05c3f104d8553b0569df5a34242403bd2738f94433daa52fd52eaaeea57dde03

Analysis

max time kernel
28s
max time network
30s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
24-03-2023 13:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

main.exe
Size

278KB
MD5

39b9b77f950a56b61419c2550c0ee2cf
SHA1

f33b06ec6583025ff1e982bd4b6854fc08785d99
SHA256

05c3f104d8553b0569df5a34242403bd2738f94433daa52fd52eaaeea57dde03
SHA512

204ca9e4112f759d585a2141b8e0ea622b2d392264c0c1b9b83ad3da746480dc3dc89b5c79c0d1be0b6a9c025762ddcf15a17024d02b65cdc8423c356486e74f
SSDEEP

6144:4+gNabwK8yIuE0fVAqc+07zBF7zBSXFsj7dLetJw48:casKrJE0fVy+4BVBSXTJw48

Score

1^/10

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

main.exe

description pid process

Token: SeDebugPrivilege 828 main.exe

description	pid	process
Token: SeDebugPrivilege	828	main.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

main.execsc.execsc.exe

description	pid	process	target process
PID 828 wrote to memory of 1920	828	main.exe	csc.exe
PID 828 wrote to memory of 1920	828	main.exe	csc.exe
PID 828 wrote to memory of 1920	828	main.exe	csc.exe
PID 828 wrote to memory of 1920	828	main.exe	csc.exe
PID 1920 wrote to memory of 588	1920	csc.exe	cvtres.exe
PID 1920 wrote to memory of 588	1920	csc.exe	cvtres.exe
PID 1920 wrote to memory of 588	1920	csc.exe	cvtres.exe
PID 1920 wrote to memory of 588	1920	csc.exe	cvtres.exe
PID 828 wrote to memory of 1832	828	main.exe	csc.exe
PID 828 wrote to memory of 1832	828	main.exe	csc.exe
PID 828 wrote to memory of 1832	828	main.exe	csc.exe
PID 828 wrote to memory of 1832	828	main.exe	csc.exe
PID 1832 wrote to memory of 996	1832	csc.exe	cvtres.exe
PID 1832 wrote to memory of 996	1832	csc.exe	cvtres.exe
PID 1832 wrote to memory of 996	1832	csc.exe	cvtres.exe
PID 1832 wrote to memory of 996	1832	csc.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\main.exe
"C:\Users\Admin\AppData\Local\Temp\main.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kz1spjwx\kz1spjwx.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1920

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD98.tmp" "c:\Users\Admin\AppData\Local\Temp\kz1spjwx\CSC8948A49B49DB482CAADBDAB19FC88695.TMP"
3⤵
PID:588

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lsgwkxbn\lsgwkxbn.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1832

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2DA6.tmp" "c:\Users\Admin\AppData\Local\Temp\lsgwkxbn\CSC5A988671654D406D82DE56D9BAFE595.TMP"
3⤵
PID:996

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES2DA6.tmp
Filesize
1KB

MD5
4992b02ed4304e5a883ec79cc5d0d719

SHA1
7268b181089ee573e93891c443fce5b3a7614e99

SHA256
a0e9960510d5f1311cced17804c096a6ac215cb76dfc02c3949c8e10474bdbf5

SHA512
82d3ec4aa05536f571fc16ab1cc131c4528f29d0b642244ff032fd353da7e5612dbe925f0f4dced8da49d8e3eef565e7f6258053194d1c14442cfb17c00133a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD98.tmp
Filesize
1KB

MD5
e1a357ca97e74aeefd0eb164e137016a

SHA1
253a95aeb69a31eb19083c9cc67f72cba0e5a2bf

SHA256
38f753c015e84d79d70cfa8dc604532f1f885516ed0feee1bc8378c8a2ab1339

SHA512
975a672b2ea575416aa2d86cda9f756e1362a420aa2824eaa437890d7b4296e2dedbcf332e47d2307df61d743cf19ab9b2a5e22fab62ae90458538f066bb9f04

Download Submit
C:\Users\Admin\AppData\Local\Temp\kz1spjwx\kz1spjwx.dll
Filesize
3KB

MD5
0c8c869895cf16acc7a339ba1b69bd25

SHA1
dca364cbc5a114f1f64fdc24686ce36c47c369c1

SHA256
f659e91dcad2df35256eefc050110ac759f4a239df3a02fa17bf07ebbc6d2588

SHA512
b48bde0ded0a86c064b90fedd04e85e0a40865099800976de98ce8e7023192e2a634d1df62f09f1a4a4ea95c58e05ae9d10415ffa502dbc2664034abbb4c466e

Download Submit
C:\Users\Admin\AppData\Local\Temp\lsgwkxbn\lsgwkxbn.dll
Filesize
3KB

