2d017158d57ded98af057d4053

SHA1
ffce00972b527ebed3fda8d7b60087b770b260d0

SHA256
1006a0ddd9200801c35887dfa8e599a9fd77480067ba5958f4701ca6f318a8d1

SHA512
294f3d3e603218bcafec7363d72ac2a751ada2f483584bd486de242cda326755d90b6e4cc9de1a483a519f59cfb411c5a101d7e3ef02e1a9143dbc6c4aa538a8

Download Submit
memory/1356-55-0x0000000010000000-0x0000000010029000-memory.dmp

Filesize
164KB

Download