97795c68104a229e68b2d0167730977b6e884a3550eb1dacc49701455c32bfa6

Analysis

max time kernel
137s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
23-08-2023 22:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97795c68104a229e68b2d0167730977b6e884a3550eb1dacc49701455c32bfa6.exe
Size

5.5MB
MD5

61d3d59b2100d946004fa9e602ad407f
SHA1

1d81b2ac332e2cf1c1f818b7c63022c5fddaa305
SHA256

97795c68104a229e68b2d0167730977b6e884a3550eb1dacc49701455c32bfa6
SHA512

67fadfad2eb3fc60926c2e2311dec194106298e11431b5e51277c619d7fd3bb88581dd49b2bae908ca584f1764779dbcc1c51b882e34872030958c4f7866813b
SSDEEP

98304:skmcbYRPjxOSEMXfkcFX35PkfmDp4KHK23s7NNi+EGWyS47hD6zV3OXfPtZrwJt9:sXRPjxrqcFZIkpy23sBN1Eb4O1OXdlwp

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
3184	97795c68104a229e68b2d0167730977b6e884a3550eb1dacc49701455c32bfa6.exe

Drops file in System32 directory 45 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SYSTEM32\mscoree.dll	97795c68104a229e68b2d0167730977b6e884a3550eb1dacc49701455c32bfa6.exe
File opened for modification	C:\Windows\System32\ole32.dll	97795c68104a229e68b2d0167730977b6e884a3550eb1dacc49701455c32bfa6.exe
File opened for modification	C:\Windows\SYSTEM32\windows.storage.dll	97795c68104a229e68b2d0167730977b6e884a3550eb1dacc49701455c32bfa6.exe
File opened for modification	C:\Windows\SYSTEM32\SspiCli.dll	97795c68104a229e68b2d0167730977b6e884a3550eb1dacc49701455c32bfa6.exe
File opened for modification	C:\Windows\SYSTEM32\VCRUNTIME140_CLR0400.dll	97795c68104a229e68b2d0167730977b6e884a3550eb1dacc49701455c32bfa6.exe
File opened for modification	C:\Windows\SYSTEM32\CRYPTBASE.dll	97795c68104a229e68b2d0167730977b6e884a3550eb1dacc49701455c32bfa6.exe
File opened for modification	C:\Windows\System32\ws2_32.dll	97795c68104a229e68b2d0167730977b6e884a3550eb1dacc49701455c32bfa6.exe
File opened for modification	C:\Windows\System32\GDI32.dll	97795c68104a229e68b2d0167730977b6e884a3550eb1dacc49701455c32bfa6.exe
File opened for modification	C:\Windows\SYSTEM32\wsock32.dll	97795c68104a229e68b2d0167730977b6e884a3550eb1dacc49701455c32bfa6.exe
File opened for modification	C:\Windows\System32\RPCRT4.dll	97795c68104a229e68b2d0167730977b6e884a3550eb1dacc49701455c32bfa6.exe
File opened for modification	C:\Windows\System32\SHCORE.dll	97795c68104a229e68b2d0167730977b6e884a3550eb1dacc49701455c32bfa6.exe
File opened for modification	C:\Windows\SYSTEM32\profapi.dll	97795c68104a229e68b2d0167730977b6e884a3550eb1dacc49701455c32bfa6.exe
File opened for modification	C:\Windows\SYSTEM32\ucrtbase_clr0400.dll	97795c68104a229e68b2d0167730977b6e884a3550eb1dacc49701455c32bfa6.exe
File opened for modification	C:\Windows\system32\rsaenh.dll	97795c68104a229e68b2d0167730977b6e884a3550eb1dacc49701455c32bfa6.exe
File opened for modification	C:\Windows\System32\win32u.dll	97795c68104a229e68b2d0167730977b6e884a3550eb1dacc49701455c32bfa6.exe
File opened for modification	C:\Windows\SYSTEM32\apphelp.dll	97795c68104a229e68b2d0167730977b6e884a3550eb1dacc49701455c32bfa6.exe
File opened for modification	C:\Windows\System32\msvcrt.dll	97795c68104a229e68b2d0167730977b6e884a3550eb1dacc49701455c32bfa6.exe
File opened for modification	C:\Windows\System32\bcryptPrimitives.dll	97795c68104a229e68b2d0167730977b6e884a3550eb1dacc49701455c32bfa6.exe
File opened for modification	C:\Windows\SYSTEM32\MSVCP140_CLR0400.dll	97795c68104a229e68b2d0167730977b6e884a3550eb1dacc49701455c32bfa6.exe
File opened for modification	C:\Windows\System32\KERNELBASE.dll	97795c68104a229e68b2d0167730977b6e884a3550eb1dacc49701455c32bfa6.exe
