ed684b6619d2af10776e9f6e7e61ee30844d968e72f20754cab58c80c7a489af

Analysis

max time kernel
31s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
12/05/2023, 12:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ORDER #771490168489pdf.exe
Size

384KB
MD5

cfc47b5fcc2b99be88840274a61a2bc7
SHA1

f830e9081ba70c423e5be30ad13fe35cef93c5fb
SHA256

ed684b6619d2af10776e9f6e7e61ee30844d968e72f20754cab58c80c7a489af
SHA512

0bfe069db41fc0c517d650d1e71be9f338602a21c37b458ead5777898544b767de4035830ba72178242fa34bfdd93618be052791667a2d5ebee0048d906b223e
SSDEEP

6144:ugb749Khnw2FYmtcvEll0+xDbEjwj/tl/ylguF5RpZHS+guK3R2NZ:ug/1YmtSEj9bEjSWlguRpw+2Q

Score

7^/10

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchos.exe.exe	Powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchos.exe.exe	Powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1056	Powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1056	Powershell.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 1056	1700	ORDER #771490168489pdf.exe	27
PID 1700 wrote to memory of 1056	1700	ORDER #771490168489pdf.exe	27
PID 1700 wrote to memory of 1056	1700	ORDER #771490168489pdf.exe	27
PID 1700 wrote to memory of 1056	1700	ORDER #771490168489pdf.exe	27
PID 1700 wrote to memory of 336	1700	ORDER #771490168489pdf.exe	29
PID 1700 wrote to memory of 336	1700	ORDER #771490168489pdf.exe	29
PID 1700 wrote to memory of 336	1700	ORDER #771490168489pdf.exe	29
PID 1700 wrote to memory of 336	1700	ORDER #771490168489pdf.exe	29
PID 1700 wrote to memory of 336	1700	ORDER #771490168489pdf.exe	29
PID 1700 wrote to memory of 336	1700	ORDER #771490168489pdf.exe	29
PID 1700 wrote to memory of 336	1700	ORDER #771490168489pdf.exe	29
PID 1700 wrote to memory of 1476	1700	ORDER #771490168489pdf.exe	30
PID 1700 wrote to memory of 1476	1700	ORDER #771490168489pdf.exe	30
PID 1700 wrote to memory of 1476	1700	ORDER #771490168489pdf.exe	30
PID 1700 wrote to memory of 1476	1700	ORDER #771490168489pdf.exe	30
PID 1700 wrote to memory of 1476	1700	ORDER #771490168489pdf.exe	30
PID 1700 wrote to memory of 1476	1700	ORDER #771490168489pdf.exe	30
PID 1700 wrote to memory of 1476	1700	ORDER #771490168489pdf.exe	30
PID 1700 wrote to memory of 588	1700	ORDER #771490168489pdf.exe	31
PID 1700 wrote to memory of 588	1700	ORDER #771490168489pdf.exe	31
PID 1700 wrote to memory of 588	1700	ORDER #771490168489pdf.exe	31
PID 1700 wrote to memory of 588	1700	ORDER #771490168489pdf.exe	31
PID 1700 wrote to memory of 588	1700	ORDER #771490168489pdf.exe	31
PID 1700 wrote to memory of 588	1700	ORDER #771490168489pdf.exe	31
PID 1700 wrote to memory of 588	1700	ORDER #771490168489pdf.exe	31
PID 1700 wrote to memory of 1872	1700	ORDER #771490168489pdf.exe	32
PID 1700 wrote to memory of 1872	1700	ORDER #771490168489pdf.exe	32
PID 1700 wrote to memory of 1872	1700	ORDER #771490168489pdf.exe	32
PID 1700 wrote to memory of 1872	1700	ORDER #771490168489pdf.exe	32
PID 1700 wrote to memory of 1872	1700	ORDER #771490168489pdf.exe	32
PID 1700 wrote to memory of 1872	1700	ORDER #771490168489pdf.exe	32
PID 1700 wrote to memory of 1872	1700	ORDER #771490168489pdf.exe	32
PID 1700 wrote to memory of 1668	1700	ORDER #771490168489pdf.exe	33
PID 1700 wrote to memory of 1668	1700	ORDER #771490168489pdf.exe	33
PID 1700 wrote to memory of 1668	1700	ORDER #771490168489pdf.exe	33
PID 1700 wrote to memory of 1668	1700	ORDER #771490168489pdf.exe	33
PID 1700 wrote to memory of 1668	1700	ORDER #771490168489pdf.exe	33
PID 1700 wrote to memory of 1668	1700	ORDER #771490168489pdf.exe	33
PID 1700 wrote to memory of 1668	1700	ORDER #771490168489pdf.exe	33

C:\Users\Admin\AppData\Local\Temp\ORDER #771490168489pdf.exe
"C:\Users\Admin\AppData\Local\Temp\ORDER #771490168489pdf.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
  "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\Admin\AppData\Local\Temp\ORDER #771490168489pdf.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchos.exe.exe'
  2⤵
  - Drops startup file
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:336
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:1476
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:588
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:1872
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:1668

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1056-59-0x0000000002590000-0x00000000025D0000-memory.dmp

Filesize
256KB

Download
memory/1056-60-0x0000000002590000-0x00000000025D0000-memory.dmp

Filesize
256KB

Download
memory/1700-54-0x0000000000280000-0x00000000002E6000-memory.dmp

Filesize
408KB

Download
memory/1700-55-0x0000000004B10000-0x0000000004B50000-memory.dmp

Filesize
256KB

Download
memory/1700-56-0x0000000000660000-0x00000000006B4000-memory.dmp

Filesize
336KB

Download
memory/1700-61-0x00000000004A0000-0x00000000004AA000-memory.dmp

Filesize
40KB

Download