00541fa7d1cfee528b463252be723b4cf772c22e63dbde307b371e528c50cc4f

Analysis

max time kernel
153s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
24-10-2023 15:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00541fa7d1cfee528b463252be723b4cf772c22e63dbde307b371e528c50cc4f.exe
Size

4.3MB
MD5

91c15e226ab3ff7d132f70bd940d8943
SHA1

cfc580f362c1076515ae85eaf9a48e8e3f82b1bd
SHA256

00541fa7d1cfee528b463252be723b4cf772c22e63dbde307b371e528c50cc4f
SHA512

e177920890694212bcd4672bed5fa9df239cd5be90e239f0c9c6c5324b8657d973a84816adacf76cf789173499513253b955f61dda05fb5fec59833eddebdc3c
SSDEEP

98304:7TCKZIYtbkR7sgWsvM8GAsYHr2D2xVuVxmKOtVVIOKI8m9tXK:7T1ZJbRghUv7CamV8w1RKI1LXK

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 4 IoCs

pid	Process
3372	00541fa7d1cfee528b463252be723b4cf772c22e63dbde307b371e528c50cc4f.exe
3372	00541fa7d1cfee528b463252be723b4cf772c22e63dbde307b371e528c50cc4f.exe
3372	00541fa7d1cfee528b463252be723b4cf772c22e63dbde307b371e528c50cc4f.exe
3372	00541fa7d1cfee528b463252be723b4cf772c22e63dbde307b371e528c50cc4f.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

