e09adea92ec37c96e596830fb4ff7cad700348d80054ed93dc38349d190ad809

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
22-09-2023 04:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e09adea92ec37c96e596830fb4ff7cad700348d80054ed93dc38349d190ad809.exe
Size

1.8MB
MD5

5a636321f800f1bf9d57518b4941ff7d
SHA1

28fc1603a3f60e8e69d2d9ef9e4cefbb9ec80acc
SHA256

e09adea92ec37c96e596830fb4ff7cad700348d80054ed93dc38349d190ad809
SHA512

72963ec16ac990922819fecf5a9efa637222cf72191a89db948591c39e6378b522f8aa8fd1e4fc574b0e11a018caec8ebf60f2ef4a357a571a2635964349630f
SSDEEP

49152:iS2Pn3RwmTLFndTUP6jFrrcD+Oh+u1LpKt+V1/acwl:MP3R/ThdYP6jFMD+opKt+VRacq

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2740	cmd.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeDebugPrivilege	3064	e09adea92ec37c96e596830fb4ff7cad700348d80054ed93dc38349d190ad809.exe
Token: 1	3064	e09adea92ec37c96e596830fb4ff7cad700348d80054ed93dc38349d190ad809.exe
Token: SeCreateTokenPrivilege	3064	e09adea92ec37c96e596830fb4ff7cad700348d80054ed93dc38349d190ad809.exe
Token: SeAssignPrimaryTokenPrivilege	3064	e09adea92ec37c96e596830fb4ff7cad700348d80054ed93dc38349d190ad809.exe
Token: SeLockMemoryPrivilege	3064	e09adea92ec37c96e596830fb4ff7cad700348d80054ed93dc38349d190ad809.exe
Token: SeIncreaseQuotaPrivilege	3064	e09adea92ec37c96e596830fb4ff7cad700348d80054ed93dc38349d190ad809.exe
Token: SeMachineAccountPrivilege	3064	e09adea92ec37c96e596830fb4ff7cad700348d80054ed93dc38349d190ad809.exe
Token: SeTcbPrivilege	3064	e09adea92ec37c96e596830fb4ff7cad700348d80054ed93dc38349d190ad809.exe
Token: SeSecurityPrivilege	3064	e09adea92ec37c96e596830fb4ff7cad700348d80054ed93dc38349d190ad809.exe
Token: SeTakeOwnershipPrivilege	3064	e09adea92ec37c96e596830fb4ff7cad700348d80054ed93dc38349d190ad809.exe
Token: SeLoadDriverPrivilege	3064	e09adea92ec37c96e596830fb4ff7cad700348d80054ed93dc38349d190ad809.exe
Token: SeSystemProfilePrivilege	3064	e09adea92ec37c96e596830fb4ff7cad700348d80054ed93dc38349d190ad809.exe
Token: SeSystemtimePrivilege	3064	e09adea92ec37c96e596830fb4ff7cad700348d80054ed93dc38349d190ad809.exe
Token: SeProfSingleProcessPrivilege	3064	e09adea92ec37c96e596830fb4ff7cad700348d80054ed93dc38349d190ad809.exe
Token: SeIncBasePriorityPrivilege	3064	e09adea92ec37c96e596830fb4ff7cad700348d80054ed93dc38349d190ad809.exe
Token: SeCreatePagefilePrivilege	3064	e09adea92ec37c96e596830fb4ff7cad700348d80054ed93dc38349d190ad809.exe
Token: SeCreatePermanentPrivilege	3064	e09adea92ec37c96e596830fb4ff7cad700348d80054ed93dc38349d190ad809.exe
Token: SeBackupPrivilege	3064	e09adea92ec37c96e596830fb4ff7cad700348d80054ed93dc38349d190ad809.exe
Token: SeRestorePrivilege	3064	e09adea92ec37c96e596830fb4ff7cad700348d80054ed93dc38349d190ad809.exe
Token: SeShutdownPrivilege	3064	e09adea92ec37c96e596830fb4ff7cad700348d80054ed93dc38349d190ad809.exe
Token: SeDebugPrivilege	3064	e09adea92ec37c96e596830fb4ff7cad700348d80054ed93dc38349d190ad809.exe
Token: SeAuditPrivilege	3064	e09adea92ec37c96e596830fb4ff7cad700348d80054ed93dc38349d190ad809.exe
Token: SeSystemEnvironmentPrivilege	3064	e09adea92ec37c96e596830fb4ff7cad700348d80054ed93dc38349d190ad809.exe
Token: SeChangeNotifyPrivilege	3064	e09adea92ec37c96e596830fb4ff7cad700348d80054ed93dc38349d190ad809.exe
Token: SeRemoteShutdownPrivilege	3064	e09adea92ec37c96e596830fb4ff7cad700348d80054ed93dc38349d190ad809.exe
