75e50fa061f72b2519055bc45ba3652b202bc9ece7664c58ca33d6b11c4c6104

Analysis

max time kernel
146s
max time network
112s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 07:13

Target

5bd50c9220452e9e89f622738b0c91a7.exe
Size

20KB
MD5

5bd50c9220452e9e89f622738b0c91a7
SHA1

ff6dfe6b3c331a50d6585a586f8a7bfc170eac91
SHA256

75e50fa061f72b2519055bc45ba3652b202bc9ece7664c58ca33d6b11c4c6104
SHA512

b542a2330523604f13fc4c66e5a2c312d9c93f386ee43911bf7ca212b6687b39a49e7b8cb67379b01d4b6cd8751309e2e63618a4f9232aa517a3bd88d6a00c0b
SSDEEP

384:uWCaLWhL1cd5kdgmpk5O93g53eIDTID30kCdqdyUjBY:RoLmd5kd5OQ9QoOa30kCq3BY

Score

7^/10

Executes dropped EXE 2 IoCs

pid	Process
1232	remote.exe
4260	remote.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\remote.exe	remote.exe
File created	C:\Windows\SysWOW64\remote.exe	remote.exe
File opened for modification	C:\Windows\SysWOW64\remote.exe	remote.exe
File created	C:\Windows\SysWOW64\remote.exe	remote.exe
File created	C:\Windows\SysWOW64\kernel32.ime	remote.exe
File opened for modification	C:\Windows\SysWOW64\remote.exe	5bd50c9220452e9e89f622738b0c91a7.exe
File created	C:\Windows\SysWOW64\remote.exe	5bd50c9220452e9e89f622738b0c91a7.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4260	remote.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3944 wrote to memory of 1232	3944	5bd50c9220452e9e89f622738b0c91a7.exe	91
PID 3944 wrote to memory of 1232	3944	5bd50c9220452e9e89f622738b0c91a7.exe	91
PID 3944 wrote to memory of 1232	3944	5bd50c9220452e9e89f622738b0c91a7.exe	91
PID 3944 wrote to memory of 5012	3944	5bd50c9220452e9e89f622738b0c91a7.exe	93
PID 3944 wrote to memory of 5012	3944	5bd50c9220452e9e89f622738b0c91a7.exe	93
PID 3944 wrote to memory of 5012	3944	5bd50c9220452e9e89f622738b0c91a7.exe	93
PID 4260 wrote to memory of 776	4260	remote.exe	6

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:776

C:\Users\Admin\AppData\Local\Temp\5bd50c9220452e9e89f622738b0c91a7.exe
"C:\Users\Admin\AppData\Local\Temp\5bd50c9220452e9e89f622738b0c91a7.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3944
- C:\Windows\SysWOW64\remote.exe
  C:\Windows\system32\remote.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:1232
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\5bd50c9220452e9e89f622738b0c91a7.exe"
  2⤵
  PID:5012

C:\Windows\SysWOW64\remote.exe

Filesize
20KB

MD5
5bd50c9220452e9e89f622738b0c91a7

SHA1
ff6dfe6b3c331a50d6585a586f8a7bfc170eac91

SHA256
75e50fa061f72b2519055bc45ba3652b202bc9ece7664c58ca33d6b11c4c6104

SHA512
b542a2330523604f13fc4c66e5a2c312d9c93f386ee43911bf7ca212b6687b39a49e7b8cb67379b01d4b6cd8751309e2e63618a4f9232aa517a3bd88d6a00c0b

Download Submit