pid	Process
3372	00541fa7d1cfee528b463252be723b4cf772c22e63dbde307b371e528c50cc4f.exe
3372	00541fa7d1cfee528b463252be723b4cf772c22e63dbde307b371e528c50cc4f.exe
3372	00541fa7d1cfee528b463252be723b4cf772c22e63dbde307b371e528c50cc4f.exe
3372	00541fa7d1cfee528b463252be723b4cf772c22e63dbde307b371e528c50cc4f.exe
3372	00541fa7d1cfee528b463252be723b4cf772c22e63dbde307b371e528c50cc4f.exe
3372	00541fa7d1cfee528b463252be723b4cf772c22e63dbde307b371e528c50cc4f.exe
3372	00541fa7d1cfee528b463252be723b4cf772c22e63dbde307b371e528c50cc4f.exe
3372	00541fa7d1cfee528b463252be723b4cf772c22e63dbde307b371e528c50cc4f.exe
3372	00541fa7d1cfee528b463252be723b4cf772c22e63dbde307b371e528c50cc4f.exe
3372	00541fa7d1cfee528b463252be723b4cf772c22e63dbde307b371e528c50cc4f.exe
3372	00541fa7d1cfee528b463252be723b4cf772c22e63dbde307b371e528c50cc4f.exe
3372	00541fa7d1cfee528b463252be723b4cf772c22e63dbde307b371e528c50cc4f.exe
3372	00541fa7d1cfee528b463252be723b4cf772c22e63dbde307b371e528c50cc4f.exe
3372	00541fa7d1cfee528b463252be723b4cf772c22e63dbde307b371e528c50cc4f.exe
3372	00541fa7d1cfee528b463252be723b4cf772c22e63dbde307b371e528c50cc4f.exe
3372	00541fa7d1cfee528b463252be723b4cf772c22e63dbde307b371e528c50cc4f.exe
3372	00541fa7d1cfee528b463252be723b4cf772c22e63dbde307b371e528c50cc4f.exe
3372	00541fa7d1cfee528b463252be723b4cf772c22e63dbde307b371e528c50cc4f.exe
3372	00541fa7d1cfee528b463252be723b4cf772c22e63dbde307b371e528c50cc4f.exe
3372	00541fa7d1cfee528b463252be723b4cf772c22e63dbde307b371e528c50cc4f.exe
3372	00541fa7d1cfee528b463252be723b4cf772c22e63dbde307b371e528c50cc4f.exe
3372	00541fa7d1cfee528b463252be723b4cf772c22e63dbde307b371e528c50cc4f.exe
3372	00541fa7d1cfee528b463252be723b4cf772c22e63dbde307b371e528c50cc4f.exe
3372	00541fa7d1cfee528b463252be723b4cf772c22e63dbde307b371e528c50cc4f.exe
3372	00541fa7d1cfee528b463252be723b4cf772c22e63dbde307b371e528c50cc4f.exe
3372	00541fa7d1cfee528b463252be723b4cf772c22e63dbde307b371e528c50cc4f.exe
3372	00541fa7d1cfee528b463252be723b4cf772c22e63dbde307b371e528c50cc4f.exe
3372	00541fa7d1cfee528b463252be723b4cf772c22e63dbde307b371e528c50cc4f.exe
3372	00541fa7d1cfee528b463252be723b4cf772c22e63dbde307b371e528c50cc4f.exe
3372	00541fa7d1cfee528b463252be723b4cf772c22e63dbde307b371e528c50cc4f.exe
3372	00541fa7d1cfee528b463252be723b4cf772c22e63dbde307b371e528c50cc4f.exe
3372	00541fa7d1cfee528b463252be723b4cf772c22e63dbde307b371e528c50cc4f.exe
3372	00541fa7d1cfee528b463252be723b4cf772c22e63dbde307b371e528c50cc4f.exe
3372	00541fa7d1cfee528b463252be723b4cf772c22e63dbde307b371e528c50cc4f.exe
3372	00541fa7d1cfee528b463252be723b4cf772c22e63dbde307b371e528c50cc4f.exe
3372	00541fa7d1cfee528b463252be723b4cf772c22e63dbde307b371e528c50cc4f.exe
3372	00541fa7d1cfee528b463252be723b4cf772c22e63dbde307b371e528c50cc4f.exe
3372	00541fa7d1cfee528b463252be723b4cf772c22e63dbde307b371e528c50cc4f.exe
3372	00541fa7d1cfee528b463252be723b4cf772c22e63dbde307b371e528c50cc4f.exe
3372	00541fa7d1cfee528b463252be723b4cf772c22e63dbde307b371e528c50cc4f.exe
3372	00541fa7d1cfee528b463252be723b4cf772c22e63dbde307b371e528c50cc4f.exe
3372	00541fa7d1cfee528b463252be723b4cf772c22e63dbde307b371e528c50cc4f.exe
3372	00541fa7d1cfee528b463252be723b4cf772c22e63dbde307b371e528c50cc4f.exe
3372	00541fa7d1cfee528b463252be723b4cf772c22e63dbde307b371e528c50cc4f.exe
3372	00541fa7d1cfee528b463252be723b4cf772c22e63dbde307b371e528c50cc4f.exe
3372	00541fa7d1cfee528b463252be723b4cf772c22e63dbde307b371e528c50cc4f.exe
3372	00541fa7d1cfee528b463252be723b4cf772c22e63dbde307b371e528c50cc4f.exe
3372	00541fa7d1cfee528b463252be723b4cf772c22e63dbde307b371e528c50cc4f.exe
3372	00541fa7d1cfee528b463252be723b4cf772c22e63dbde307b371e528c50cc4f.exe
