d472bc867cd0846005f4dc68cbe3921b957aad2000764c678321d1e84b524f3d

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-12-2023 20:54

Target

3c651386956e34027006e4831545a07b.exe
Size

27KB
MD5

3c651386956e34027006e4831545a07b
SHA1

ecda9179883e743fe56020702299d36a16770adf
SHA256

d472bc867cd0846005f4dc68cbe3921b957aad2000764c678321d1e84b524f3d
SHA512

0fb5dfaf6460470ea4e3507ad5cbe0cc061d416414afa4f1b603b9aa0e09ba3033602bd561c1eec2092b7fdb00f27086aa6eed56dcc8c25c6a01f8c78461b3ce
SSDEEP

384:ggUINUWXeGMrb3qeBNv6P2A5FG6CSvE+G8m6L8K9v1SlhXrFBq:llNUPrb3q616lzGNwEumw82qw

Score

7^/10

Deletes itself 1 IoCs

pid	Process
2780	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2164	fing.exe

Loads dropped DLL 2 IoCs

pid	Process
1896	3c651386956e34027006e4831545a07b.exe
1896	3c651386956e34027006e4831545a07b.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\fing.exe	3c651386956e34027006e4831545a07b.exe
File opened for modification	C:\Windows\SysWOW64\fing.exe	3c651386956e34027006e4831545a07b.exe
File created	C:\Windows\SysWOW64\fing.exe	fing.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1896	3c651386956e34027006e4831545a07b.exe
2164	fing.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1896	3c651386956e34027006e4831545a07b.exe
Token: SeIncBasePriorityPrivilege	2164	fing.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1896 wrote to memory of 2164	1896	3c651386956e34027006e4831545a07b.exe	28
PID 1896 wrote to memory of 2164	1896	3c651386956e34027006e4831545a07b.exe	28
PID 1896 wrote to memory of 2164	1896	3c651386956e34027006e4831545a07b.exe	28
PID 1896 wrote to memory of 2164	1896	3c651386956e34027006e4831545a07b.exe	28
PID 1896 wrote to memory of 2780	1896	3c651386956e34027006e4831545a07b.exe	29
PID 1896 wrote to memory of 2780	1896	3c651386956e34027006e4831545a07b.exe	29
PID 1896 wrote to memory of 2780	1896	3c651386956e34027006e4831545a07b.exe	29
PID 1896 wrote to memory of 2780	1896	3c651386956e34027006e4831545a07b.exe	29
PID 2164 wrote to memory of 2136	2164	fing.exe	30
PID 2164 wrote to memory of 2136	2164	fing.exe	30
PID 2164 wrote to memory of 2136	2164	fing.exe	30
PID 2164 wrote to memory of 2136	2164	fing.exe	30

C:\Users\Admin\AppData\Local\Temp\3c651386956e34027006e4831545a07b.exe
"C:\Users\Admin\AppData\Local\Temp\3c651386956e34027006e4831545a07b.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1896
- C:\Windows\SysWOW64\fing.exe
  "C:\Windows\system32\fing.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2164
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /C del C:\Windows\SysWOW64\fing.exe > nul
    3⤵
    PID:2136
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C del C:\Users\Admin\AppData\Local\Temp\3C6513~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2780

\Windows\SysWOW64\fing.exe

Filesize
27KB

MD5
3c651386956e34027006e4831545a07b

SHA1
ecda9179883e743fe56020702299d36a16770adf

SHA256
d472bc867cd0846005f4dc68cbe3921b957aad2000764c678321d1e84b524f3d

SHA512
0fb5dfaf6460470ea4e3507ad5cbe0cc061d416414afa4f1b603b9aa0e09ba3033602bd561c1eec2092b7fdb00f27086aa6eed56dcc8c25c6a01f8c78461b3ce

Download Submit