65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636

Analysis

max time kernel
118s
max time network
124s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
02-10-2023 13:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rh111.exe
Size

1.9MB
MD5

1b87684768db892932be3f0661c54251
SHA1

e5acdb93f6eb75656c9a8242e21b01bf978dc7cf
SHA256

65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636
SHA512

0fc3cc6ed99e45a3d1ca7cd2dd4d7bfc2f5f11ee7cf0e3d58bfbb4db26f16599cae45b96fc032cd6a050c1ea70bfd02291537088168dd149eee85b38d2527a82
SSDEEP

24576:jx4Ul0rrIOGz9I6U7AeyGvHynlLghECQl4L529dktxtPCv1ri+J/ac//zWOYopmB:mUl0/2kHW8ECQl4wi+snopp2vQ

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

rh111.exe

pid	Process
388	rh111.exe
388	rh111.exe
388	rh111.exe
388	rh111.exe
388	rh111.exe
388	rh111.exe
388	rh111.exe
388	rh111.exe
388	rh111.exe
388	rh111.exe
388	rh111.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

rh111.exe

description	pid	Process
Token: SeDebugPrivilege	388	rh111.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

rh111.exe

description	pid	Process	procid_target
PID 388 wrote to memory of 2016	388	rh111.exe	28
PID 388 wrote to memory of 2016	388	rh111.exe	28
PID 388 wrote to memory of 2016	388	rh111.exe	28
PID 388 wrote to memory of 2016	388	rh111.exe	28
PID 388 wrote to memory of 2420	388	rh111.exe	29
PID 388 wrote to memory of 2420	388	rh111.exe	29
PID 388 wrote to memory of 2420	388	rh111.exe	29
PID 388 wrote to memory of 2420	388	rh111.exe	29
PID 388 wrote to memory of 2428	388	rh111.exe	30
PID 388 wrote to memory of 2428	388	rh111.exe	30
PID 388 wrote to memory of 2428	388	rh111.exe	30
PID 388 wrote to memory of 2428	388	rh111.exe	30
PID 388 wrote to memory of 2228	388	rh111.exe	31
PID 388 wrote to memory of 2228	388	rh111.exe	31
PID 388 wrote to memory of 2228	388	rh111.exe	31
PID 388 wrote to memory of 2228	388	rh111.exe	31
PID 388 wrote to memory of 2444	388	rh111.exe	32
PID 388 wrote to memory of 2444	388	rh111.exe	32
PID 388 wrote to memory of 2444	388	rh111.exe	32
PID 388 wrote to memory of 2444	388	rh111.exe	32
PID 388 wrote to memory of 2452	388	rh111.exe	33
PID 388 wrote to memory of 2452	388	rh111.exe	33
PID 388 wrote to memory of 2452	388	rh111.exe	33
PID 388 wrote to memory of 2452	388	rh111.exe	33
PID 388 wrote to memory of 1756	388	rh111.exe	34
PID 388 wrote to memory of 1756	388	rh111.exe	34
PID 388 wrote to memory of 1756	388	rh111.exe	34
PID 388 wrote to memory of 1756	388	rh111.exe	34
PID 388 wrote to memory of 1060	388	rh111.exe	35
PID 388 wrote to memory of 1060	388	rh111.exe	35
PID 388 wrote to memory of 1060	388	rh111.exe	35
PID 388 wrote to memory of 1060	388	rh111.exe	35
PID 388 wrote to memory of 2832	388	rh111.exe	36
PID 388 wrote to memory of 2832	388	rh111.exe	36
PID 388 wrote to memory of 2832	388	rh111.exe	36
PID 388 wrote to memory of 2832	388	rh111.exe	36
PID 388 wrote to memory of 3020	388	rh111.exe	37
PID 388 wrote to memory of 3020	388	rh111.exe	37
PID 388 wrote to memory of 3020	388	rh111.exe	37
PID 388 wrote to memory of 3020	388	rh111.exe	37

C:\Users\Admin\AppData\Local\Temp\rh111.exe
"C:\Users\Admin\AppData\Local\Temp\rh111.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:388
- C:\Users\Admin\AppData\Local\Temp\rh111.exe
  C:\Users\Admin\AppData\Local\Temp\rh111.exe
  2⤵
  PID:2016
- C:\Users\Admin\AppData\Local\Temp\rh111.exe
  C:\Users\Admin\AppData\Local\Temp\rh111.exe
  2⤵
  PID:2420
- C:\Users\Admin\AppData\Local\Temp\rh111.exe
  C:\Users\Admin\AppData\Local\Temp\rh111.exe
  2⤵
  PID:2428
- C:\Users\Admin\AppData\Local\Temp\rh111.exe
  C:\Users\Admin\AppData\Local\Temp\rh111.exe
  2⤵
  PID:2228
- C:\Users\Admin\AppData\Local\Temp\rh111.exe
  C:\Users\Admin\AppData\Local\Temp\rh111.exe
  2⤵
  PID:2444
- C:\Users\Admin\AppData\Local\Temp\rh111.exe
  C:\Users\Admin\AppData\Local\Temp\rh111.exe
  2⤵
  PID:2452
- C:\Users\Admin\AppData\Local\Temp\rh111.exe
  C:\Users\Admin\AppData\Local\Temp\rh111.exe
  2⤵
  PID:1756
- C:\Users\Admin\AppData\Local\Temp\rh111.exe
  C:\Users\Admin\AppData\Local\Temp\rh111.exe
  2⤵
  PID:1060
- C:\Users\Admin\AppData\Local\Temp\rh111.exe
  C:\Users\Admin\AppData\Local\Temp\rh111.exe
  2⤵
  PID:2832
- C:\Users\Admin\AppData\Local\Temp\rh111.exe
  C:\Users\Admin\AppData\Local\Temp\rh111.exe
  2⤵
  PID:3020

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/388-0-0x00000000002B0000-0x0000000000496000-memory.dmp

Filesize
1.9MB

Download
memory/388-1-0x0000000074100000-0x00000000747EE000-memory.dmp

Filesize
6.9MB

Download
memory/388-2-0x0000000002100000-0x0000000002178000-memory.dmp

Filesize
480KB

Download
memory/388-3-0x0000000004520000-0x0000000004560000-memory.dmp

Filesize
256KB

Download
memory/388-4-0x00000000044A0000-0x0000000004508000-memory.dmp

Filesize
416KB

Download
memory/388-5-0x00000000004C0000-0x000000000050C000-memory.dmp

Filesize
304KB

Download
memory/388-6-0x0000000074100000-0x00000000747EE000-memory.dmp

Filesize
6.9MB

Download