3372	00541fa7d1cfee528b463252be723b4cf772c22e63dbde307b371e528c50cc4f.exe
3372	00541fa7d1cfee528b463252be723b4cf772c22e63dbde307b371e528c50cc4f.exe
3372	00541fa7d1cfee528b463252be723b4cf772c22e63dbde307b371e528c50cc4f.exe
3372	00541fa7d1cfee528b463252be723b4cf772c22e63dbde307b371e528c50cc4f.exe
3372	00541fa7d1cfee528b463252be723b4cf772c22e63dbde307b371e528c50cc4f.exe
3372	00541fa7d1cfee528b463252be723b4cf772c22e63dbde307b371e528c50cc4f.exe
3372	00541fa7d1cfee528b463252be723b4cf772c22e63dbde307b371e528c50cc4f.exe
3372	00541fa7d1cfee528b463252be723b4cf772c22e63dbde307b371e528c50cc4f.exe
3372	00541fa7d1cfee528b463252be723b4cf772c22e63dbde307b371e528c50cc4f.exe
3372	00541fa7d1cfee528b463252be723b4cf772c22e63dbde307b371e528c50cc4f.exe
3372	00541fa7d1cfee528b463252be723b4cf772c22e63dbde307b371e528c50cc4f.exe
3372	00541fa7d1cfee528b463252be723b4cf772c22e63dbde307b371e528c50cc4f.exe
3372	00541fa7d1cfee528b463252be723b4cf772c22e63dbde307b371e528c50cc4f.exe
3372	00541fa7d1cfee528b463252be723b4cf772c22e63dbde307b371e528c50cc4f.exe
3372	00541fa7d1cfee528b463252be723b4cf772c22e63dbde307b371e528c50cc4f.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1516	WMIC.exe
Token: SeSecurityPrivilege	1516	WMIC.exe
Token: SeTakeOwnershipPrivilege	1516	WMIC.exe
Token: SeLoadDriverPrivilege	1516	WMIC.exe
Token: SeSystemProfilePrivilege	1516	WMIC.exe
Token: SeSystemtimePrivilege	1516	WMIC.exe
Token: SeProfSingleProcessPrivilege	1516	WMIC.exe
Token: SeIncBasePriorityPrivilege	1516	WMIC.exe
Token: SeCreatePagefilePrivilege	1516	WMIC.exe
Token: SeBackupPrivilege	1516	WMIC.exe
Token: SeRestorePrivilege	1516	WMIC.exe
Token: SeShutdownPrivilege	1516	WMIC.exe
Token: SeDebugPrivilege	1516	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1516	WMIC.exe
Token: SeRemoteShutdownPrivilege	1516	WMIC.exe
Token: SeUndockPrivilege	1516	WMIC.exe
Token: SeManageVolumePrivilege	1516	WMIC.exe
Token: 33	1516	WMIC.exe
Token: 34	1516	WMIC.exe
Token: 35	1516	WMIC.exe
Token: 36	1516	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1516	WMIC.exe
Token: SeSecurityPrivilege	1516	WMIC.exe
Token: SeTakeOwnershipPrivilege	1516	WMIC.exe
Token: SeLoadDriverPrivilege	1516	WMIC.exe
Token: SeSystemProfilePrivilege	1516	WMIC.exe
Token: SeSystemtimePrivilege	1516	WMIC.exe
Token: SeProfSingleProcessPrivilege	1516	WMIC.exe
Token: SeIncBasePriorityPrivilege	1516	WMIC.exe
Token: SeCreatePagefilePrivilege	1516	WMIC.exe
Token: SeBackupPrivilege	1516	WMIC.exe
Token: SeRestorePrivilege	1516	WMIC.exe
Token: SeShutdownPrivilege	1516	WMIC.exe
Token: SeDebugPrivilege	1516	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1516	WMIC.exe
Token: SeRemoteShutdownPrivilege	1516	WMIC.exe
Token: SeUndockPrivilege	1516	WMIC.exe
Token: SeManageVolumePrivilege	1516	WMIC.exe
Token: 33	1516	WMIC.exe
Token: 34	1516	WMIC.exe
Token: 35	1516	WMIC.exe
Token: 36	1516	WMIC.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3372	00541fa7d1cfee528b463252be723b4cf772c22e63dbde307b371e528c50cc4f.exe
3372	00541fa7d1cfee528b463252be723b4cf772c22e63dbde307b371e528c50cc4f.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3372 wrote to memory of 2676	3372	00541fa7d1cfee528b463252be723b4cf772c22e63dbde307b371e528c50cc4f.exe	90
PID 3372 wrote to memory of 2676	3372	00541fa7d1cfee528b463252be723b4cf772c22e63dbde307b371e528c50cc4f.exe	90
PID 3372 wrote to memory of 2676	3372	00541fa7d1cfee528b463252be723b4cf772c22e63dbde307b371e528c50cc4f.exe	90
PID 2676 wrote to memory of 1516	2676	cmd.exe	92
PID 2676 wrote to memory of 1516	2676	cmd.exe	92
PID 2676 wrote to memory of 1516	2676	cmd.exe	92