File opened for modification	C:\Windows\System32\MSCTF.dll	97795c68104a229e68b2d0167730977b6e884a3550eb1dacc49701455c32bfa6.exe
File opened for modification	C:\Windows\System32\imagehlp.dll	97795c68104a229e68b2d0167730977b6e884a3550eb1dacc49701455c32bfa6.exe
File opened for modification	C:\Windows\System32\gdi32full.dll	97795c68104a229e68b2d0167730977b6e884a3550eb1dacc49701455c32bfa6.exe
File opened for modification	C:\Windows\System32\user32.dll	97795c68104a229e68b2d0167730977b6e884a3550eb1dacc49701455c32bfa6.exe
File opened for modification	C:\Windows\SYSTEM32\version.dll	97795c68104a229e68b2d0167730977b6e884a3550eb1dacc49701455c32bfa6.exe
File opened for modification	C:\Windows\System32\IMM32.DLL	97795c68104a229e68b2d0167730977b6e884a3550eb1dacc49701455c32bfa6.exe
File opened for modification	C:\Windows\System32\shlwapi.dll	97795c68104a229e68b2d0167730977b6e884a3550eb1dacc49701455c32bfa6.exe
File opened for modification	C:\Windows\system32\uxtheme.dll	97795c68104a229e68b2d0167730977b6e884a3550eb1dacc49701455c32bfa6.exe
File opened for modification	C:\Windows\SYSTEM32\SHFolder.dll	97795c68104a229e68b2d0167730977b6e884a3550eb1dacc49701455c32bfa6.exe
File opened for modification	C:\Windows\SYSTEM32\dwrite.dll	97795c68104a229e68b2d0167730977b6e884a3550eb1dacc49701455c32bfa6.exe
File opened for modification	C:\Windows\System32\KERNEL32.DLL	97795c68104a229e68b2d0167730977b6e884a3550eb1dacc49701455c32bfa6.exe
File opened for modification	C:\Windows\System32\msvcp_win.dll	97795c68104a229e68b2d0167730977b6e884a3550eb1dacc49701455c32bfa6.exe
File opened for modification	C:\Windows\System32\ucrtbase.dll	97795c68104a229e68b2d0167730977b6e884a3550eb1dacc49701455c32bfa6.exe
File opened for modification	C:\Windows\System32\advapi32.dll	97795c68104a229e68b2d0167730977b6e884a3550eb1dacc49701455c32bfa6.exe
File opened for modification	C:\Windows\System32\oleaut32.dll	97795c68104a229e68b2d0167730977b6e884a3550eb1dacc49701455c32bfa6.exe
File opened for modification	C:\Windows\System32\shell32.dll	97795c68104a229e68b2d0167730977b6e884a3550eb1dacc49701455c32bfa6.exe
File opened for modification	C:\Windows\System32\psapi.dll	97795c68104a229e68b2d0167730977b6e884a3550eb1dacc49701455c32bfa6.exe
File opened for modification	C:\Windows\SYSTEM32\Wldp.dll	97795c68104a229e68b2d0167730977b6e884a3550eb1dacc49701455c32bfa6.exe
File opened for modification	C:\Windows\SYSTEM32\ntdll.dll	97795c68104a229e68b2d0167730977b6e884a3550eb1dacc49701455c32bfa6.exe
File opened for modification	C:\Windows\System32\sechost.dll	97795c68104a229e68b2d0167730977b6e884a3550eb1dacc49701455c32bfa6.exe
File opened for modification	C:\Windows\SYSTEM32\msimg32.dll	97795c68104a229e68b2d0167730977b6e884a3550eb1dacc49701455c32bfa6.exe
File opened for modification	C:\Windows\SYSTEM32\kernel.appcore.dll	97795c68104a229e68b2d0167730977b6e884a3550eb1dacc49701455c32bfa6.exe
File opened for modification	C:\Windows\SYSTEM32\CRYPTSP.dll	97795c68104a229e68b2d0167730977b6e884a3550eb1dacc49701455c32bfa6.exe
File opened for modification	C:\Windows\System32\bcrypt.dll	97795c68104a229e68b2d0167730977b6e884a3550eb1dacc49701455c32bfa6.exe
File opened for modification	C:\Windows\System32\combase.dll	97795c68104a229e68b2d0167730977b6e884a3550eb1dacc49701455c32bfa6.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
3184	97795c68104a229e68b2d0167730977b6e884a3550eb1dacc49701455c32bfa6.exe
3184	97795c68104a229e68b2d0167730977b6e884a3550eb1dacc49701455c32bfa6.exe

