23faf7e974723811a912cc9a4e1268518ec97616a2b30712d04a47c5e6a866eb

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 09:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

63993ea94de3ce89027c438b773d897e.exe
Size

59KB
MD5

63993ea94de3ce89027c438b773d897e
SHA1

445b2dd598635dc9695c993348b33cd877be3991
SHA256

23faf7e974723811a912cc9a4e1268518ec97616a2b30712d04a47c5e6a866eb
SHA512

4460ae7808bfab57c2c7352f7649210d4107ecd1a6b5d3bc8e468b283c56666b20b7ce065695c328718a89fc0a2eaea222f215d0e1d1f7cdf50dc1d1fc5066f1
SSDEEP

1536:iRcbnPPGm7cP6XMvPwvIHXNsoUUlcVbV3feMZ+xaD3Vy7brNxx:iayOMvPwvIHXaoN6VbV3P/M7XNxx

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1652	63993ea94de3ce89027c438b773d897e.exe

Suspicious behavior: MapViewOfSection 22 IoCs

pid	Process
1652	63993ea94de3ce89027c438b773d897e.exe
1652	63993ea94de3ce89027c438b773d897e.exe
1652	63993ea94de3ce89027c438b773d897e.exe
1652	63993ea94de3ce89027c438b773d897e.exe
1652	63993ea94de3ce89027c438b773d897e.exe
1652	63993ea94de3ce89027c438b773d897e.exe
1652	63993ea94de3ce89027c438b773d897e.exe
1652	63993ea94de3ce89027c438b773d897e.exe
1652	63993ea94de3ce89027c438b773d897e.exe
1652	63993ea94de3ce89027c438b773d897e.exe
1652	63993ea94de3ce89027c438b773d897e.exe
1652	63993ea94de3ce89027c438b773d897e.exe
1652	63993ea94de3ce89027c438b773d897e.exe
1652	63993ea94de3ce89027c438b773d897e.exe
1652	63993ea94de3ce89027c438b773d897e.exe
1652	63993ea94de3ce89027c438b773d897e.exe
1652	63993ea94de3ce89027c438b773d897e.exe
1652	63993ea94de3ce89027c438b773d897e.exe
1652	63993ea94de3ce89027c438b773d897e.exe
1652	63993ea94de3ce89027c438b773d897e.exe
1652	63993ea94de3ce89027c438b773d897e.exe
1652	63993ea94de3ce89027c438b773d897e.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1652	63993ea94de3ce89027c438b773d897e.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1652 wrote to memory of 376	1652	63993ea94de3ce89027c438b773d897e.exe	4
PID 1652 wrote to memory of 376	1652	63993ea94de3ce89027c438b773d897e.exe	4
PID 1652 wrote to memory of 376	1652	63993ea94de3ce89027c438b773d897e.exe	4
PID 1652 wrote to memory of 376	1652	63993ea94de3ce89027c438b773d897e.exe	4
PID 1652 wrote to memory of 376	1652	63993ea94de3ce89027c438b773d897e.exe	4
PID 1652 wrote to memory of 376	1652	63993ea94de3ce89027c438b773d897e.exe	4
PID 1652 wrote to memory of 376	1652	63993ea94de3ce89027c438b773d897e.exe	4
PID 1652 wrote to memory of 388	1652	63993ea94de3ce89027c438b773d897e.exe	3
PID 1652 wrote to memory of 388	1652	63993ea94de3ce89027c438b773d897e.exe	3
PID 1652 wrote to memory of 388	1652	63993ea94de3ce89027c438b773d897e.exe	3
PID 1652 wrote to memory of 388	1652	63993ea94de3ce89027c438b773d897e.exe	3
PID 1652 wrote to memory of 388	1652	63993ea94de3ce89027c438b773d897e.exe	3
PID 1652 wrote to memory of 388	1652	63993ea94de3ce89027c438b773d897e.exe	3
PID 1652 wrote to memory of 388	1652	63993ea94de3ce89027c438b773d897e.exe	3
PID 1652 wrote to memory of 424	1652	63993ea94de3ce89027c438b773d897e.exe	2
PID 1652 wrote to memory of 424	1652	63993ea94de3ce89027c438b773d897e.exe	2
PID 1652 wrote to memory of 424	1652	63993ea94de3ce89027c438b773d897e.exe	2
PID 1652 wrote to memory of 424	1652	63993ea94de3ce89027c438b773d897e.exe	2
PID 1652 wrote to memory of 424	1652	63993ea94de3ce89027c438b773d897e.exe	2
PID 1652 wrote to memory of 424	1652	63993ea94de3ce89027c438b773d897e.exe	2
PID 1652 wrote to memory of 424	1652	63993ea94de3ce89027c438b773d897e.exe	2
PID 1652 wrote to memory of 472	1652	63993ea94de3ce89027c438b773d897e.exe	1
PID 1652 wrote to memory of 472	1652	63993ea94de3ce89027c438b773d897e.exe	1
PID 1652 wrote to memory of 472	1652	63993ea94de3ce89027c438b773d897e.exe	1
PID 1652 wrote to memory of 472	1652	63993ea94de3ce89027c438b773d897e.exe	1
PID 1652 wrote to memory of 472	1652	63993ea94de3ce89027c438b773d897e.exe	1
PID 1652 wrote to memory of 472	1652	63993ea94de3ce89027c438b773d897e.exe	1
PID 1652 wrote to memory of 472	1652	63993ea94de3ce89027c438b773d897e.exe	1
PID 1652 wrote to memory of 480	1652	63993ea94de3ce89027c438b773d897e.exe	7
PID 1652 wrote to memory of 480	1652	63993ea94de3ce89027c438b773d897e.exe	7
PID 1652 wrote to memory of 480	1652	63993ea94de3ce89027c438b773d897e.exe	7
PID 1652 wrote to memory of 480	1652	63993ea94de3ce89027c438b773d897e.exe	7
PID 1652 wrote to memory of 480	1652	63993ea94de3ce89027c438b773d897e.exe	7