C:\Users\Admin\AppData\Local\Temp\00541fa7d1cfee528b463252be723b4cf772c22e63dbde307b371e528c50cc4f.exe
"C:\Users\Admin\AppData\Local\Temp\00541fa7d1cfee528b463252be723b4cf772c22e63dbde307b371e528c50cc4f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3372
- C:\Windows\SysWOW64\cmd.exe
  /c wmic diskdrive get serialnumber
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic diskdrive get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1516

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HPSocket4C.dll

Filesize
2.1MB

MD5
c091a823c41bb5bc6c5a1ab6c926504c

SHA1
7b358a9211f8f5e3ce22f38075caf605fc4d2032

SHA256
c58334cb8bd8e7a2c998d0717fff8bacbd873ab949e40a0e5f053dd51b67cca4

SHA512
742ea0c78115f602c16a793d6d34ea97f0ff8bd4fc1ab28b90b7b7a3dc6fe6b921615ce97c0b23839e18f632d8e09f4319052de532dd9d31b70a22f12b7cc68d

Download Submit
C:\Users\Admin\AppData\Local\Temp\HPSocket4C.dll

Filesize
2.1MB

MD5
c091a823c41bb5bc6c5a1ab6c926504c

SHA1
7b358a9211f8f5e3ce22f38075caf605fc4d2032

SHA256
c58334cb8bd8e7a2c998d0717fff8bacbd873ab949e40a0e5f053dd51b67cca4

SHA512
742ea0c78115f602c16a793d6d34ea97f0ff8bd4fc1ab28b90b7b7a3dc6fe6b921615ce97c0b23839e18f632d8e09f4319052de532dd9d31b70a22f12b7cc68d

Download Submit
C:\seerdll\GCE.dll

Filesize
67KB

MD5
3b8cc8eaaca02cb308c85c7280852ade

SHA1
5813f4d3f28c00e744856860e2fdda1818f60680

SHA256
cb22ff7b7dc5235a7d749499dcbcbac10047f2fc9568ecdbafefe7b8f7f760c1

SHA512
e1a2b1e595f1099f0b141e33905f050104924c5a6f87b6bb4fc77274441926d826bda035bbfae51bd75d22a207415aca35526270c7005b5545ead636a80e82b0

Download Submit
C:\seerdll\GCE.dll

Filesize
67KB

MD5
3b8cc8eaaca02cb308c85c7280852ade

SHA1
5813f4d3f28c00e744856860e2fdda1818f60680

SHA256
cb22ff7b7dc5235a7d749499dcbcbac10047f2fc9568ecdbafefe7b8f7f760c1

SHA512
e1a2b1e595f1099f0b141e33905f050104924c5a6f87b6bb4fc77274441926d826bda035bbfae51bd75d22a207415aca35526270c7005b5545ead636a80e82b0

Download Submit
C:\seerdll\GCE.dll

Filesize
67KB

MD5
3b8cc8eaaca02cb308c85c7280852ade

SHA1
5813f4d3f28c00e744856860e2fdda1818f60680

SHA256
cb22ff7b7dc5235a7d749499dcbcbac10047f2fc9568ecdbafefe7b8f7f760c1

SHA512
e1a2b1e595f1099f0b141e33905f050104924c5a6f87b6bb4fc77274441926d826bda035bbfae51bd75d22a207415aca35526270c7005b5545ead636a80e82b0

Download Submit
C:\seerdll\GCE.dll

Filesize
67KB

MD5
3b8cc8eaaca02cb308c85c7280852ade

SHA1
5813f4d3f28c00e744856860e2fdda1818f60680

SHA256
cb22ff7b7dc5235a7d749499dcbcbac10047f2fc9568ecdbafefe7b8f7f760c1

SHA512
e1a2b1e595f1099f0b141e33905f050104924c5a6f87b6bb4fc77274441926d826bda035bbfae51bd75d22a207415aca35526270c7005b5545ead636a80e82b0