Drops file in Windows directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\Presentatio5ae0f00f#\a53ad49dbc5bbde06bec853bb1d4ab73\PresentationFramework.ni.dll	97795c68104a229e68b2d0167730977b6e884a3550eb1dacc49701455c32bfa6.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\7372c76325e4265046715460fae96ff8\System.Xml.ni.dll	97795c68104a229e68b2d0167730977b6e884a3550eb1dacc49701455c32bfa6.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\System\3c22c13412b49e04ae306a2aa7768c12\System.ni.dll	97795c68104a229e68b2d0167730977b6e884a3550eb1dacc49701455c32bfa6.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\Presentatioaec034ca#\eaeb6a67061f4e471cdd1c9e023f4e58\PresentationFramework.Aero2.ni.dll	97795c68104a229e68b2d0167730977b6e884a3550eb1dacc49701455c32bfa6.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clrjit.dll	97795c68104a229e68b2d0167730977b6e884a3550eb1dacc49701455c32bfa6.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\9f1384ea928c337294ff4b399659933b\System.Core.ni.dll	97795c68104a229e68b2d0167730977b6e884a3550eb1dacc49701455c32bfa6.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\WindowsBase\38723334b442a01b9ad141826b7b3036\WindowsBase.ni.dll	97795c68104a229e68b2d0167730977b6e884a3550eb1dacc49701455c32bfa6.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\PresentationCore\d182a3c6e8e7b5a8d7b7070466afefd8\PresentationCore.ni.dll	97795c68104a229e68b2d0167730977b6e884a3550eb1dacc49701455c32bfa6.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xaml\2d47be389d3d350097ee409b771ba1bf\System.Xaml.ni.dll	97795c68104a229e68b2d0167730977b6e884a3550eb1dacc49701455c32bfa6.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\PresentationNative_v0400.dll	97795c68104a229e68b2d0167730977b6e884a3550eb1dacc49701455c32bfa6.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\dd3156eef1bb1556bc78b02b7fb822c1\System.Configuration.ni.dll	97795c68104a229e68b2d0167730977b6e884a3550eb1dacc49701455c32bfa6.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\5c1b7b73113a6f079ae59ad2eb210951\mscorlib.ni.dll	97795c68104a229e68b2d0167730977b6e884a3550eb1dacc49701455c32bfa6.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll	97795c68104a229e68b2d0167730977b6e884a3550eb1dacc49701455c32bfa6.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll	97795c68104a229e68b2d0167730977b6e884a3550eb1dacc49701455c32bfa6.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\wpfgfx_v0400.dll	97795c68104a229e68b2d0167730977b6e884a3550eb1dacc49701455c32bfa6.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.19041.1110_none_792d1c772443f647\comctl32.dll	97795c68104a229e68b2d0167730977b6e884a3550eb1dacc49701455c32bfa6.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	3184	97795c68104a229e68b2d0167730977b6e884a3550eb1dacc49701455c32bfa6.exe
Token: SeLoadDriverPrivilege	3184	97795c68104a229e68b2d0167730977b6e884a3550eb1dacc49701455c32bfa6.exe
Token: SeCreateGlobalPrivilege	3184	97795c68104a229e68b2d0167730977b6e884a3550eb1dacc49701455c32bfa6.exe
Token: SeLockMemoryPrivilege	3184	97795c68104a229e68b2d0167730977b6e884a3550eb1dacc49701455c32bfa6.exe
Token: 33	3184	97795c68104a229e68b2d0167730977b6e884a3550eb1dacc49701455c32bfa6.exe
Token: SeSecurityPrivilege	3184	97795c68104a229e68b2d0167730977b6e884a3550eb1dacc49701455c32bfa6.exe
Token: SeTakeOwnershipPrivilege	3184	97795c68104a229e68b2d0167730977b6e884a3550eb1dacc49701455c32bfa6.exe
Token: SeManageVolumePrivilege	3184	97795c68104a229e68b2d0167730977b6e884a3550eb1dacc49701455c32bfa6.exe
Token: SeBackupPrivilege	3184	97795c68104a229e68b2d0167730977b6e884a3550eb1dacc49701455c32bfa6.exe
Token: SeCreatePagefilePrivilege	3184	97795c68104a229e68b2d0167730977b6e884a3550eb1dacc49701455c32bfa6.exe
Token: SeShutdownPrivilege	3184	97795c68104a229e68b2d0167730977b6e884a3550eb1dacc49701455c32bfa6.exe
Token: SeRestorePrivilege	3184	97795c68104a229e68b2d0167730977b6e884a3550eb1dacc49701455c32bfa6.exe
Token: 33	3184	97795c68104a229e68b2d0167730977b6e884a3550eb1dacc49701455c32bfa6.exe
Token: SeIncBasePriorityPrivilege	3184	97795c68104a229e68b2d0167730977b6e884a3550eb1dacc49701455c32bfa6.exe