PID 1652 wrote to memory of 480	1652	63993ea94de3ce89027c438b773d897e.exe	7
PID 1652 wrote to memory of 480	1652	63993ea94de3ce89027c438b773d897e.exe	7
PID 1652 wrote to memory of 488	1652	63993ea94de3ce89027c438b773d897e.exe	8
PID 1652 wrote to memory of 488	1652	63993ea94de3ce89027c438b773d897e.exe	8
PID 1652 wrote to memory of 488	1652	63993ea94de3ce89027c438b773d897e.exe	8
PID 1652 wrote to memory of 488	1652	63993ea94de3ce89027c438b773d897e.exe	8
PID 1652 wrote to memory of 488	1652	63993ea94de3ce89027c438b773d897e.exe	8
PID 1652 wrote to memory of 488	1652	63993ea94de3ce89027c438b773d897e.exe	8
PID 1652 wrote to memory of 488	1652	63993ea94de3ce89027c438b773d897e.exe	8
PID 1652 wrote to memory of 600	1652	63993ea94de3ce89027c438b773d897e.exe	28
PID 1652 wrote to memory of 600	1652	63993ea94de3ce89027c438b773d897e.exe	28
PID 1652 wrote to memory of 600	1652	63993ea94de3ce89027c438b773d897e.exe	28
PID 1652 wrote to memory of 600	1652	63993ea94de3ce89027c438b773d897e.exe	28
PID 1652 wrote to memory of 600	1652	63993ea94de3ce89027c438b773d897e.exe	28
PID 1652 wrote to memory of 600	1652	63993ea94de3ce89027c438b773d897e.exe	28
PID 1652 wrote to memory of 600	1652	63993ea94de3ce89027c438b773d897e.exe	28
PID 1652 wrote to memory of 680	1652	63993ea94de3ce89027c438b773d897e.exe	27
PID 1652 wrote to memory of 680	1652	63993ea94de3ce89027c438b773d897e.exe	27
PID 1652 wrote to memory of 680	1652	63993ea94de3ce89027c438b773d897e.exe	27
PID 1652 wrote to memory of 680	1652	63993ea94de3ce89027c438b773d897e.exe	27
PID 1652 wrote to memory of 680	1652	63993ea94de3ce89027c438b773d897e.exe	27
PID 1652 wrote to memory of 680	1652	63993ea94de3ce89027c438b773d897e.exe	27
PID 1652 wrote to memory of 680	1652	63993ea94de3ce89027c438b773d897e.exe	27
PID 1652 wrote to memory of 768	1652	63993ea94de3ce89027c438b773d897e.exe	9
PID 1652 wrote to memory of 768	1652	63993ea94de3ce89027c438b773d897e.exe	9
PID 1652 wrote to memory of 768	1652	63993ea94de3ce89027c438b773d897e.exe	9
PID 1652 wrote to memory of 768	1652	63993ea94de3ce89027c438b773d897e.exe	9
PID 1652 wrote to memory of 768	1652	63993ea94de3ce89027c438b773d897e.exe	9
PID 1652 wrote to memory of 768	1652	63993ea94de3ce89027c438b773d897e.exe	9
PID 1652 wrote to memory of 768	1652	63993ea94de3ce89027c438b773d897e.exe	9
PID 1652 wrote to memory of 812	1652	63993ea94de3ce89027c438b773d897e.exe	26

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:472
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:768
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  PID:848
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:288
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:332
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:3008
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:1996
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1116
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1080
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:972
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:812
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:680
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:600

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:424

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:388
- C:\Windows\system32\conhost.exe
  \??\C:\Windows\system32\conhost.exe "53275259657578286-745610113304237587206978523327748816-2098825281-831185871"
  2⤵
  PID:2936

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:376
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:480
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:488

C:\Users\Admin\AppData\Local\Temp\63993ea94de3ce89027c438b773d897e.exe
"C:\Users\Admin\AppData\Local\Temp\63993ea94de3ce89027c438b773d897e.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1652

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1940

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1244

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1180

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1652-0-0x0000000001000000-0x0000000001012000-memory.dmp

Filesize
72KB

Download
memory/1652-3-0x0000000001000000-0x0000000001012000-memory.dmp

Filesize
72KB

Download
memory/1652-2-0x0000000076F20000-0x0000000076F21000-memory.dmp

Filesize
4KB

Download
memory/1652-1-0x0000000076F1F000-0x0000000076F20000-memory.dmp

Filesize
4KB

Download