71a884fa969d8fc6dbfe2bd731f9feeb5cc56c93530fa9220c01c6994ff64f89

Analysis

max time kernel
143s
max time network
145s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29-12-2023 19:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01b9de3f9284ee1a6919b3370756b270.exe
Size

282KB
MD5

01b9de3f9284ee1a6919b3370756b270
SHA1

0adacd42662dc355710d63b459dd2c8f1c675e71
SHA256

71a884fa969d8fc6dbfe2bd731f9feeb5cc56c93530fa9220c01c6994ff64f89
SHA512

e65f5229d248df6db20e44138f1e2937c4d46759e8c18001aafb3e0816f50e6e9035fcab3eb68feb852e89139e41a84ea0215102102c87ef6be0b9a9889116c7
SSDEEP

6144:4sIQ99HNvHrAzaZ7hNvR77HDN/BPyXO6qGNSadnFkJQiuWxjJXeye9F:UQ99HJAzaBx5/IXI2nFkg6JXmF

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2620	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2320	www.darkst.com

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\DELME.BAT	01b9de3f9284ee1a6919b3370756b270.exe
File created	C:\Windows\www.darkst.com	01b9de3f9284ee1a6919b3370756b270.exe
File opened for modification	C:\Windows\www.darkst.com	01b9de3f9284ee1a6919b3370756b270.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2112	01b9de3f9284ee1a6919b3370756b270.exe
Token: SeDebugPrivilege	2320	www.darkst.com

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2320	www.darkst.com

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 2656	2320	www.darkst.com	29
PID 2320 wrote to memory of 2656	2320	www.darkst.com	29
PID 2320 wrote to memory of 2656	2320	www.darkst.com	29
PID 2320 wrote to memory of 2656	2320	www.darkst.com	29
PID 2112 wrote to memory of 2620	2112	01b9de3f9284ee1a6919b3370756b270.exe	30
PID 2112 wrote to memory of 2620	2112	01b9de3f9284ee1a6919b3370756b270.exe	30
PID 2112 wrote to memory of 2620	2112	01b9de3f9284ee1a6919b3370756b270.exe	30
PID 2112 wrote to memory of 2620	2112	01b9de3f9284ee1a6919b3370756b270.exe	30

C:\Users\Admin\AppData\Local\Temp\01b9de3f9284ee1a6919b3370756b270.exe
"C:\Users\Admin\AppData\Local\Temp\01b9de3f9284ee1a6919b3370756b270.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\DELME.BAT
  2⤵
  - Deletes itself
  PID:2620

C:\Windows\www.darkst.com
C:\Windows\www.darkst.com
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:2656

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\DELME.BAT

Filesize
190B

MD5
af845fc81a05c6474ff19261d7b4ac32

SHA1
530d78f0d526074a8baeff8205d9b51f62669f9c

SHA256
70b35482679a770aa09ba26607beadf8cfd35f56bcebb693ee1e9321a9b9be0a

SHA512
a11306748f78622a4770941dc0cf6490503203b8eae399520df45f0fa608b9f1e6ef5252b97784f50403651fd5f74120e08522cd58cf06a37ccb4bc6b1ea59a5

Download Submit
C:\Windows\www.darkst.com

Filesize
282KB

MD5
01b9de3f9284ee1a6919b3370756b270

SHA1
0adacd42662dc355710d63b459dd2c8f1c675e71

SHA256
71a884fa969d8fc6dbfe2bd731f9feeb5cc56c93530fa9220c01c6994ff64f89

SHA512
e65f5229d248df6db20e44138f1e2937c4d46759e8c18001aafb3e0816f50e6e9035fcab3eb68feb852e89139e41a84ea0215102102c87ef6be0b9a9889116c7

Download Submit
memory/2112-0-0x0000000000400000-0x000000000051A000-memory.dmp

Filesize
1.1MB

Download
memory/2112-1-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2112-2-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2112-15-0x0000000000400000-0x000000000051A000-memory.dmp

Filesize
1.1MB

Download
memory/2320-6-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2320-17-0x0000000000400000-0x000000000051A000-memory.dmp

Filesize
1.1MB

Download
memory/2320-18-0x0000000000400000-0x000000000051A000-memory.dmp

Filesize
1.1MB

Download
memory/2320-19-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2320-22-0x0000000000400000-0x000000000051A000-memory.dmp

Filesize
1.1MB

Download