cf2a6a1281998dee1fb893e716d8254a2cbe3c563373cac2092d510203389eac

Analysis

max time kernel
141s
max time network
118s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 11:07

Target

199559831e72e73dcda2dc5f938d7595.exe
Size

743KB
MD5

199559831e72e73dcda2dc5f938d7595
SHA1

b4d36c6719c8baf43ce13bd2a7ce9eb56537a8b0
SHA256

cf2a6a1281998dee1fb893e716d8254a2cbe3c563373cac2092d510203389eac
SHA512

10ae0634f567be1ce7b74a6446f44b583eb539b2c76e4128eaa6eb884b805c6c2aef1a46425493752dc929155c470d207a5086108cd981087159ac99319a9df2
SSDEEP

12288:dRn8S++U4u/n/80dW5A0zyo6JwQ5oAlK+GPHvZkIkn+QQ52LYRgc8yPwDRNdE:n8MU4ufxdW5A2mJr/kNHvSIknU3Y

Score

7^/10

Deletes itself 1 IoCs

pid	Process
2972	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
796	dsadqfq.cn.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\dsadqfq.cn.exe	199559831e72e73dcda2dc5f938d7595.exe
File opened for modification	C:\Windows\dsadqfq.cn.exe	199559831e72e73dcda2dc5f938d7595.exe
File created	C:\Windows\61642520.BAT	199559831e72e73dcda2dc5f938d7595.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1724	199559831e72e73dcda2dc5f938d7595.exe
Token: SeDebugPrivilege	796	dsadqfq.cn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
796	dsadqfq.cn.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 796 wrote to memory of 1728	796	dsadqfq.cn.exe	28
PID 796 wrote to memory of 1728	796	dsadqfq.cn.exe	28
PID 796 wrote to memory of 1728	796	dsadqfq.cn.exe	28
PID 796 wrote to memory of 1728	796	dsadqfq.cn.exe	28
PID 1724 wrote to memory of 2972	1724	199559831e72e73dcda2dc5f938d7595.exe	30
PID 1724 wrote to memory of 2972	1724	199559831e72e73dcda2dc5f938d7595.exe	30
PID 1724 wrote to memory of 2972	1724	199559831e72e73dcda2dc5f938d7595.exe	30
PID 1724 wrote to memory of 2972	1724	199559831e72e73dcda2dc5f938d7595.exe	30

C:\Users\Admin\AppData\Local\Temp\199559831e72e73dcda2dc5f938d7595.exe
"C:\Users\Admin\AppData\Local\Temp\199559831e72e73dcda2dc5f938d7595.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\61642520.BAT
  2⤵
  - Deletes itself
  PID:2972

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"
1⤵
PID:1728

C:\Windows\61642520.BAT

Filesize
190B

MD5
0bc4eef91896cbbed83711422c06431b

SHA1
2e4114b8c04d36684eb811bdff6889e349c044e8

SHA256
9ff29148e7fd054c7dab2ec881088e8f4b3a231411344fb0ebed6ee000ea849e

SHA512
3f7367c3a80492f189ef8fb16b09e8ae063a95a69ad264706770099bc90e93f316ff5bdab76ed9b5788573bbc58db9460cc79e48526d36bbc5abad499c1ebc94

Download Submit
C:\Windows\dsadqfq.cn.exe

Filesize
743KB

MD5
199559831e72e73dcda2dc5f938d7595

SHA1
b4d36c6719c8baf43ce13bd2a7ce9eb56537a8b0

SHA256
cf2a6a1281998dee1fb893e716d8254a2cbe3c563373cac2092d510203389eac

SHA512
10ae0634f567be1ce7b74a6446f44b583eb539b2c76e4128eaa6eb884b805c6c2aef1a46425493752dc929155c470d207a5086108cd981087159ac99319a9df2

Download Submit
memory/796-12-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/796-15-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/796-16-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/796-17-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/796-21-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1724-0-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1724-13-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download