b216fb62d0b16de6b5c144bd6ea0882f3efd42e413ad10020cd6fca9f367c6ee

Analysis

max time kernel
50s
max time network
19s
platform
windows7_x64
resource
win7-20231023-es
resource tags

arch:x64arch:x86image:win7-20231023-eslocale:es-esos:windows7-x64systemwindows
submitted
21/11/2023, 16:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

xf-adsk2013_x64.exe
Size

323KB
MD5

4459d055507edf234144afb8d8cbb037
SHA1

9641d9750ba496da27bddea16106f64915d0686b
SHA256

b216fb62d0b16de6b5c144bd6ea0882f3efd42e413ad10020cd6fca9f367c6ee
SHA512

2a5e7883d18e4226b5229823698d1ccab8322e5223d1d75e361c9184f31a3fa5f89db2e976f864fdda478d3d5db4aa353a446f7287f57646db8d6ab21a16b2be
SSDEEP

6144:lneI2QVjHyt0qJk1Z147j6k14dsJKS5Py+nRF+w:leIBTyt0qA147j0+UmaAf+w

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2728	adesk_patcher64.exe
1280	Process not Found
2888	adesk_patcher64.exe

Loads dropped DLL 5 IoCs

pid	Process
1984	xf-adsk2013_x64.exe
1984	xf-adsk2013_x64.exe
1280	Process not Found
1984	xf-adsk2013_x64.exe
1984	xf-adsk2013_x64.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2728	adesk_patcher64.exe
2888	adesk_patcher64.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2728	adesk_patcher64.exe
Token: SeDebugPrivilege	2888	adesk_patcher64.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 2728	1984	xf-adsk2013_x64.exe	28
PID 1984 wrote to memory of 2728	1984	xf-adsk2013_x64.exe	28
PID 1984 wrote to memory of 2728	1984	xf-adsk2013_x64.exe	28
PID 1984 wrote to memory of 2728	1984	xf-adsk2013_x64.exe	28
PID 1984 wrote to memory of 2888	1984	xf-adsk2013_x64.exe	29
PID 1984 wrote to memory of 2888	1984	xf-adsk2013_x64.exe	29
PID 1984 wrote to memory of 2888	1984	xf-adsk2013_x64.exe	29
PID 1984 wrote to memory of 2888	1984	xf-adsk2013_x64.exe	29

C:\Users\Admin\AppData\Local\Temp\xf-adsk2013_x64.exe
"C:\Users\Admin\AppData\Local\Temp\xf-adsk2013_x64.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Users\Admin\AppData\Local\Temp\adesk_patcher64.exe
  "adesk_patcher64.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2728
- C:\Users\Admin\AppData\Local\Temp\adesk_patcher64.exe
  "adesk_patcher64.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2888

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\adesk_patcher64.exe

Filesize
4KB

MD5
c73181d12d791e0d79cd3a65a98b0539

SHA1
09e1f2b080e8a1b56284c4b14c58cf1f574847ec

SHA256
4363b59f309319b8b0048b689cd2d16a474e0ef508af333ad8d3db69e6760aaa

SHA512
0935029aab4a46846d30937d01ca14fde2b25b9b733ba864dddb48a6317969ca3c6e9a38ca417d6a7e2d6f265f0b0ab9df6e1ced7d10997e23ab7a41a33409c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\adesk_patcher64.exe

Filesize
4KB

MD5
c73181d12d791e0d79cd3a65a98b0539

SHA1
09e1f2b080e8a1b56284c4b14c58cf1f574847ec

SHA256
4363b59f309319b8b0048b689cd2d16a474e0ef508af333ad8d3db69e6760aaa

SHA512
0935029aab4a46846d30937d01ca14fde2b25b9b733ba864dddb48a6317969ca3c6e9a38ca417d6a7e2d6f265f0b0ab9df6e1ced7d10997e23ab7a41a33409c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\adesk_patcher64.exe

Filesize
4KB

MD5
c73181d12d791e0d79cd3a65a98b0539

SHA1
09e1f2b080e8a1b56284c4b14c58cf1f574847ec

SHA256
4363b59f309319b8b0048b689cd2d16a474e0ef508af333ad8d3db69e6760aaa

SHA512
0935029aab4a46846d30937d01ca14fde2b25b9b733ba864dddb48a6317969ca3c6e9a38ca417d6a7e2d6f265f0b0ab9df6e1ced7d10997e23ab7a41a33409c6

Download Submit
\Users\Admin\AppData\Local\Temp\adesk_patcher64.exe

Filesize
4KB

MD5
c73181d12d791e0d79cd3a65a98b0539

SHA1
09e1f2b080e8a1b56284c4b14c58cf1f574847ec

SHA256
4363b59f309319b8b0048b689cd2d16a474e0ef508af333ad8d3db69e6760aaa

SHA512
0935029aab4a46846d30937d01ca14fde2b25b9b733ba864dddb48a6317969ca3c6e9a38ca417d6a7e2d6f265f0b0ab9df6e1ced7d10997e23ab7a41a33409c6

