33e1b2d24ab0db22c51686a46a408429a0e600dfc20b622f4c652d128ecb9671

Analysis

max time kernel
125s
max time network
151s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-12-2023 15:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a453a20a79dea07fe4527e5ba9bacdf.exe
Size

319KB
MD5

2a453a20a79dea07fe4527e5ba9bacdf
SHA1

9998cffad666c5ef003e1362843f914730866bbe
SHA256

33e1b2d24ab0db22c51686a46a408429a0e600dfc20b622f4c652d128ecb9671
SHA512

5ca0c5886924c580d1ef516a2be3dc22663c5c8b0855cde2ede398f7f51fc4c09b54e48380078f77aa15b37141dc7d5d5840b8a83d50aa3fb33a8c9cc8b20c43
SSDEEP

6144:hITNvnVN1Q1ttJXDlPwJ/TItbsdVeQBWLyai/Cx:qnVs7tJTlI9cxsdEIWuJ/Cx

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\_bmp23_.bm_	2a453a20a79dea07fe4527e5ba9bacdf.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1944	2a453a20a79dea07fe4527e5ba9bacdf.exe

Suspicious behavior: MapViewOfSection 21 IoCs

pid	Process
1944	2a453a20a79dea07fe4527e5ba9bacdf.exe
1944	2a453a20a79dea07fe4527e5ba9bacdf.exe
1944	2a453a20a79dea07fe4527e5ba9bacdf.exe
1944	2a453a20a79dea07fe4527e5ba9bacdf.exe
1944	2a453a20a79dea07fe4527e5ba9bacdf.exe
1944	2a453a20a79dea07fe4527e5ba9bacdf.exe
1944	2a453a20a79dea07fe4527e5ba9bacdf.exe
1944	2a453a20a79dea07fe4527e5ba9bacdf.exe
1944	2a453a20a79dea07fe4527e5ba9bacdf.exe
1944	2a453a20a79dea07fe4527e5ba9bacdf.exe
1944	2a453a20a79dea07fe4527e5ba9bacdf.exe
1944	2a453a20a79dea07fe4527e5ba9bacdf.exe
1944	2a453a20a79dea07fe4527e5ba9bacdf.exe
1944	2a453a20a79dea07fe4527e5ba9bacdf.exe
1944	2a453a20a79dea07fe4527e5ba9bacdf.exe
1944	2a453a20a79dea07fe4527e5ba9bacdf.exe
1944	2a453a20a79dea07fe4527e5ba9bacdf.exe
1944	2a453a20a79dea07fe4527e5ba9bacdf.exe
1944	2a453a20a79dea07fe4527e5ba9bacdf.exe
1944	2a453a20a79dea07fe4527e5ba9bacdf.exe
1944	2a453a20a79dea07fe4527e5ba9bacdf.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1944	2a453a20a79dea07fe4527e5ba9bacdf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1944 wrote to memory of 372	1944	2a453a20a79dea07fe4527e5ba9bacdf.exe	24
PID 1944 wrote to memory of 372	1944	2a453a20a79dea07fe4527e5ba9bacdf.exe	24
PID 1944 wrote to memory of 372	1944	2a453a20a79dea07fe4527e5ba9bacdf.exe	24
PID 1944 wrote to memory of 372	1944	2a453a20a79dea07fe4527e5ba9bacdf.exe	24
PID 1944 wrote to memory of 372	1944	2a453a20a79dea07fe4527e5ba9bacdf.exe	24
PID 1944 wrote to memory of 372	1944	2a453a20a79dea07fe4527e5ba9bacdf.exe	24
PID 1944 wrote to memory of 372	1944	2a453a20a79dea07fe4527e5ba9bacdf.exe	24
PID 1944 wrote to memory of 388	1944	2a453a20a79dea07fe4527e5ba9bacdf.exe	4
PID 1944 wrote to memory of 388	1944	2a453a20a79dea07fe4527e5ba9bacdf.exe	4
PID 1944 wrote to memory of 388	1944	2a453a20a79dea07fe4527e5ba9bacdf.exe	4
PID 1944 wrote to memory of 388	1944	2a453a20a79dea07fe4527e5ba9bacdf.exe	4
PID 1944 wrote to memory of 388	1944	2a453a20a79dea07fe4527e5ba9bacdf.exe	4
PID 1944 wrote to memory of 388	1944	2a453a20a79dea07fe4527e5ba9bacdf.exe	4
PID 1944 wrote to memory of 388	1944	2a453a20a79dea07fe4527e5ba9bacdf.exe	4
PID 1944 wrote to memory of 424	1944	2a453a20a79dea07fe4527e5ba9bacdf.exe	3
PID 1944 wrote to memory of 424	1944	2a453a20a79dea07fe4527e5ba9bacdf.exe	3
PID 1944 wrote to memory of 424	1944	2a453a20a79dea07fe4527e5ba9bacdf.exe	3
PID 1944 wrote to memory of 424	1944	2a453a20a79dea07fe4527e5ba9bacdf.exe	3
PID 1944 wrote to memory of 424	1944	2a453a20a79dea07fe4527e5ba9bacdf.exe	3
PID 1944 wrote to memory of 424	1944	2a453a20a79dea07fe4527e5ba9bacdf.exe	3
PID 1944 wrote to memory of 424	1944	2a453a20a79dea07fe4527e5ba9bacdf.exe	3
PID 1944 wrote to memory of 468	1944	2a453a20a79dea07fe4527e5ba9bacdf.exe	2
PID 1944 wrote to memory of 468	1944	2a453a20a79dea07fe4527e5ba9bacdf.exe	2
PID 1944 wrote to memory of 468	1944	2a453a20a79dea07fe4527e5ba9bacdf.exe	2
PID 1944 wrote to memory of 468	1944	2a453a20a79dea07fe4527e5ba9bacdf.exe	2
PID 1944 wrote to memory of 468	1944	2a453a20a79dea07fe4527e5ba9bacdf.exe	2
PID 1944 wrote to memory of 468	1944	2a453a20a79dea07fe4527e5ba9bacdf.exe	2
PID 1944 wrote to memory of 468	1944	2a453a20a79dea07fe4527e5ba9bacdf.exe	2
PID 1944 wrote to memory of 484	1944	2a453a20a79dea07fe4527e5ba9bacdf.exe	1
PID 1944 wrote to memory of 484	1944	2a453a20a79dea07fe4527e5ba9bacdf.exe	1
PID 1944 wrote to memory of 484	1944	2a453a20a79dea07fe4527e5ba9bacdf.exe	1
PID 1944 wrote to memory of 484	1944	2a453a20a79dea07fe4527e5ba9bacdf.exe	1
