245c6a4457f5ef8edb6c90c79881c9bef8eb8877999da32fa85e08a3b73807a4

Analysis

max time kernel
120s
max time network
131s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 05:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

094484d195cf080f7a48cb1628a8b83f.exe
Size

175KB
MD5

094484d195cf080f7a48cb1628a8b83f
SHA1

113edfaeba0429577f4c06e1e5a46c21371ca394
SHA256

245c6a4457f5ef8edb6c90c79881c9bef8eb8877999da32fa85e08a3b73807a4
SHA512

9551bb96bdd39af3f2dd372be6c777c181485fba94718f52cd6f931ff914227f9080878e97bfaccec28a9d2dfd3bc8426d08aa95c5529ad3aa9b540f56ed4a63
SSDEEP

3072:wYaQjKnr+mWBmfIOrDcJaJFbT/hZeOOdUJqANgesO0bq:wYaQ8rpWB+IOrxFbNZeOOduNdsO3

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2792	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2244	update32.exe

Loads dropped DLL 1 IoCs

pid	Process
2540	094484d195cf080f7a48cb1628a8b83f.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\insvc32.exe	094484d195cf080f7a48cb1628a8b83f.exe
File created	C:\Windows\SysWOW64\soaction32.dll	094484d195cf080f7a48cb1628a8b83f.exe
File opened for modification	C:\Windows\SysWOW64\soaction32.dll	094484d195cf080f7a48cb1628a8b83f.exe
File created	C:\Windows\SysWOW64\maxsvc32.dll	094484d195cf080f7a48cb1628a8b83f.exe
File opened for modification	C:\Windows\SysWOW64\maxsvc32.dll	094484d195cf080f7a48cb1628a8b83f.exe
File created	C:\Windows\SysWOW64\insvc32.exe	094484d195cf080f7a48cb1628a8b83f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2540	094484d195cf080f7a48cb1628a8b83f.exe
2540	094484d195cf080f7a48cb1628a8b83f.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2540	094484d195cf080f7a48cb1628a8b83f.exe
Token: SeDebugPrivilege	2244	update32.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2540 wrote to memory of 420	2540	094484d195cf080f7a48cb1628a8b83f.exe	3
PID 2540 wrote to memory of 2244	2540	094484d195cf080f7a48cb1628a8b83f.exe	32
PID 2540 wrote to memory of 2244	2540	094484d195cf080f7a48cb1628a8b83f.exe	32
PID 2540 wrote to memory of 2244	2540	094484d195cf080f7a48cb1628a8b83f.exe	32
PID 2540 wrote to memory of 2244	2540	094484d195cf080f7a48cb1628a8b83f.exe	32
PID 2540 wrote to memory of 2244	2540	094484d195cf080f7a48cb1628a8b83f.exe	32
PID 2540 wrote to memory of 2244	2540	094484d195cf080f7a48cb1628a8b83f.exe	32
PID 2540 wrote to memory of 2244	2540	094484d195cf080f7a48cb1628a8b83f.exe	32
PID 2540 wrote to memory of 2792	2540	094484d195cf080f7a48cb1628a8b83f.exe	31
PID 2540 wrote to memory of 2792	2540	094484d195cf080f7a48cb1628a8b83f.exe	31
PID 2540 wrote to memory of 2792	2540	094484d195cf080f7a48cb1628a8b83f.exe	31
PID 2540 wrote to memory of 2792	2540	094484d195cf080f7a48cb1628a8b83f.exe	31
PID 2244 wrote to memory of 2720	2244	update32.exe	30
PID 2244 wrote to memory of 2720	2244	update32.exe	30
PID 2244 wrote to memory of 2720	2244	update32.exe	30
PID 2244 wrote to memory of 2720	2244	update32.exe	30

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:420

C:\Users\Admin\AppData\Local\Temp\094484d195cf080f7a48cb1628a8b83f.exe
"C:\Users\Admin\AppData\Local\Temp\094484d195cf080f7a48cb1628a8b83f.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2540
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_unins_mxz.bat" "
  2⤵
  - Deletes itself
  PID:2792
- C:\Users\Admin\AppData\Local\Temp\update32.exe
  "C:\Users\Admin\AppData\Local\Temp\update32.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2244

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_unins_u32.bat" "
1⤵
PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\update32.exe

Filesize
40KB

MD5
261c97e888a34ed09c2b36680a93b21f

SHA1
a76741edd8a83f8a9256423e1b04998d3b4693a6

SHA256
194a4ab3acc79736ec61ba1e6f28b3b453e8bfdf0a90afa8faaf5664c321e3fa

SHA512
c633e26fee64f5b3b2e2b6dd2680e5006ef551b1f3ead89e8f3e597aa74ea2e4f4f4fd4d950a1a1de8ecdb9ca8475c30cc037a8d8bef4c1d09fb851e083762ba

Download Submit
memory/420-9-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download