Download Submit
\Users\Admin\AppData\Local\Temp\adesk_patcher64.exe

Filesize
4KB

MD5
c73181d12d791e0d79cd3a65a98b0539

SHA1
09e1f2b080e8a1b56284c4b14c58cf1f574847ec

SHA256
4363b59f309319b8b0048b689cd2d16a474e0ef508af333ad8d3db69e6760aaa

SHA512
0935029aab4a46846d30937d01ca14fde2b25b9b733ba864dddb48a6317969ca3c6e9a38ca417d6a7e2d6f265f0b0ab9df6e1ced7d10997e23ab7a41a33409c6

Download Submit
\Users\Admin\AppData\Local\Temp\adesk_patcher64.exe

Filesize
4KB

MD5
c73181d12d791e0d79cd3a65a98b0539

SHA1
09e1f2b080e8a1b56284c4b14c58cf1f574847ec

SHA256
4363b59f309319b8b0048b689cd2d16a474e0ef508af333ad8d3db69e6760aaa

SHA512
0935029aab4a46846d30937d01ca14fde2b25b9b733ba864dddb48a6317969ca3c6e9a38ca417d6a7e2d6f265f0b0ab9df6e1ced7d10997e23ab7a41a33409c6

Download Submit
\Users\Admin\AppData\Local\Temp\adesk_patcher64.exe

Filesize
4KB

MD5
c73181d12d791e0d79cd3a65a98b0539

SHA1
09e1f2b080e8a1b56284c4b14c58cf1f574847ec

SHA256
4363b59f309319b8b0048b689cd2d16a474e0ef508af333ad8d3db69e6760aaa

SHA512
0935029aab4a46846d30937d01ca14fde2b25b9b733ba864dddb48a6317969ca3c6e9a38ca417d6a7e2d6f265f0b0ab9df6e1ced7d10997e23ab7a41a33409c6

Download Submit
\Users\Admin\AppData\Local\Temp\adesk_patcher64.exe

Filesize
4KB

MD5
c73181d12d791e0d79cd3a65a98b0539

SHA1
09e1f2b080e8a1b56284c4b14c58cf1f574847ec

SHA256
4363b59f309319b8b0048b689cd2d16a474e0ef508af333ad8d3db69e6760aaa

SHA512
0935029aab4a46846d30937d01ca14fde2b25b9b733ba864dddb48a6317969ca3c6e9a38ca417d6a7e2d6f265f0b0ab9df6e1ced7d10997e23ab7a41a33409c6

Download Submit
\Users\Admin\AppData\Local\Temp\adesk_patcher64.exe

Filesize
4KB

MD5
c73181d12d791e0d79cd3a65a98b0539

SHA1
09e1f2b080e8a1b56284c4b14c58cf1f574847ec

SHA256
4363b59f309319b8b0048b689cd2d16a474e0ef508af333ad8d3db69e6760aaa

SHA512
0935029aab4a46846d30937d01ca14fde2b25b9b733ba864dddb48a6317969ca3c6e9a38ca417d6a7e2d6f265f0b0ab9df6e1ced7d10997e23ab7a41a33409c6

Download Submit
memory/1984-17-0x0000000000400000-0x00000000006E1000-memory.dmp

Filesize
2.9MB

Download
memory/1984-14-0x0000000000400000-0x00000000006E1000-memory.dmp

Filesize
2.9MB

Download
memory/1984-16-0x0000000000400000-0x00000000006E1000-memory.dmp

Filesize
2.9MB

Download
memory/1984-0-0x0000000000400000-0x00000000006E1000-memory.dmp

Filesize
2.9MB

Download
memory/1984-18-0x0000000000400000-0x00000000006E1000-memory.dmp

Filesize
2.9MB

Download
memory/1984-2-0x0000000000400000-0x00000000006E1000-memory.dmp

Filesize
2.9MB

Download
memory/1984-3-0x0000000000400000-0x00000000006E1000-memory.dmp

Filesize
2.9MB

Download
memory/1984-4-0x0000000000400000-0x00000000006E1000-memory.dmp

Filesize
2.9MB

Download
memory/1984-1-0x0000000000400000-0x00000000006E1000-memory.dmp

Filesize
2.9MB

Download
memory/1984-26-0x0000000000400000-0x00000000006E1000-memory.dmp

Filesize
2.9MB

Download
memory/1984-27-0x0000000000400000-0x00000000006E1000-memory.dmp

Filesize
2.9MB

Download