696549d677bef818b1c57493c5846bbba07a7bc94052e72c0b6411f6923c25ac

Analysis

max time kernel
217s
max time network
234s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 12:00

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

696549d677bef818b1c57493c5846bbba07a7bc94052e72c0b6411f6923c25ac.exe
Size

221KB
MD5

a314b83cbc975dfdd9ba6e3919d3e9ad
SHA1

b343539030516d306fc09963ad064d23cf21e4f4
SHA256

696549d677bef818b1c57493c5846bbba07a7bc94052e72c0b6411f6923c25ac
SHA512

d6b28204fd19bccaa935d1a154f020e57dff1c5c7a31e168e8ff906cd74bcf59e14b476c7f80462f3cdf91b4f0600af88a25aa061991e1a6dc778afae72f6745
SSDEEP

3072:1abTCnMqM5G06eReDTH0TsJyfIiXgUPl7VqP5MU8JqEhQ0jxjVpPbEBv6:1iTwxKaH2sJyfd/YRMU8he0jJPgE

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4644	pro.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4060	WMIC.exe
Token: SeSecurityPrivilege	4060	WMIC.exe
Token: SeTakeOwnershipPrivilege	4060	WMIC.exe
Token: SeLoadDriverPrivilege	4060	WMIC.exe
Token: SeSystemProfilePrivilege	4060	WMIC.exe
Token: SeSystemtimePrivilege	4060	WMIC.exe
Token: SeProfSingleProcessPrivilege	4060	WMIC.exe
Token: SeIncBasePriorityPrivilege	4060	WMIC.exe
Token: SeCreatePagefilePrivilege	4060	WMIC.exe
Token: SeBackupPrivilege	4060	WMIC.exe
Token: SeRestorePrivilege	4060	WMIC.exe
Token: SeShutdownPrivilege	4060	WMIC.exe
Token: SeDebugPrivilege	4060	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4060	WMIC.exe
Token: SeRemoteShutdownPrivilege	4060	WMIC.exe
Token: SeUndockPrivilege	4060	WMIC.exe
Token: SeManageVolumePrivilege	4060	WMIC.exe
Token: 33	4060	WMIC.exe
Token: 34	4060	WMIC.exe
Token: 35	4060	WMIC.exe
Token: 36	4060	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4060	WMIC.exe
Token: SeSecurityPrivilege	4060	WMIC.exe
Token: SeTakeOwnershipPrivilege	4060	WMIC.exe
Token: SeLoadDriverPrivilege	4060	WMIC.exe
Token: SeSystemProfilePrivilege	4060	WMIC.exe
Token: SeSystemtimePrivilege	4060	WMIC.exe
Token: SeProfSingleProcessPrivilege	4060	WMIC.exe
Token: SeIncBasePriorityPrivilege	4060	WMIC.exe
Token: SeCreatePagefilePrivilege	4060	WMIC.exe
Token: SeBackupPrivilege	4060	WMIC.exe
Token: SeRestorePrivilege	4060	WMIC.exe
Token: SeShutdownPrivilege	4060	WMIC.exe
Token: SeDebugPrivilege	4060	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4060	WMIC.exe
Token: SeRemoteShutdownPrivilege	4060	WMIC.exe
Token: SeUndockPrivilege	4060	WMIC.exe
Token: SeManageVolumePrivilege	4060	WMIC.exe
Token: 33	4060	WMIC.exe
Token: 34	4060	WMIC.exe
Token: 35	4060	WMIC.exe
Token: 36	4060	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1792	WMIC.exe
Token: SeSecurityPrivilege	1792	WMIC.exe
Token: SeTakeOwnershipPrivilege	1792	WMIC.exe
Token: SeLoadDriverPrivilege	1792	WMIC.exe
Token: SeSystemProfilePrivilege	1792	WMIC.exe
Token: SeSystemtimePrivilege	1792	WMIC.exe
Token: SeProfSingleProcessPrivilege	1792	WMIC.exe
Token: SeIncBasePriorityPrivilege	1792	WMIC.exe
Token: SeCreatePagefilePrivilege	1792	WMIC.exe
Token: SeBackupPrivilege	1792	WMIC.exe
Token: SeRestorePrivilege	1792	WMIC.exe
Token: SeShutdownPrivilege	1792	WMIC.exe
Token: SeDebugPrivilege	1792	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1792	WMIC.exe
Token: SeRemoteShutdownPrivilege	1792	WMIC.exe
Token: SeUndockPrivilege	1792	WMIC.exe
Token: SeManageVolumePrivilege	1792	WMIC.exe
Token: 33	1792	WMIC.exe
Token: 34	1792	WMIC.exe
Token: 35	1792	WMIC.exe
