6bb81c3f04523c87b00e700e9c1dfde2149db4684c44e1f7ec39aaa88e5531be

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29/12/2023, 20:13

Target

02b53d6d01c1b03b1f8ef204f51f28da.exe
Size

14KB
MD5

02b53d6d01c1b03b1f8ef204f51f28da
SHA1

a113dd0581484fa2824c8b611f034672c35050c8
SHA256

6bb81c3f04523c87b00e700e9c1dfde2149db4684c44e1f7ec39aaa88e5531be
SHA512

37d6ec05e9950e3cc4519cb9e54c74bb8ad49ea33234b7e8de183743b663cb51430bbbb69c3ed7efbb87d54423fc02521f8d45db452ddd069b11cdc41bd52c00
SSDEEP

192:wxEDzU6qx7KO5cXARi/cjgE58iSwpkHBh7Cyy3XD8ORZeZAZnDiLee43/3Joq/cs:pkpxO5XAkASwpkHFy3BRN2LVK5oEy5E

Score

7^/10

Deletes itself 1 IoCs

pid	Process
2684	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
3056	02b53d6d01c1b03b1f8ef204f51f28da.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\oqrthc.cfg	02b53d6d01c1b03b1f8ef204f51f28da.exe
File opened for modification	C:\Windows\SysWOW64\oqrthc.dll	02b53d6d01c1b03b1f8ef204f51f28da.exe
File created	C:\Windows\SysWOW64\oqrthc.dll	02b53d6d01c1b03b1f8ef204f51f28da.exe
File created	C:\Windows\SysWOW64\msepbe.dll	02b53d6d01c1b03b1f8ef204f51f28da.exe
File opened for modification	C:\Windows\SysWOW64\msepbe.dll	02b53d6d01c1b03b1f8ef204f51f28da.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3056	02b53d6d01c1b03b1f8ef204f51f28da.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 1072	3056	02b53d6d01c1b03b1f8ef204f51f28da.exe	19
PID 3056 wrote to memory of 2684	3056	02b53d6d01c1b03b1f8ef204f51f28da.exe	29
PID 3056 wrote to memory of 2684	3056	02b53d6d01c1b03b1f8ef204f51f28da.exe	29
PID 3056 wrote to memory of 2684	3056	02b53d6d01c1b03b1f8ef204f51f28da.exe	29
PID 3056 wrote to memory of 2684	3056	02b53d6d01c1b03b1f8ef204f51f28da.exe	29

C:\Users\Admin\AppData\Local\Temp\02b53d6d01c1b03b1f8ef204f51f28da.exe
"C:\Users\Admin\AppData\Local\Temp\02b53d6d01c1b03b1f8ef204f51f28da.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\02b53d6d01c1b03b1f8ef204f51f28da.exe"
  2⤵
  - Deletes itself
  PID:2684

\Windows\SysWOW64\oqrthc.dll

Filesize
11KB

MD5
7d3841b33b6a439b49c50c42e3582ea6

SHA1
314bdce4176bc45cb654de8d438182b0a29e7cb6

SHA256
1167f396274e9d67a5fc199b61049d2d55c829ba32b0b0b2b5bee10c0fb74cc9

SHA512
3d3baa0013d8a1d8014391d71d304e50ebd0cb1b82a0678072d9dca46fae6f12e95e09b70e96e98b6529b60b093808258a0d82492b55afa4fa1394c4a04a909d

Download Submit
memory/1072-12-0x0000000002E20000-0x0000000002E21000-memory.dmp

Filesize
4KB

Download
memory/3056-11-0x000000000F000000-0x000000000F015000-memory.dmp

Filesize
84KB

Download