082c3ddd0394e13c889cc8f0d7d6c78625809b17515d135b6a78970609f641bc

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 01:22

Target

09f6959fbe42bc983bf89c5f68a15a90.exe
Size

699KB
MD5

09f6959fbe42bc983bf89c5f68a15a90
SHA1

19ddc7d71ee8455e8e9f6b6f088848bbb1a1bdbd
SHA256

082c3ddd0394e13c889cc8f0d7d6c78625809b17515d135b6a78970609f641bc
SHA512

81646d0f7a9b0f9a0aec6be4f9d1e580d40fd5d299a5d6ec7fa538f09e6278c204dcfd8882f61aa3340e3ad548c35304b8d6fb49c4187bd4b51254df4dc40de4
SSDEEP

12288:8PgnsBU8bTgrYhoW5As6mDvpQ5riKvXhvnZozqgR85F0B4Gcv75:q3nTgmoW5As1OMehvZozqC4/d

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
3476	Ravscc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Ravscc.DLL	Ravscc.exe
File created	C:\Windows\Ravscc.exe	09f6959fbe42bc983bf89c5f68a15a90.exe
File opened for modification	C:\Windows\Ravscc.exe	09f6959fbe42bc983bf89c5f68a15a90.exe
File created	C:\Windows\Ravscc.DLL	Ravscc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3476	Ravscc.exe
3476	Ravscc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3476	Ravscc.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 228 wrote to memory of 4084	228	09f6959fbe42bc983bf89c5f68a15a90.exe	52
PID 228 wrote to memory of 4084	228	09f6959fbe42bc983bf89c5f68a15a90.exe	52
PID 228 wrote to memory of 4084	228	09f6959fbe42bc983bf89c5f68a15a90.exe	52
PID 3476 wrote to memory of 616	3476	Ravscc.exe	5

C:\Users\Admin\AppData\Local\Temp\09f6959fbe42bc983bf89c5f68a15a90.exe
"C:\Users\Admin\AppData\Local\Temp\09f6959fbe42bc983bf89c5f68a15a90.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:228
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\uninstal.bat
  2⤵
  PID:4084

C:\Windows\Ravscc.exe

Filesize
699KB

MD5
09f6959fbe42bc983bf89c5f68a15a90

SHA1
19ddc7d71ee8455e8e9f6b6f088848bbb1a1bdbd

SHA256
082c3ddd0394e13c889cc8f0d7d6c78625809b17515d135b6a78970609f641bc

SHA512
81646d0f7a9b0f9a0aec6be4f9d1e580d40fd5d299a5d6ec7fa538f09e6278c204dcfd8882f61aa3340e3ad548c35304b8d6fb49c4187bd4b51254df4dc40de4

Download Submit
C:\Windows\Ravscc.exe

Filesize
389KB

MD5
4c3e52662cc3d213855026a965a6bf54

SHA1
7b4073d31377a432493d0f8c4405fa8b3e59dcbc

SHA256
1513641dbd48c5ed71246470070b21a632e56b98544e688c4ad001cb27e44367

SHA512
c8dfe0c78f905265fa0ccf04156a75627efac13f625feca3f41dddfa162510d07cd46cb6c0bb5b90ed511e094a61a6a7e3f6455a4389b6daf063a6c29edf48ce

Download Submit
C:\uninstal.bat

Filesize
190B

MD5
6283e8bdefd4b8e13029df5996c6a3ae

SHA1
50750fb159ae585faee4c68890389a4737c5d5b9

SHA256
437a15c0b15e1e8cf49ad5d76b8baa18ea6fb6f639375b51cfa39eaae30f8a31

SHA512
5acdb7072e41758782661b346c07c46abf9453ab1d4ac01e8bf43244bb2039a06f0db128386b5fc6ab1b5e53ab851be8c8396abcc5f89d34cff6b5db124e97cc

Download Submit
memory/228-8-0x0000000013140000-0x00000000131F4000-memory.dmp

Filesize
720KB

Download
memory/3476-10-0x0000000013140000-0x00000000131F4000-memory.dmp

Filesize
720KB

Download