Token: 36	1792	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1792	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4616 wrote to memory of 4644	4616	696549d677bef818b1c57493c5846bbba07a7bc94052e72c0b6411f6923c25ac.exe	89
PID 4616 wrote to memory of 4644	4616	696549d677bef818b1c57493c5846bbba07a7bc94052e72c0b6411f6923c25ac.exe	89
PID 4616 wrote to memory of 4644	4616	696549d677bef818b1c57493c5846bbba07a7bc94052e72c0b6411f6923c25ac.exe	89
PID 4644 wrote to memory of 3996	4644	pro.exe	91
PID 4644 wrote to memory of 3996	4644	pro.exe	91
PID 4644 wrote to memory of 3996	4644	pro.exe	91
PID 3996 wrote to memory of 4060	3996	cmd.exe	94
PID 3996 wrote to memory of 4060	3996	cmd.exe	94
PID 3996 wrote to memory of 4060	3996	cmd.exe	94
PID 4644 wrote to memory of 1088	4644	pro.exe	102
PID 4644 wrote to memory of 1088	4644	pro.exe	102
PID 4644 wrote to memory of 1088	4644	pro.exe	102
PID 1088 wrote to memory of 1792	1088	cmd.exe	104
PID 1088 wrote to memory of 1792	1088	cmd.exe	104
PID 1088 wrote to memory of 1792	1088	cmd.exe	104
PID 4644 wrote to memory of 4596	4644	pro.exe	105
PID 4644 wrote to memory of 4596	4644	pro.exe	105
PID 4644 wrote to memory of 4596	4644	pro.exe	105
PID 4596 wrote to memory of 1500	4596	cmd.exe	107
PID 4596 wrote to memory of 1500	4596	cmd.exe	107
PID 4596 wrote to memory of 1500	4596	cmd.exe	107
PID 4644 wrote to memory of 3372	4644	pro.exe	109
PID 4644 wrote to memory of 3372	4644	pro.exe	109
PID 4644 wrote to memory of 3372	4644	pro.exe	109
PID 3372 wrote to memory of 112	3372	cmd.exe	110
PID 3372 wrote to memory of 112	3372	cmd.exe	110
PID 3372 wrote to memory of 112	3372	cmd.exe	110
PID 4644 wrote to memory of 2124	4644	pro.exe	111
PID 4644 wrote to memory of 2124	4644	pro.exe	111
PID 4644 wrote to memory of 2124	4644	pro.exe	111
PID 2124 wrote to memory of 4636	2124	cmd.exe	113
PID 2124 wrote to memory of 4636	2124	cmd.exe	113
PID 2124 wrote to memory of 4636	2124	cmd.exe	113
PID 4644 wrote to memory of 3892	4644	pro.exe	114
PID 4644 wrote to memory of 3892	4644	pro.exe	114
PID 4644 wrote to memory of 3892	4644	pro.exe	114
PID 3892 wrote to memory of 5052	3892	cmd.exe	116
PID 3892 wrote to memory of 5052	3892	cmd.exe	116
PID 3892 wrote to memory of 5052	3892	cmd.exe	116
PID 4644 wrote to memory of 852	4644	pro.exe	117
PID 4644 wrote to memory of 852	4644	pro.exe	117
PID 4644 wrote to memory of 852	4644	pro.exe	117
PID 852 wrote to memory of 4980	852	cmd.exe	119
PID 852 wrote to memory of 4980	852	cmd.exe	119
PID 852 wrote to memory of 4980	852	cmd.exe	119
PID 4644 wrote to memory of 2284	4644	pro.exe	121
PID 4644 wrote to memory of 2284	4644	pro.exe	121
PID 4644 wrote to memory of 2284	4644	pro.exe	121
PID 2284 wrote to memory of 3340	2284	cmd.exe	123
PID 2284 wrote to memory of 3340	2284	cmd.exe	123
PID 2284 wrote to memory of 3340	2284	cmd.exe	123
PID 4644 wrote to memory of 4584	4644	pro.exe	124
PID 4644 wrote to memory of 4584	4644	pro.exe	124
PID 4644 wrote to memory of 4584	4644	pro.exe	124
PID 4584 wrote to memory of 4400	4584	cmd.exe	126
PID 4584 wrote to memory of 4400	4584	cmd.exe	126
PID 4584 wrote to memory of 4400	4584	cmd.exe	126
PID 4644 wrote to memory of 4956	4644	pro.exe	127
PID 4644 wrote to memory of 4956	4644	pro.exe	127
PID 4644 wrote to memory of 4956	4644	pro.exe	127
PID 4956 wrote to memory of 1368	4956	cmd.exe	129
PID 4956 wrote to memory of 1368	4956	cmd.exe	129
PID 4956 wrote to memory of 1368	4956	cmd.exe	129
PID 4644 wrote to memory of 4444	4644	pro.exe	130

