56ccf53bf87ec9a37cbb021a20d539e5068d7777d59672147c71bd292c25b1c8

Analysis

max time kernel
142s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
19/12/2023, 11:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16b162731967b3cf7d1656f69c59fc26.exe
Size

277KB
MD5

16b162731967b3cf7d1656f69c59fc26
SHA1

dc51477508701b49ec116fa42dcc59f23789c573
SHA256

56ccf53bf87ec9a37cbb021a20d539e5068d7777d59672147c71bd292c25b1c8
SHA512

a5ef99c562a7a3d855a977a0edd592eac9c5826d236164d53c0b7891f970a56ee11a12397d29995d67d5258dd1e868d1f2be50da3ab183fb6ee292c6c463b85c
SSDEEP

6144:qBGieZs2356GuKrJJtMIzPwP54DzXDCCRKyUTa:5i6s2klKW4PImzXDNRPya

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2332	r468CDF.exe

Loads dropped DLL 1 IoCs

pid	Process
2376	16b162731967b3cf7d1656f69c59fc26.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Debug\GKMSWY3\GKMSWY3002.IMD	16b162731967b3cf7d1656f69c59fc26.exe
File created	C:\Windows\SysWOW64\Debug\GKMSWY3\GKMSWY3003.IMD	16b162731967b3cf7d1656f69c59fc26.exe
File created	C:\Windows\SysWOW64\qsliaoyezjcsrrs1.dll	16b162731967b3cf7d1656f69c59fc26.exe
File created	C:\Windows\SysWOW64\1.3GKMSWY	16b162731967b3cf7d1656f69c59fc26.exe
File created	C:\Windows\SysWOW64\2.3GKMSWY	16b162731967b3cf7d1656f69c59fc26.exe
File created	C:\Windows\SysWOW64\Debug\GKMSWY3\GKMSWY3000.IMD	16b162731967b3cf7d1656f69c59fc26.exe
File created	C:\Windows\SysWOW64\Debug\GKMSWY3\GKMSWY3001.IMD	16b162731967b3cf7d1656f69c59fc26.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system\4468ACD\r468CDF.exe	16b162731967b3cf7d1656f69c59fc26.exe
File opened for modification	C:\Windows\system\4468ACD\r468CDF.exe	16b162731967b3cf7d1656f69c59fc26.exe
File created	C:\Windows\2.ini	16b162731967b3cf7d1656f69c59fc26.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2376	16b162731967b3cf7d1656f69c59fc26.exe
2376	16b162731967b3cf7d1656f69c59fc26.exe
2376	16b162731967b3cf7d1656f69c59fc26.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2376	16b162731967b3cf7d1656f69c59fc26.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 2332	2376	16b162731967b3cf7d1656f69c59fc26.exe	28
PID 2376 wrote to memory of 2332	2376	16b162731967b3cf7d1656f69c59fc26.exe	28
PID 2376 wrote to memory of 2332	2376	16b162731967b3cf7d1656f69c59fc26.exe	28
PID 2376 wrote to memory of 2332	2376	16b162731967b3cf7d1656f69c59fc26.exe	28

C:\Users\Admin\AppData\Local\Temp\16b162731967b3cf7d1656f69c59fc26.exe
"C:\Users\Admin\AppData\Local\Temp\16b162731967b3cf7d1656f69c59fc26.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Windows\system\4468ACD\r468CDF.exe
  C:\Windows\system\4468ACD\r468CDF.exe -close
  2⤵
  - Executes dropped EXE
  PID:2332

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\1.3GKMSWY

Filesize
26B

MD5
4207274343ad5f087db018ab301ece2f

SHA1
e38b117bb7a5a6bb0b5c27b88aef11e4683bf500

SHA256
1cae7db97caf51809bf52bbae1ff401742b8cf48691f54b564597debd0aa7ffe

SHA512
52ba005ec74db55bfb114cd6dae90f99c4e502d1fb9ce2ba0a7485a56e843ae6ad3bab1ee77a25cd205a6885252a1840f73e0793bc64295de4715896489b69ed

Download Submit
C:\Windows\SysWOW64\2.3GKMSWY

Filesize
18B

MD5
19537878b06696f1615901cd8f7d4fe6

SHA1
169ba2c48935b7644e1d1212d94403cd8cd1b905

SHA256
d2fd6273b3764b7a120bc7cf4a4bbfd32cbc57ca78fcec8fadfe15ccb389acf5

SHA512
c09b58c65fa9cdeb79f815287c4f8e7a0681ff9eb0da45ad4f6c18fac9f5226dc08e9f14e356a1d412da24b8accd502ba632bda5ded54153d1729d4beea50153

Download Submit
C:\Windows\SysWOW64\qsliaoyezjcsrrs1.dll

Filesize
18B

MD5
53702e9bc87901322cbb9fe0644dfcbb

SHA1
13f6c604fd149499393ae6a3a487b58b3c0aaef5

SHA256
bf95cf2ed310a9f912694ade78993fde0bb6aa7949e402c7b8b8962e2857b2b1

SHA512
5faed6a7c1019067f160bac946bb5f3b396204d4888747de4c4ff98c4f22493b33774d98e2a294f811c0511ec915dd127eabd7790d4f2f68d83806874e7c0142

Download Submit
C:\Windows\system\4468ACD\r468CDF.exe

Filesize
277KB

MD5
ce593d5229844989a60024fc83ffa2d4

SHA1
36eb4db83230c7f567e142cbbca1b9724d13fc7b

SHA256
53bc82d065f15adc7979420af2e1d202350387172bbd42f230aa436e0ab565a4

SHA512
4b3bfe6edc041eb30da3c247fd18e9600ce3262f6ea8f7375573f34f726f407e576ac5f77d87e197106675d93e3bc2b7c3192ef900b371ef405b65a862caa7c7

Download Submit
memory/2332-23-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2376-22-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download