C:\Users\Admin\AppData\Local\Temp\97795c68104a229e68b2d0167730977b6e884a3550eb1dacc49701455c32bfa6.exe
"C:\Users\Admin\AppData\Local\Temp\97795c68104a229e68b2d0167730977b6e884a3550eb1dacc49701455c32bfa6.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3184

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\evbB0B3.tmp

Filesize
1KB

MD5
343665b565815965b4abe78c1e23f81f

SHA1
011d0ead1ceda8c22d76d0dc8569f52def9228a8

SHA256
98dfdbc36a602969c70512aa7cb4ed0943ea099d7d44e35948f466b5cedd6b2c

SHA512
e930919764721a2011bb1d49cb7d59c859c5b720082f1c38c54e1d07627ad0d2ca30814a1a2c3ea03a7a17738aff98772ec13c206ffe4ae8e21d40c2eaeb4228

Download Submit
memory/3184-14-0x0000000110000000-0x0000000110341000-memory.dmp

Filesize
3.3MB

Download
memory/3184-43-0x00007FF4E7C50000-0x00007FF4E8021000-memory.dmp

Filesize
3.8MB

Download
memory/3184-4-0x00007FFA4FFB0000-0x00007FFA501A5000-memory.dmp

Filesize
2.0MB

Download
memory/3184-3-0x0000000000680000-0x0000000001602000-memory.dmp

Filesize
15.5MB

Download
memory/3184-5-0x0000000000680000-0x0000000001602000-memory.dmp

Filesize
15.5MB

Download
memory/3184-6-0x00007FFA4FFB0000-0x00007FFA501A5000-memory.dmp

Filesize
2.0MB

Download
memory/3184-7-0x00007FFA4FFB0000-0x00007FFA501A5000-memory.dmp

Filesize
2.0MB

Download
memory/3184-8-0x0000000000680000-0x0000000001602000-memory.dmp

Filesize
15.5MB

Download
memory/3184-9-0x00007FF9D01B0000-0x00007FF9D01C0000-memory.dmp

Filesize
64KB

Download
memory/3184-10-0x00007FFA4FFB0000-0x00007FFA501A5000-memory.dmp

Filesize
2.0MB

Download
memory/3184-11-0x00007FFA4FF70000-0x00007FFA4FF80000-memory.dmp

Filesize
64KB

Download
memory/3184-1-0x00007FF4E7C50000-0x00007FF4E8021000-memory.dmp

Filesize
3.8MB

Download
memory/3184-45-0x00007FFA32640000-0x00007FFA33101000-memory.dmp

Filesize
10.8MB

Download
memory/3184-2-0x00007FFA4FFB0000-0x00007FFA501A5000-memory.dmp

Filesize
2.0MB

Download
memory/3184-31-0x0000023FA58E0000-0x0000023FA58E8000-memory.dmp

Filesize
32KB

Download
memory/3184-24-0x0000023FBFD90000-0x0000023FBFDA0000-memory.dmp

Filesize
64KB

Download
memory/3184-29-0x0000000001610000-0x0000000001620000-memory.dmp

Filesize
64KB

Download
memory/3184-30-0x0000023FC0280000-0x0000023FC0354000-memory.dmp

Filesize
848KB

Download
memory/3184-18-0x0000023FBFD90000-0x0000023FBFDA0000-memory.dmp

Filesize
64KB

Download
memory/3184-32-0x0000023FBFD50000-0x0000023FBFD88000-memory.dmp

Filesize
224KB

Download
memory/3184-33-0x0000023FA58F0000-0x0000023FA58FE000-memory.dmp

Filesize
56KB

Download
memory/3184-40-0x0000000001620000-0x000000000163A000-memory.dmp

Filesize
104KB

Download
memory/3184-38-0x0000023FBFD90000-0x0000023FBFDA0000-memory.dmp

Filesize
64KB

Download
memory/3184-41-0x0000000000680000-0x0000000001602000-memory.dmp

Filesize
15.5MB

Download
memory/3184-42-0x00007FFA4FFB0000-0x00007FFA501A5000-memory.dmp

Filesize
2.0MB

Download
memory/3184-0-0x0000000000680000-0x0000000001602000-memory.dmp

Filesize
15.5MB

Download
memory/3184-44-0x0000000110000000-0x0000000110341000-memory.dmp

Filesize
3.3MB

Download
memory/3184-15-0x00007FFA32640000-0x00007FFA33101000-memory.dmp

Filesize
10.8MB

Download