Token: SeUndockPrivilege	3064	e09adea92ec37c96e596830fb4ff7cad700348d80054ed93dc38349d190ad809.exe
Token: SeSyncAgentPrivilege	3064	e09adea92ec37c96e596830fb4ff7cad700348d80054ed93dc38349d190ad809.exe
Token: SeEnableDelegationPrivilege	3064	e09adea92ec37c96e596830fb4ff7cad700348d80054ed93dc38349d190ad809.exe
Token: SeManageVolumePrivilege	3064	e09adea92ec37c96e596830fb4ff7cad700348d80054ed93dc38349d190ad809.exe
Token: SeImpersonatePrivilege	3064	e09adea92ec37c96e596830fb4ff7cad700348d80054ed93dc38349d190ad809.exe
Token: SeCreateGlobalPrivilege	3064	e09adea92ec37c96e596830fb4ff7cad700348d80054ed93dc38349d190ad809.exe
Token: 31	3064	e09adea92ec37c96e596830fb4ff7cad700348d80054ed93dc38349d190ad809.exe
Token: 32	3064	e09adea92ec37c96e596830fb4ff7cad700348d80054ed93dc38349d190ad809.exe
Token: 33	3064	e09adea92ec37c96e596830fb4ff7cad700348d80054ed93dc38349d190ad809.exe
Token: 34	3064	e09adea92ec37c96e596830fb4ff7cad700348d80054ed93dc38349d190ad809.exe
Token: 35	3064	e09adea92ec37c96e596830fb4ff7cad700348d80054ed93dc38349d190ad809.exe
Token: 36	3064	e09adea92ec37c96e596830fb4ff7cad700348d80054ed93dc38349d190ad809.exe
Token: 37	3064	e09adea92ec37c96e596830fb4ff7cad700348d80054ed93dc38349d190ad809.exe
Token: 38	3064	e09adea92ec37c96e596830fb4ff7cad700348d80054ed93dc38349d190ad809.exe
Token: 39	3064	e09adea92ec37c96e596830fb4ff7cad700348d80054ed93dc38349d190ad809.exe
Token: 40	3064	e09adea92ec37c96e596830fb4ff7cad700348d80054ed93dc38349d190ad809.exe
Token: 41	3064	e09adea92ec37c96e596830fb4ff7cad700348d80054ed93dc38349d190ad809.exe
Token: 42	3064	e09adea92ec37c96e596830fb4ff7cad700348d80054ed93dc38349d190ad809.exe
Token: 43	3064	e09adea92ec37c96e596830fb4ff7cad700348d80054ed93dc38349d190ad809.exe
Token: 44	3064	e09adea92ec37c96e596830fb4ff7cad700348d80054ed93dc38349d190ad809.exe
Token: 45	3064	e09adea92ec37c96e596830fb4ff7cad700348d80054ed93dc38349d190ad809.exe
Token: 46	3064	e09adea92ec37c96e596830fb4ff7cad700348d80054ed93dc38349d190ad809.exe
Token: 47	3064	e09adea92ec37c96e596830fb4ff7cad700348d80054ed93dc38349d190ad809.exe
Token: 48	3064	e09adea92ec37c96e596830fb4ff7cad700348d80054ed93dc38349d190ad809.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3064	e09adea92ec37c96e596830fb4ff7cad700348d80054ed93dc38349d190ad809.exe
3064	e09adea92ec37c96e596830fb4ff7cad700348d80054ed93dc38349d190ad809.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
3064	e09adea92ec37c96e596830fb4ff7cad700348d80054ed93dc38349d190ad809.exe
3064	e09adea92ec37c96e596830fb4ff7cad700348d80054ed93dc38349d190ad809.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3064	e09adea92ec37c96e596830fb4ff7cad700348d80054ed93dc38349d190ad809.exe
3064	e09adea92ec37c96e596830fb4ff7cad700348d80054ed93dc38349d190ad809.exe
3064	e09adea92ec37c96e596830fb4ff7cad700348d80054ed93dc38349d190ad809.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 2740	3064	e09adea92ec37c96e596830fb4ff7cad700348d80054ed93dc38349d190ad809.exe	28
PID 3064 wrote to memory of 2740	3064	e09adea92ec37c96e596830fb4ff7cad700348d80054ed93dc38349d190ad809.exe	28
PID 3064 wrote to memory of 2740	3064	e09adea92ec37c96e596830fb4ff7cad700348d80054ed93dc38349d190ad809.exe	28
PID 3064 wrote to memory of 2740	3064	e09adea92ec37c96e596830fb4ff7cad700348d80054ed93dc38349d190ad809.exe	28

