bc917c4424c078290c3cbbb13e5f2f9c2939222d058d70056688718ae33e13a9

Analysis

max time kernel
141s
max time network
126s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
07/11/2023, 04:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

pw-free-online.exe
Size

3.1MB
MD5

b00f4ef87125599ae72def4555e48175
SHA1

8b1073b0cec1d85a6ca39842e43c8a9f49526953
SHA256

bc917c4424c078290c3cbbb13e5f2f9c2939222d058d70056688718ae33e13a9
SHA512

d4f8f6d52a25f4977d7d812696f92dc6d72410b0675658b3c143f255f2b7313ffe904752778a9e17992477f5e9102cc81f6d68858be3f1db96ae4d109ebf80a0
SSDEEP

98304:UkL2991YngbfnLTccGEE7kc7EF2DKlVcu/xI9Gu1:j2991OgDtQIc7E4Wcu/xI911

Score

4^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2720	pw-free-online.tmp

Loads dropped DLL 1 IoCs

pid	Process
2612	pw-free-online.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2656	taskkill.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2720	pw-free-online.tmp

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2656	taskkill.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2612 wrote to memory of 2720	2612	pw-free-online.exe	28
PID 2612 wrote to memory of 2720	2612	pw-free-online.exe	28
PID 2612 wrote to memory of 2720	2612	pw-free-online.exe	28
PID 2612 wrote to memory of 2720	2612	pw-free-online.exe	28
PID 2612 wrote to memory of 2720	2612	pw-free-online.exe	28
PID 2612 wrote to memory of 2720	2612	pw-free-online.exe	28
PID 2612 wrote to memory of 2720	2612	pw-free-online.exe	28
PID 2720 wrote to memory of 2656	2720	pw-free-online.tmp	29
PID 2720 wrote to memory of 2656	2720	pw-free-online.tmp	29
PID 2720 wrote to memory of 2656	2720	pw-free-online.tmp	29
PID 2720 wrote to memory of 2656	2720	pw-free-online.tmp	29

C:\Users\Admin\AppData\Local\Temp\pw-free-online.exe
"C:\Users\Admin\AppData\Local\Temp\pw-free-online.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2612
- C:\Users\Admin\AppData\Local\Temp\is-0KH0G.tmp\pw-free-online.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-0KH0G.tmp\pw-free-online.tmp" /SL5="$50150,2294223,1148928,C:\Users\Admin\AppData\Local\Temp\pw-free-online.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /f /im "updatechecker.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2656

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-0KH0G.tmp\pw-free-online.tmp

Filesize
3.3MB

MD5
38088568f4393edc27739e4e3b3b157a

SHA1
5c37c271965fd43472c7c1fd48c3b490388923d8

SHA256
398b1fe38a434790f6d5e82d72bbaef3b3dfba13740bde388fb7749312c1b917

SHA512
032b02eea7fe8d0c2607f26d2ebab00d5a4fa075af34b7e7a145a815982fc6a457d84b5329033341b87f5b28fb95347ba2f22618fefc48331cc1f313c1dc4edb

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N52OF.tmp\line.bmp

Filesize
6KB

MD5
9dc5bf6e4b2cad053d12ad24260d9327

SHA1
84b7d911b8d8002ff95edb523d108038b6ea3bf0

SHA256
efb22f0b990c4ed4a8d36868c7d9d3793b61f0728343306caeae0ae5f0751447

SHA512
25c3b183d96ee5ef9f5fe35ce898e718baf894dcb0a82049dde59b0779a7ede88907f1d1f44ff155cb1ea178c296aaf36975341679f7289920e615d4c01844f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N52OF.tmp\support.bmp

Filesize
822B

MD5
12ca16a9c8707b7f0a257e6cabbbea3a

SHA1
a0b81eb518de7eb4ee4f3ded01fdf781151ff874

SHA256
624677996b347cd36593d4a1107b265c903268086f2f548b50c0f329fd649a33

SHA512
70c595f65be3bd9d9d2f44b5240b3bf8f9e7b923c59fdf8f07dd3f89bd8731a9cb9abab2fe899b5aac1e402ec33c782974c9554584c088de9e051f99b21c9c78

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N52OF.tmp\unsupport.bmp

Filesize
822B

MD5
4ac29de505cfb25bbb88d190ad379d82

SHA1
582b2a54ce52a950614ee7dc444e5d1b4c532e54

SHA256
93a93ec1f9af7118b2fb05a1abc420781130e5663b92536a23ec6a4b172a0843

SHA512
fbfd193b678c5c2fc8a1a1d17dddf832d6aee35ab3f01ddb9f44eb48ce8125cd4efde9f7816161133ec13d477a3aaae842d8ea8ffbd97653eb5bfc96fbe204b6

Download Submit
\Users\Admin\AppData\Local\Temp\is-0KH0G.tmp\pw-free-online.tmp

Filesize
3.3MB

MD5
38088568f4393edc27739e4e3b3b157a

SHA1
5c37c271965fd43472c7c1fd48c3b490388923d8

SHA256
398b1fe38a434790f6d5e82d72bbaef3b3dfba13740bde388fb7749312c1b917

SHA512
032b02eea7fe8d0c2607f26d2ebab00d5a4fa075af34b7e7a145a815982fc6a457d84b5329033341b87f5b28fb95347ba2f22618fefc48331cc1f313c1dc4edb

Download Submit
memory/2612-0-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2612-42-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2720-7-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2720-44-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/2720-45-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2720-53-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/2720-55-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download