8ae7c872aecf5c721c0d82051fe82b4c94d47a9273fcecb8515c7dab9cad713a

Analysis

max time kernel
120s
max time network
146s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 04:41

Target

05bb9d55050b464472e067d202b69030.exe
Size

16KB
MD5

05bb9d55050b464472e067d202b69030
SHA1

47ff4871e417ad0b45d0c56294d82d9493421226
SHA256

8ae7c872aecf5c721c0d82051fe82b4c94d47a9273fcecb8515c7dab9cad713a
SHA512

648944547812e2671ebdabbce9ae6fac78654a28220d3cad9e122a22f9f926f7ac4c9318c6dad3e06b0cacc874d9fd858345d09b85706300f811ee57ac115b17
SSDEEP

192:nqD0yXeZBmtFUk4tb87ZL6lsExDhm2YmtGWrN2ximgFpWWyJkzEnnwkgUw9elgt:u0yZtFUlt40vrfYmTaimgFNLzEnPrg

Score

8^/10

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\Encionc_ch.dat	05bb9d55050b464472e067d202b69030.exe

Deletes itself 1 IoCs

pid	Process
2784	cmd.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wsconfig.db	05bb9d55050b464472e067d202b69030.exe
File created	C:\Windows\SysWOW64\imm32.dll.bak	05bb9d55050b464472e067d202b69030.exe
File created	C:\Windows\SysWOW64\imm32.dll	05bb9d55050b464472e067d202b69030.exe
File created	C:\Windows\SysWOW64\kb025143120.dll	05bb9d55050b464472e067d202b69030.exe
File opened for modification	C:\Windows\SysWOW64\kb025143120.dll	05bb9d55050b464472e067d202b69030.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2964	05bb9d55050b464472e067d202b69030.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2964	05bb9d55050b464472e067d202b69030.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 2784	2964	05bb9d55050b464472e067d202b69030.exe	28
PID 2964 wrote to memory of 2784	2964	05bb9d55050b464472e067d202b69030.exe	28
PID 2964 wrote to memory of 2784	2964	05bb9d55050b464472e067d202b69030.exe	28
PID 2964 wrote to memory of 2784	2964	05bb9d55050b464472e067d202b69030.exe	28

C:\Users\Admin\AppData\Local\Temp\05bb9d55050b464472e067d202b69030.exe
"C:\Users\Admin\AppData\Local\Temp\05bb9d55050b464472e067d202b69030.exe"
1⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c c:\delf76a573.bat
  2⤵
  - Deletes itself
  PID:2784

C:\Windows\SysWOW64\drivers\Encionc_ch.dat

Filesize
672B

MD5
6a5b136a0e946adc210efcd4d92a2560

SHA1
912fe03f74d746426b4476dfd0b57a9e70559420

SHA256
864db1f906c874eb2085ef358011c2421e615652322477835e264efc33f42caa

SHA512
80d452b3d810b2e9da9a64bd42d062e304bb3ede5c4a4b98e23325cb844b4d5aa1ae094f723840736463f9fe9d9f8b3b312f0b1f90eb53c3a2b6607dc04db6ca

Download Submit
\??\c:\delf76a573.bat

Filesize
207B

MD5
69077434aad6fb1ecedff19d6fcd327b

SHA1
33ad4ad50a17d5f69b76fb526d7507d230b965d1

SHA256
d879fbdaf66a170d5af78122d58abf69fcd2e632483e9959d2262292e9bef7c9

SHA512
6d994d8cdd3c5e656eed094cb2385f3ad5e3534b767f883d9551f79eda00034523142e684e11863f0f261755332381711b217d85b52f077062d71ae800e10c8b

Download Submit
memory/2964-0-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2964-18-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download