Download Submit
memory/3372-13075-0x0000000000400000-0x0000000000A7F000-memory.dmp

Filesize
6.5MB

Download
memory/3372-13113-0x0000000000400000-0x0000000000A7F000-memory.dmp

Filesize
6.5MB

Download
memory/3372-13074-0x0000000000400000-0x0000000000A7F000-memory.dmp

Filesize
6.5MB

Download
memory/3372-0-0x0000000000400000-0x0000000000A7F000-memory.dmp

Filesize
6.5MB

Download
memory/3372-13076-0x0000000010000000-0x0000000010059000-memory.dmp

Filesize
356KB

Download
memory/3372-13071-0x0000000000400000-0x0000000000A7F000-memory.dmp

Filesize
6.5MB

Download
memory/3372-13070-0x0000000000400000-0x0000000000A7F000-memory.dmp

Filesize
6.5MB

Download
memory/3372-13069-0x0000000000400000-0x0000000000A7F000-memory.dmp

Filesize
6.5MB

Download
memory/3372-13094-0x0000000003C90000-0x0000000003CA0000-memory.dmp

Filesize
64KB

Download
memory/3372-5884-0x0000000076F90000-0x000000007700A000-memory.dmp

Filesize
488KB

Download
memory/3372-13098-0x0000000003E60000-0x0000000003E78000-memory.dmp

Filesize
96KB

Download
memory/3372-13099-0x0000000072EA0000-0x0000000072EB8000-memory.dmp

Filesize
96KB

Download
memory/3372-3875-0x0000000075AE0000-0x0000000075C80000-memory.dmp

Filesize
1.6MB

Download
memory/3372-13100-0x00000000725F0000-0x0000000072DA0000-memory.dmp

Filesize
7.7MB

Download
memory/3372-1-0x0000000075E30000-0x0000000076045000-memory.dmp

Filesize
2.1MB

Download
memory/3372-13072-0x0000000000400000-0x0000000000A7F000-memory.dmp

Filesize
6.5MB

Download
memory/3372-13115-0x0000000000400000-0x0000000000A7F000-memory.dmp

Filesize
6.5MB

Download
memory/3372-13122-0x0000000003C90000-0x0000000003CA0000-memory.dmp

Filesize
64KB

Download
memory/3372-13123-0x00000000725F0000-0x0000000072DA0000-memory.dmp

Filesize
7.7MB

Download
memory/3372-13135-0x0000000000400000-0x0000000000A7F000-memory.dmp

Filesize
6.5MB

Download
memory/3372-13144-0x0000000000400000-0x0000000000A7F000-memory.dmp

Filesize
6.5MB

Download
memory/3372-13145-0x0000000000400000-0x0000000000A7F000-memory.dmp

Filesize
6.5MB

Download
memory/3372-13146-0x0000000000400000-0x0000000000A7F000-memory.dmp

Filesize
6.5MB

Download
memory/3372-13156-0x0000000000400000-0x0000000000A7F000-memory.dmp

Filesize
6.5MB

Download
memory/3372-13157-0x0000000000400000-0x0000000000A7F000-memory.dmp

Filesize
6.5MB

Download
memory/3372-13158-0x0000000000400000-0x0000000000A7F000-memory.dmp

Filesize
6.5MB

Download
memory/3372-13167-0x0000000000400000-0x0000000000A7F000-memory.dmp

Filesize
6.5MB

Download
memory/3372-13168-0x0000000000400000-0x0000000000A7F000-memory.dmp

Filesize
6.5MB

Download
memory/3372-13169-0x0000000000400000-0x0000000000A7F000-memory.dmp

Filesize
6.5MB

Download
memory/3372-13170-0x0000000000400000-0x0000000000A7F000-memory.dmp

Filesize
6.5MB

Download
memory/3372-13171-0x0000000000400000-0x0000000000A7F000-memory.dmp

Filesize
6.5MB

Download
memory/3372-13172-0x0000000000400000-0x0000000000A7F000-memory.dmp

Filesize
6.5MB

Download