c032e7355a59c268614cb55ebe3d4c83dc3e75929bf62f7d2e18c895cad64af5

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 22:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HOTFIX/KB842773.exe
Size

725KB
MD5

6efc8240302b4cfe1fdd0a990852581d
SHA1

045e580d1d4f3009955746d315d5e1681809950c
SHA256

1e05f13490a252dd34b4ca73e40432968f4b634b4cae5a4653a0debc47995f5b
SHA512

f7c0dde227199051d9757b32e7b72712ce29ff7a76b120d4bc844ccacc2ddbfcbb2410d5b729475894ef552fe046c42b95aef584c3ca0458fed223ed957acfab
SSDEEP

12288:lGfimaK9/vCq6YDOTZ2J8Giq/4OC+leGZOjLOl76WdOBmFkwWX/MmbCU:l4iY9/vCzbsoqAB+kGZOfO1fOMFkwWXX

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2808	UPDATE.EXE

Loads dropped DLL 5 IoCs

pid	Process
2336	KB842773.exe
2336	KB842773.exe
2808	UPDATE.EXE
2808	UPDATE.EXE
2808	UPDATE.EXE

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\setupapi.log	UPDATE.EXE
File opened for modification	C:\Windows\KB842773.log	UPDATE.EXE

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeRestorePrivilege	2808	UPDATE.EXE
Token: SeRestorePrivilege	2808	UPDATE.EXE
Token: SeRestorePrivilege	2808	UPDATE.EXE
Token: SeRestorePrivilege	2808	UPDATE.EXE
Token: SeRestorePrivilege	2808	UPDATE.EXE
Token: SeRestorePrivilege	2808	UPDATE.EXE
Token: SeRestorePrivilege	2808	UPDATE.EXE
Token: SeBackupPrivilege	2808	UPDATE.EXE
Token: SeRestorePrivilege	2808	UPDATE.EXE
Token: SeShutdownPrivilege	2808	UPDATE.EXE
Token: SeSecurityPrivilege	2808	UPDATE.EXE
Token: SeTakeOwnershipPrivilege	2808	UPDATE.EXE

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 2808	2336	KB842773.exe	28
PID 2336 wrote to memory of 2808	2336	KB842773.exe	28
PID 2336 wrote to memory of 2808	2336	KB842773.exe	28
PID 2336 wrote to memory of 2808	2336	KB842773.exe	28
PID 2336 wrote to memory of 2808	2336	KB842773.exe	28
PID 2336 wrote to memory of 2808	2336	KB842773.exe	28
PID 2336 wrote to memory of 2808	2336	KB842773.exe	28

C:\Users\Admin\AppData\Local\Temp\HOTFIX\KB842773.exe
"C:\Users\Admin\AppData\Local\Temp\HOTFIX\KB842773.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2336
- \??\c:\258c0be8793935c453a65b803b4e\update\UPDATE.EXE
  c:\258c0be8793935c453a65b803b4e\update\UPDATE.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2808

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\258c0be8793935c453a65b803b4e\update\update.exe

Filesize
239KB

MD5
843426a4dbb9fc2e8d9884e57fe9608e

SHA1
07d513bae27158d5f0d7aa8baf591b05a3b78ecf

SHA256
2de5324a29890fb9cdcb2568de7269448d2a2ce106b6f416b4eba24eb884ca89

SHA512
284aadd0f25d30303ef722487ad03c90325dfcf3e554709c3b7868da45807d2dec92bb4379b4daccee4450a25325fab6231260e9e5f1b217db59595ae528dbef

Download Submit
\258c0be8793935c453a65b803b4e\_sfx_.dll

Filesize
25KB

MD5
ee207e35aea4d5df41d90221e1b66efa

SHA1
757469cf9ad2f21f267bbe730560114fdf8a89a5

SHA256
cf64c95e9a2d02967efc22b00efb3736156b913a95231eb63c1df45d43475e64

SHA512
43e9f75725daa4f3428b2d9cee2c2cc8b2f2e991b8e58d72d2f429fbdfb614c86d172f03d3f9da98756bd4e245643d9a57c6efa422d6c60ad364a2322245542d

Download Submit
\258c0be8793935c453a65b803b4e\update\update.exe

Filesize
284KB

MD5
ac3fb971ba75668a7d135d0cbeaab215

SHA1
22cff91ceeab074b6e8db3c787baf08103e76b82

SHA256
499bf114295f7ae8fac25beb73f7d2ddb1730e6aff56de19052cbac309a86b45

SHA512
291473722c2f28b40d26751c641faadc6d732b7c833f83d5c70ab07911bea5d975431567bfad406452a388d5beba2bf3eca19df2f394cc2040233a319a3195bb

Download Submit
\258c0be8793935c453a65b803b4e\update\update.exe

Filesize
223KB

MD5
7700f924f68e88156113c4f1841278c4

SHA1
067c1a65fe6c3c0f59173cd004a7b7bb2a07ce87

SHA256
2bb557b0e3a8868fee7ebfa8c02f06590462ecdf1394e10cd330f588a8c4fd0a

SHA512
c600324ca757d0104a42e5d19167ff584cce46c27b890ad06c0dc837388b161e9cb98312c964d4711a97df5416f0578ed2860d1674e3e502ff47f28124ec24fe

Download Submit
\258c0be8793935c453a65b803b4e\update\update.exe

Filesize
289KB

MD5
d3aea828d9cb2713d8a70aaf291792e5

SHA1
5cabcf83f747ba1efb641e88c215d3d8749f6356

SHA256
faaf7ec74bb840439cffd7760d67287b7b3a75ee25e49af00cf7da97cdc331ca

SHA512
93c8f8640ea105527f53b7a6eb3ecd8cfea62b35e0853982ca415266ecc869bfec67dde19edd913bb7ec7de3b8593b308626d9f570a1aa5f59764ca0a363404c

Download Submit
\258c0be8793935c453a65b803b4e\update\update.exe

Filesize
34KB

MD5
774843eb486b32d1acd19d1c39f98b76

SHA1
e3000a8a15bf55744b4730e25b828908f62e8e68

SHA256
3765ffb2f3ba1dcb6a44f7b370c30dc5bff9eaa673d5d94642e28e6d69d7c093

SHA512
e96dea9eb07411cf0e63199a81fb958e6398f502e3afaee9b463e87c9065be13a00aa3527fdaf2cb3a46eb4c4444c2e076256684bc0d278075ee563c4625dd77

Download Submit