PID 1944 wrote to memory of 484	1944	2a453a20a79dea07fe4527e5ba9bacdf.exe	1
PID 1944 wrote to memory of 484	1944	2a453a20a79dea07fe4527e5ba9bacdf.exe	1
PID 1944 wrote to memory of 484	1944	2a453a20a79dea07fe4527e5ba9bacdf.exe	1
PID 1944 wrote to memory of 492	1944	2a453a20a79dea07fe4527e5ba9bacdf.exe	23
PID 1944 wrote to memory of 492	1944	2a453a20a79dea07fe4527e5ba9bacdf.exe	23
PID 1944 wrote to memory of 492	1944	2a453a20a79dea07fe4527e5ba9bacdf.exe	23
PID 1944 wrote to memory of 492	1944	2a453a20a79dea07fe4527e5ba9bacdf.exe	23
PID 1944 wrote to memory of 492	1944	2a453a20a79dea07fe4527e5ba9bacdf.exe	23
PID 1944 wrote to memory of 492	1944	2a453a20a79dea07fe4527e5ba9bacdf.exe	23
PID 1944 wrote to memory of 492	1944	2a453a20a79dea07fe4527e5ba9bacdf.exe	23
PID 1944 wrote to memory of 588	1944	2a453a20a79dea07fe4527e5ba9bacdf.exe	22
PID 1944 wrote to memory of 588	1944	2a453a20a79dea07fe4527e5ba9bacdf.exe	22
PID 1944 wrote to memory of 588	1944	2a453a20a79dea07fe4527e5ba9bacdf.exe	22
PID 1944 wrote to memory of 588	1944	2a453a20a79dea07fe4527e5ba9bacdf.exe	22
PID 1944 wrote to memory of 588	1944	2a453a20a79dea07fe4527e5ba9bacdf.exe	22
PID 1944 wrote to memory of 588	1944	2a453a20a79dea07fe4527e5ba9bacdf.exe	22
PID 1944 wrote to memory of 588	1944	2a453a20a79dea07fe4527e5ba9bacdf.exe	22
PID 1944 wrote to memory of 664	1944	2a453a20a79dea07fe4527e5ba9bacdf.exe	21
PID 1944 wrote to memory of 664	1944	2a453a20a79dea07fe4527e5ba9bacdf.exe	21
PID 1944 wrote to memory of 664	1944	2a453a20a79dea07fe4527e5ba9bacdf.exe	21
PID 1944 wrote to memory of 664	1944	2a453a20a79dea07fe4527e5ba9bacdf.exe	21
PID 1944 wrote to memory of 664	1944	2a453a20a79dea07fe4527e5ba9bacdf.exe	21
PID 1944 wrote to memory of 664	1944	2a453a20a79dea07fe4527e5ba9bacdf.exe	21
PID 1944 wrote to memory of 664	1944	2a453a20a79dea07fe4527e5ba9bacdf.exe	21
PID 1944 wrote to memory of 748	1944	2a453a20a79dea07fe4527e5ba9bacdf.exe	20
PID 1944 wrote to memory of 748	1944	2a453a20a79dea07fe4527e5ba9bacdf.exe	20
PID 1944 wrote to memory of 748	1944	2a453a20a79dea07fe4527e5ba9bacdf.exe	20
PID 1944 wrote to memory of 748	1944	2a453a20a79dea07fe4527e5ba9bacdf.exe	20
PID 1944 wrote to memory of 748	1944	2a453a20a79dea07fe4527e5ba9bacdf.exe	20
PID 1944 wrote to memory of 748	1944	2a453a20a79dea07fe4527e5ba9bacdf.exe	20
PID 1944 wrote to memory of 748	1944	2a453a20a79dea07fe4527e5ba9bacdf.exe	20
PID 1944 wrote to memory of 796	1944	2a453a20a79dea07fe4527e5ba9bacdf.exe	19

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:484

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:468
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1032
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:1400
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:2384
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1116
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:304
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:112
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:952
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  PID:836
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:796
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:748
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:664
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:588

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:424

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:388

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
1⤵
PID:2772

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1232
- C:\Users\Admin\AppData\Local\Temp\2a453a20a79dea07fe4527e5ba9bacdf.exe
  "C:\Users\Admin\AppData\Local\Temp\2a453a20a79dea07fe4527e5ba9bacdf.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1944

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1184

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:492

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:372

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1944-0-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1944-1-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1944-2-0x0000000000230000-0x0000000000286000-memory.dmp

Filesize
344KB

Download
memory/1944-7-0x0000000000230000-0x000000000023D000-memory.dmp

Filesize
52KB

Download
memory/1944-6-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download