MD5
cd1914cc4ca0823bc1693105ea44cc75

SHA1
97e952d5ef599fbdea9b3258c28fee2a602e95bc

SHA256
32f1927308dab3ae7f9f97d0610942ed408fc6c834fef59445debf8e1c8b930e

SHA512
409198f39530a584056477a27bd879765625971be412f40a22371dac14f226b1b32e5ca612a793b238398feaf04295a800d9f54af97606ed1f46a16022f2260d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kz1spjwx\CSC8948A49B49DB482CAADBDAB19FC88695.TMP
Filesize
652B

MD5
435d8737ca04cf104438777bd079dbbc

SHA1
5c8686a82790b918c48aa2c83ef4df48bfef7dde

SHA256
31ba82ad46691a42a7bc4810ad7a50997fa25ab4da4ca9d2c5a380503b55d6d4

SHA512
13a0393bced117b15b3fb0e51afe2dd7423cf211562232cb3ae0effe294547b8e70581e0b70d2cc6cdfe6c47b6f31c04484b76788e8bb576e72d320c84c1f252

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kz1spjwx\kz1spjwx.0.cs
Filesize
595B

MD5
63df9e1bfaec1dcccd9e5792db223149

SHA1
a5735e57ce42e22ae519c95027e016d75d0ad2a9

SHA256
93b412153346dd89989ead78cf85039a2b9b81203e887daec875dcd8b307c7d7

SHA512
255773f57a4d8a1bdd3198c03002154cd2297bb95054c6ca0c621f0a2a7ab9d74b0c12575f0eb66d524fae0581587a19377266dcd5ad09ecd8077098b1066c18

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kz1spjwx\kz1spjwx.cmdline
Filesize
184B

MD5
6902ca6a636ca34529e69b220d8142a5

SHA1
d6f4fc8a0d2b2b8b10d842bd2188e0682e71f628

SHA256
6f55acb81d764895e9d0d8f27b3b117853b949186ca741089de657464f7e0e8f

SHA512
47f3736a6cfe7444f48be1e1376356e8fab0d15406d115c7c4cb9a9408e156a390d152acc5f88dcb26f1b2ef6b6f6c786cf8ae4212f08d6ed9fc73e71f931f60

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lsgwkxbn\CSC5A988671654D406D82DE56D9BAFE595.TMP
Filesize
652B

MD5
cbc665c65f0127732c3511fd4f4e1d17

SHA1
7c70f827d1e0b737c731b281302695bc76ee2755

SHA256
b2cd836eb678d2ce3369ebdc16e3645f597913831e21c97ae955ffe8bb518823

SHA512
2ab25dc0a584b201b8f95e0f00dc690214f866d72fe96b28efef42ecd3daaeacaab24c84ad5b552e786d6d9be1cef58bf470176d929a5ba4cc32dd0b23c7b9dc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lsgwkxbn\lsgwkxbn.0.cs
Filesize
662B

MD5
e120a7f9ead5997e311f68b52dbd2fea

SHA1
7709193f527f62c833aaac70a95e26745574cf2c

SHA256
77f89e8d3e93de832f8a03e36a7883d096330ec8cb12a874339537cdf41def1c

SHA512
4eb92618b176b12af6f417ff44895a71d4663755afd99448cc4384d29f54752817e1d7f82db8023265c5fd9c29fe8aa3216936b0fc2de0d2d5fc316a702c38e1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lsgwkxbn\lsgwkxbn.cmdline
Filesize
214B

MD5
e9dfe68df80e7ea240eb5ac859f9dcdf

SHA1
de0832a0efba7c4059a2e6bd9d9fe33b0bac13ae

SHA256
65864a50759587a238ed2bd7b61d9ed569563c7aa50f31f5b9dcf8f79c45d303

SHA512
eda0254aff44f50d6029e321436e0d5586b0b48dc01c4ee38269f475b509a12695241d1b00d162d687913d2ae642523f40443cb19677b58ed1c2037273a6b0ed

Download Submit
memory/828-57-0x0000000004AD0000-0x0000000004B10000-memory.dmp

Filesize
256KB

Download
memory/828-68-0x0000000000680000-0x0000000000688000-memory.dmp

Filesize
32KB

Download
memory/828-70-0x0000000004AD0000-0x0000000004B10000-memory.dmp

Filesize
256KB

Download
memory/828-56-0x0000000004AD0000-0x0000000004B10000-memory.dmp

Filesize
256KB

Download
memory/828-83-0x0000000004AC0000-0x0000000004AC8000-memory.dmp

Filesize
32KB

Download
memory/828-85-0x00000000055E0000-0x00000000055E8000-memory.dmp

Filesize
32KB

Download
memory/828-86-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download