e9b52b00b032679dcfeef69d208f202137a728f713c5d04c1f439c7138cf26b7

Analysis

max time kernel
405s
max time network
408s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
07-07-2023 10:43

Target

16edd818c1d3c100aadb6492597f3d3b0b253efb3cb72f312e6fc9299357985c.exe
Size

1.3MB
MD5

658658a15dba58037d7fcc138a498e19
SHA1

0dc27e7ed4fe55da04aeaca909ab256ff0b2ae84
SHA256

16edd818c1d3c100aadb6492597f3d3b0b253efb3cb72f312e6fc9299357985c
SHA512

34b9770c83ace4a5a4270486f18ad896be22fd93d1ed910a8bce3e930401213b455e51f3f2fd1ebd71fe04049b2ad01d5e79c8a47164e0bf38e202951e2a3832
SSDEEP

24576:J/zlUFcWcyCL1yrtSAzSpNjtnAHcnQO/k:JicyCZKtzSpNRoO8

Score

7^/10

Executes dropped EXE 2 IoCs

pid	Process
464	Process not Found
316	alg.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	16edd818c1d3c100aadb6492597f3d3b0b253efb3cb72f312e6fc9299357985c.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	16edd818c1d3c100aadb6492597f3d3b0b253efb3cb72f312e6fc9299357985c.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3040	16edd818c1d3c100aadb6492597f3d3b0b253efb3cb72f312e6fc9299357985c.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 3064	3040	16edd818c1d3c100aadb6492597f3d3b0b253efb3cb72f312e6fc9299357985c.exe	28
PID 3040 wrote to memory of 3064	3040	16edd818c1d3c100aadb6492597f3d3b0b253efb3cb72f312e6fc9299357985c.exe	28
PID 3040 wrote to memory of 3064	3040	16edd818c1d3c100aadb6492597f3d3b0b253efb3cb72f312e6fc9299357985c.exe	28
PID 3040 wrote to memory of 3064	3040	16edd818c1d3c100aadb6492597f3d3b0b253efb3cb72f312e6fc9299357985c.exe	28
PID 3040 wrote to memory of 3064	3040	16edd818c1d3c100aadb6492597f3d3b0b253efb3cb72f312e6fc9299357985c.exe	28
PID 3040 wrote to memory of 3064	3040	16edd818c1d3c100aadb6492597f3d3b0b253efb3cb72f312e6fc9299357985c.exe	28
PID 3040 wrote to memory of 3064	3040	16edd818c1d3c100aadb6492597f3d3b0b253efb3cb72f312e6fc9299357985c.exe	28

C:\Users\Admin\AppData\Local\Temp\16edd818c1d3c100aadb6492597f3d3b0b253efb3cb72f312e6fc9299357985c.exe
"C:\Users\Admin\AppData\Local\Temp\16edd818c1d3c100aadb6492597f3d3b0b253efb3cb72f312e6fc9299357985c.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Users\Admin\AppData\Local\Temp\16edd818c1d3c100aadb6492597f3d3b0b253efb3cb72f312e6fc9299357985c.exe
  -deleter
  2⤵
  PID:3064

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:316

C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
367dcfc7d335f7892fd00664a940a7a1

SHA1
91ccb82b26dd3c530f283ddc37838244b4b2ead5

SHA256
7355fe78c6198db3a871185a73cff270736c8a8766cabece45d1c209e3aa74bb

SHA512
52e28d031f1875c78a24d5062e9f9f1f099fd11f00e9351e1c704b73756886d7cdeed71eae565c270a198b8c1dc3ac5a610b5ddcefa8b529bad7517de053948a

Download Submit
\Windows\System32\alg.exe

Filesize
1.3MB

MD5
367dcfc7d335f7892fd00664a940a7a1

SHA1
91ccb82b26dd3c530f283ddc37838244b4b2ead5

SHA256
7355fe78c6198db3a871185a73cff270736c8a8766cabece45d1c209e3aa74bb

SHA512
52e28d031f1875c78a24d5062e9f9f1f099fd11f00e9351e1c704b73756886d7cdeed71eae565c270a198b8c1dc3ac5a610b5ddcefa8b529bad7517de053948a

Download Submit
memory/316-79-0x0000000100000000-0x00000001001FB000-memory.dmp

Filesize
2.0MB

Download
memory/3040-54-0x0000000000B80000-0x0000000000BE6000-memory.dmp

Filesize
408KB

Download
memory/3040-59-0x0000000000B80000-0x0000000000BE6000-memory.dmp

Filesize
408KB

Download
memory/3040-78-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download
memory/3064-63-0x0000000000A20000-0x0000000000A86000-memory.dmp

Filesize
408KB

Download
memory/3064-68-0x0000000000A20000-0x0000000000A86000-memory.dmp

Filesize
408KB

Download
memory/3064-75-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download