56d2191920a37c2184df1c1ad5a9621afe4752647eb20c7981877c10d9754d8c

Analysis

max time kernel
1s
max time network
3s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 16:28

Target

2d20bd0ae3c0cc7a3e47585e83237ae6.exe
Size

193KB
MD5

2d20bd0ae3c0cc7a3e47585e83237ae6
SHA1

eaec7a3649b45318fa65497a79e13ed096704cbc
SHA256

56d2191920a37c2184df1c1ad5a9621afe4752647eb20c7981877c10d9754d8c
SHA512

c0ebc8df4f8e759d27dab8710c62bc02d461ab793ecb8f5f32bea926055909410a31b5e4dfd190e463863ca8272278aa11cdd27cb4efaeed8d8f31412f37da7d
SSDEEP

6144:eK1k7d47hHAPNAlW7VvLKX/nnGlL40EaaX+yjIfW7:f1YJPNnYGlLIa0H7

Score

7^/10

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000b000000012262-2.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
2512	WinHfjt32.exe

Loads dropped DLL 4 IoCs

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WinHfjt32.exe	2d20bd0ae3c0cc7a3e47585e83237ae6.exe
File opened for modification	C:\Windows\SysWOW64\WinHfjt32.exe	2d20bd0ae3c0cc7a3e47585e83237ae6.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1016	2d20bd0ae3c0cc7a3e47585e83237ae6.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1016	2d20bd0ae3c0cc7a3e47585e83237ae6.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1016 wrote to memory of 2512	1016	2d20bd0ae3c0cc7a3e47585e83237ae6.exe	29
PID 1016 wrote to memory of 2512	1016	2d20bd0ae3c0cc7a3e47585e83237ae6.exe	29
PID 1016 wrote to memory of 2512	1016	2d20bd0ae3c0cc7a3e47585e83237ae6.exe	29
PID 1016 wrote to memory of 2512	1016	2d20bd0ae3c0cc7a3e47585e83237ae6.exe	29
PID 1016 wrote to memory of 2224	1016	2d20bd0ae3c0cc7a3e47585e83237ae6.exe	28
PID 1016 wrote to memory of 2224	1016	2d20bd0ae3c0cc7a3e47585e83237ae6.exe	28
PID 1016 wrote to memory of 2224	1016	2d20bd0ae3c0cc7a3e47585e83237ae6.exe	28
PID 1016 wrote to memory of 2224	1016	2d20bd0ae3c0cc7a3e47585e83237ae6.exe	28

C:\Users\Admin\AppData\Local\Temp\2d20bd0ae3c0cc7a3e47585e83237ae6.exe
"C:\Users\Admin\AppData\Local\Temp\2d20bd0ae3c0cc7a3e47585e83237ae6.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1016
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2D20BD~1.EXE > nul
  2⤵
  PID:2224
- C:\Windows\SysWOW64\WinHfjt32.exe
  "C:\Windows\system32\WinHfjt32.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2512
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\WINHFJ~1.EXE > nul
    3⤵
    PID:2912

C:\Windows\SysWOW64\WinHfjt32.exe

Filesize
193KB

MD5
2d20bd0ae3c0cc7a3e47585e83237ae6

SHA1
eaec7a3649b45318fa65497a79e13ed096704cbc

SHA256
56d2191920a37c2184df1c1ad5a9621afe4752647eb20c7981877c10d9754d8c

SHA512
c0ebc8df4f8e759d27dab8710c62bc02d461ab793ecb8f5f32bea926055909410a31b5e4dfd190e463863ca8272278aa11cdd27cb4efaeed8d8f31412f37da7d

Download Submit
\Users\Admin\AppData\Local\Temp\dhl4E20.tmp

Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
memory/1016-0-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1016-4-0x0000000000220000-0x0000000000293000-memory.dmp

Filesize
460KB

Download
memory/1016-13-0x0000000000330000-0x0000000000339000-memory.dmp

Filesize
36KB

Download