C:\Users\Admin\AppData\Local\Temp\e09adea92ec37c96e596830fb4ff7cad700348d80054ed93dc38349d190ad809.exe
"C:\Users\Admin\AppData\Local\Temp\e09adea92ec37c96e596830fb4ff7cad700348d80054ed93dc38349d190ad809.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\×ÔÉ±.bat
  2⤵
  - Deletes itself
  PID:2740

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e09adea92ec37c96e596830fb4ff7cad700348d80054ed93dc38349d190ad809.exe1.exe

Filesize
1.8MB

MD5
93b31aca69a66fa2590542007362718a

SHA1
516cbd90ac5e4801dfdca86557fb155ff197f901

SHA256
36aa345411c0a177dab37c1397932d9930e04f70ffbcba165c469e1b66e2835d

SHA512
302c0061f2b446347e031cded5ab77251208e28a4c63c3f08b955e9607f842346012bb4f5f7b9ea356e13cf2d868d20f1a1866ed4f4c4e614aa6fb8bbec4ce55

Download Submit
C:\Users\Admin\AppData\Local\Temp\×ÔÉ±.bat

Filesize
557B

MD5
bdee6226f845215fc4f3d6a7a54560d5

SHA1
bbc6abbcef94c84fe0e472e5b0345f7dd151e941

SHA256
488ddd4055e406bc1133c650d1bb6b3be2b90b6db17b053e913a93557b576f8b

SHA512
e667a15e7614fd15d5b3e872fbf03abea989d442a15f7d9ec0d4c484787ee34f229cb88dcd21d1f2f2387fa73252cf2f8929e34d251e0b736a1ac476e901b788

Download Submit
C:\Users\Admin\AppData\Local\Temp\×ÔÉ±.bat

Filesize
557B

MD5
bdee6226f845215fc4f3d6a7a54560d5

SHA1
bbc6abbcef94c84fe0e472e5b0345f7dd151e941

SHA256
488ddd4055e406bc1133c650d1bb6b3be2b90b6db17b053e913a93557b576f8b

SHA512
e667a15e7614fd15d5b3e872fbf03abea989d442a15f7d9ec0d4c484787ee34f229cb88dcd21d1f2f2387fa73252cf2f8929e34d251e0b736a1ac476e901b788

Download Submit
memory/3064-0-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/3064-1-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/3064-2-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/3064-4-0x0000000010000000-0x000000001003C000-memory.dmp

Filesize
240KB

Download
memory/3064-11-0x00000000033B0000-0x00000000034B1000-memory.dmp

Filesize
1.0MB

Download
memory/3064-22-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download