f86019866491a4fdfc560662076b93fd4aa1909bcef4b0934be03b5ed4bb1c44

Analysis

max time kernel
126s
max time network
153s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 00:40

Target

08ce47d9b519cb199e21182b7c4294c2.exe
Size

17KB
MD5

08ce47d9b519cb199e21182b7c4294c2
SHA1

2c0b5bbf8cd4ba1dc933af105560375f68a487e8
SHA256

f86019866491a4fdfc560662076b93fd4aa1909bcef4b0934be03b5ed4bb1c44
SHA512

73b28afdfeb0fe8bce6e5e540288104f8edce89632936d0157ca01981602e67e1a27d718c87b50e9a3ec087f71498674b5e8c5a0aeac67ed2a13f984edf5ac7d
SSDEEP

384:a2qY3lXhGG2cjisVGzE6iOe8ZNZojKIngFrZ7gqLDyN:a2qOlXh3f5VGzhiOeGajKIQ71DyN

Score

7^/10

Deletes itself 1 IoCs

pid	Process
1556	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
2268	08ce47d9b519cb199e21182b7c4294c2.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\qdshm.dll	08ce47d9b519cb199e21182b7c4294c2.exe
File opened for modification	C:\Windows\SysWOW64\addrzthelp.cfg	08ce47d9b519cb199e21182b7c4294c2.exe
File opened for modification	C:\Windows\SysWOW64\addrzthelp.dll	08ce47d9b519cb199e21182b7c4294c2.exe
File created	C:\Windows\SysWOW64\addrzthelp.dll	08ce47d9b519cb199e21182b7c4294c2.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2268	08ce47d9b519cb199e21182b7c4294c2.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
2268	08ce47d9b519cb199e21182b7c4294c2.exe
468	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	2268	08ce47d9b519cb199e21182b7c4294c2.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 1556	2268	08ce47d9b519cb199e21182b7c4294c2.exe	29
PID 2268 wrote to memory of 1556	2268	08ce47d9b519cb199e21182b7c4294c2.exe	29
PID 2268 wrote to memory of 1556	2268	08ce47d9b519cb199e21182b7c4294c2.exe	29
PID 2268 wrote to memory of 1556	2268	08ce47d9b519cb199e21182b7c4294c2.exe	29

C:\Users\Admin\AppData\Local\Temp\08ce47d9b519cb199e21182b7c4294c2.exe
"C:\Users\Admin\AppData\Local\Temp\08ce47d9b519cb199e21182b7c4294c2.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\08ce47d9b519cb199e21182b7c4294c2.exe"
  2⤵
  - Deletes itself
  PID:1556

\Windows\SysWOW64\qdshm.dll

Filesize
9KB

MD5
46413212335b1ed65ad89b90c549bde5

SHA1
2f78dac8ca04c5322b8830a7b4261474d47d94b9

SHA256
605516d2bee1cf72660d0f5f082766310a66447724117303eabb2d4673222ddd

SHA512
da95ca73e6bd5c6474205ccd87f78b3833a2bfc594cb168d68e8890020f905b91539fb40a360dafcae95590a8e557148ef08a2585a9f7e9f449b671b8a356a75

Download Submit