C:\Users\Admin\AppData\Local\Temp\696549d677bef818b1c57493c5846bbba07a7bc94052e72c0b6411f6923c25ac.exe
"C:\Users\Admin\AppData\Local\Temp\696549d677bef818b1c57493c5846bbba07a7bc94052e72c0b6411f6923c25ac.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4616
- C:\Users\Public\pro.exe
  "C:\Users\Public\pro.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4644
- - C:\Windows\SysWOW64\cmd.exe
    /c wmic process where "name='360safe.exe'" get ExecutablePath
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3996
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic process where "name='360safe.exe'" get ExecutablePath
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4060
- - C:\Windows\SysWOW64\cmd.exe
    /c wmic process where "name='360tray.exe'" get ExecutablePath
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1088
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic process where "name='360tray.exe'" get ExecutablePath
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1792
- - C:\Windows\SysWOW64\cmd.exe
    /c wmic process where "name='zhudongfangyu.exe'" get ExecutablePath
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4596
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic process where "name='zhudongfangyu.exe'" get ExecutablePath
      4⤵
      PID:1500
- - C:\Windows\SysWOW64\cmd.exe
    /c wmic process where "name='HipsTray.exe'" get ExecutablePath
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3372
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic process where "name='HipsTray.exe'" get ExecutablePath
      4⤵
      PID:112
- - C:\Windows\SysWOW64\cmd.exe
    /c wmic process where "name='HipsDaemon.exe'" get ExecutablePath
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2124
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic process where "name='HipsDaemon.exe'" get ExecutablePath
      4⤵
      PID:4636
- - C:\Windows\SysWOW64\cmd.exe
    /c wmic process where "name='kislive.exe'" get ExecutablePath
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3892
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic process where "name='kislive.exe'" get ExecutablePath
      4⤵
      PID:5052
- - C:\Windows\SysWOW64\cmd.exe
    /c wmic process where "name='kwsprotect64.exe'" get ExecutablePath
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:852
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic process where "name='kwsprotect64.exe'" get ExecutablePath
      4⤵
      PID:4980
- - C:\Windows\SysWOW64\cmd.exe
    /c wmic process where "name='kxecenter.exe'" get ExecutablePath
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2284
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic process where "name='kxecenter.exe'" get ExecutablePath
      4⤵
      PID:3340
- - C:\Windows\SysWOW64\cmd.exe
    /c wmic process where "name='kxescore.exe'" get ExecutablePath
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4584
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic process where "name='kxescore.exe'" get ExecutablePath
      4⤵
      PID:4400
- - C:\Windows\SysWOW64\cmd.exe
    /c wmic process where "name='kxetray.exe'" get ExecutablePath
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4956
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic process where "name='kxetray.exe'" get ExecutablePath
      4⤵
      PID:1368
- - C:\Windows\SysWOW64\cmd.exe
    /c wmic process where "name='SecurityHealthSystray.exe'" get ExecutablePath
    3⤵
    PID:4444
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic process where "name='SecurityHealthSystray.exe'" get ExecutablePath
      4⤵
      PID:1448

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\pro.exe

Filesize
221KB

MD5
a314b83cbc975dfdd9ba6e3919d3e9ad

SHA1
b343539030516d306fc09963ad064d23cf21e4f4

SHA256
696549d677bef818b1c57493c5846bbba07a7bc94052e72c0b6411f6923c25ac

SHA512
d6b28204fd19bccaa935d1a154f020e57dff1c5c7a31e168e8ff906cd74bcf59e14b476c7f80462f3cdf91b4f0600af88a25aa061991e1a6dc778afae72f6745

Download Submit
memory/4616-0-0x0000000000100000-0x000000000013C000-memory.dmp

Filesize
240KB

Download
memory/4616-6-0x0000000010000000-0x000000001014C000-memory.dmp

Filesize
1.3MB

Download
memory/4616-12-0x0000000010000000-0x000000001014C000-memory.dmp

Filesize
1.3MB

Download
memory/4616-15-0x0000000000100000-0x000000000013C000-memory.dmp

Filesize
240KB

Download
memory/4616-16-0x0000000010000000-0x000000001014C000-memory.dmp

Filesize
1.3MB

Download
memory/4644-22-0x0000000010000000-0x000000001014C000-memory.dmp

Filesize
1.3MB

Download
memory/4644-23-0x00000000009A0000-0x00000000009DC000-memory.dmp

Filesize
240KB

Download
memory/4644-24-0x0000000010000000-0x000000001014C000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads