f13435bb566e456dc5d9c2729070516be128d0c85cdf774b8a03922978c30571

Analysis

max time kernel
32s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30-12-2023 02:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0be1543281284a538e86056bc7627e9f.exe
Size

1.5MB
MD5

0be1543281284a538e86056bc7627e9f
SHA1

e2b98ebce9fd5a686b6625c053b86ba2886c10f2
SHA256

f13435bb566e456dc5d9c2729070516be128d0c85cdf774b8a03922978c30571
SHA512

7d4821dbb7696ddf88c1a2ae0949924e730cce4a43eb8e18ba1c187f75b1aad3c90e2acde11d069f909da7179459365c3c20be43cda546da0c9142436dcc5b8c
SSDEEP

49152:6c/56UhQmL9C1qwgCgdDGP+dC7xr3bvdT:6c/5e71qwgCglGP+6vdT

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
2664	winsyst32x2.exe
1784	winsyst32x2.exe
2284	winsyst32x2.exe
2432	winsyst32x2.exe
2116	winsyst32x2.exe

Loads dropped DLL 10 IoCs

pid	Process
3068	0be1543281284a538e86056bc7627e9f.exe
3068	0be1543281284a538e86056bc7627e9f.exe
2664	winsyst32x2.exe
2664	winsyst32x2.exe
1784	Process not Found
1784	Process not Found
2284	winsyst32x2.exe
2284	winsyst32x2.exe
2432	winsyst32x2.exe
2432	winsyst32x2.exe

Drops file in System32 directory 11 IoCs

description	ioc	Process
File created	\??\c:\windows\SysWOW64\modexspx.exe	0be1543281284a538e86056bc7627e9f.exe
File created	\??\c:\windows\SysWOW64\winsyst32x2.exe	winsyst32x2.exe
File opened for modification	\??\c:\windows\SysWOW64\modexspx.exe	Process not Found
File opened for modification	\??\c:\windows\SysWOW64\modexspx.exe	winsyst32x2.exe
File opened for modification	\??\c:\windows\SysWOW64\modexspx.exe	winsyst32x2.exe
File opened for modification	\??\c:\windows\SysWOW64\modexspx.exe	0be1543281284a538e86056bc7627e9f.exe
File created	\??\c:\windows\SysWOW64\winsyst32x2.exe	0be1543281284a538e86056bc7627e9f.exe
File opened for modification	\??\c:\windows\SysWOW64\modexspx.exe	winsyst32x2.exe
File created	\??\c:\windows\SysWOW64\winsyst32x2.exe	Process not Found
File created	\??\c:\windows\SysWOW64\winsyst32x2.exe	winsyst32x2.exe
File created	\??\c:\windows\SysWOW64\winsyst32x2.exe	winsyst32x2.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3068	0be1543281284a538e86056bc7627e9f.exe
3068	0be1543281284a538e86056bc7627e9f.exe
2664	winsyst32x2.exe
2664	winsyst32x2.exe
1784	winsyst32x2.exe
1784	Process not Found
1784	Process not Found
2284	winsyst32x2.exe
2284	winsyst32x2.exe
2284	winsyst32x2.exe
2432	winsyst32x2.exe
2432	winsyst32x2.exe
2432	winsyst32x2.exe
2116	winsyst32x2.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	3068	0be1543281284a538e86056bc7627e9f.exe
Token: SeDebugPrivilege	3068	0be1543281284a538e86056bc7627e9f.exe
Token: SeDebugPrivilege	2664	winsyst32x2.exe
Token: SeDebugPrivilege	2664	winsyst32x2.exe
Token: SeDebugPrivilege	1784	Process not Found
Token: SeDebugPrivilege	1784	Process not Found
Token: SeDebugPrivilege	2284	winsyst32x2.exe
Token: SeDebugPrivilege	2284	winsyst32x2.exe
Token: SeDebugPrivilege	2432	winsyst32x2.exe
Token: SeDebugPrivilege	2432	winsyst32x2.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 2664	3068	0be1543281284a538e86056bc7627e9f.exe	28
PID 3068 wrote to memory of 2664	3068	0be1543281284a538e86056bc7627e9f.exe	28
PID 3068 wrote to memory of 2664	3068	0be1543281284a538e86056bc7627e9f.exe	28
PID 3068 wrote to memory of 2664	3068	0be1543281284a538e86056bc7627e9f.exe	28
PID 2664 wrote to memory of 1784	2664	winsyst32x2.exe	29
PID 2664 wrote to memory of 1784	2664	winsyst32x2.exe	29
PID 2664 wrote to memory of 1784	2664	winsyst32x2.exe	29
PID 2664 wrote to memory of 1784	2664	winsyst32x2.exe	29
PID 1784 wrote to memory of 2284	1784	Process not Found	30
PID 1784 wrote to memory of 2284	1784	Process not Found	30
PID 1784 wrote to memory of 2284	1784	Process not Found	30
PID 1784 wrote to memory of 2284	1784	Process not Found	30
PID 2284 wrote to memory of 2432	2284	winsyst32x2.exe	31
PID 2284 wrote to memory of 2432	2284	winsyst32x2.exe	31
PID 2284 wrote to memory of 2432	2284	winsyst32x2.exe	31
PID 2284 wrote to memory of 2432	2284	winsyst32x2.exe	31
PID 2432 wrote to memory of 2116	2432	winsyst32x2.exe	32
PID 2432 wrote to memory of 2116	2432	winsyst32x2.exe	32
PID 2432 wrote to memory of 2116	2432	winsyst32x2.exe	32
PID 2432 wrote to memory of 2116	2432	winsyst32x2.exe	32

C:\Users\Admin\AppData\Local\Temp\0be1543281284a538e86056bc7627e9f.exe
"C:\Users\Admin\AppData\Local\Temp\0be1543281284a538e86056bc7627e9f.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3068
- \??\c:\windows\SysWOW64\winsyst32x2.exe
  "c:\windows\system32\winsyst32x2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2664
- - \??\c:\windows\SysWOW64\winsyst32x2.exe
    "c:\windows\system32\winsyst32x2.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1784
  - - \??\c:\windows\SysWOW64\winsyst32x2.exe
      "c:\windows\system32\winsyst32x2.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2284
    - - \??\c:\windows\SysWOW64\winsyst32x2.exe
        
        "c:\windows\system32\winsyst32x2.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2432
      - \??\c:\windows\SysWOW64\winsyst32x2.exe
        
        "c:\windows\system32\winsyst32x2.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2116
        
        \??\c:\windows\SysWOW64\winsyst32x2.exe
        
        "c:\windows\system32\winsyst32x2.exe"
        7⤵
        
        PID:2932
        
        \??\c:\windows\SysWOW64\winsyst32x2.exe
        
        "c:\windows\system32\winsyst32x2.exe"
        8⤵
        
        PID:1436
        
        \??\c:\windows\SysWOW64\winsyst32x2.exe
        
        "c:\windows\system32\winsyst32x2.exe"
        9⤵
        
        PID:2108
        
        \??\c:\windows\SysWOW64\winsyst32x2.exe
        
        "c:\windows\system32\winsyst32x2.exe"
        10⤵
        
        PID:2324
        
        \??\c:\windows\SysWOW64\winsyst32x2.exe
        
        "c:\windows\system32\winsyst32x2.exe"
        11⤵
        
        PID:1376
        
        \??\c:\windows\SysWOW64\winsyst32x2.exe
        
        "c:\windows\system32\winsyst32x2.exe"
        12⤵
        
        PID:2060
        
        \??\c:\windows\SysWOW64\winsyst32x2.exe
        
        "c:\windows\system32\winsyst32x2.exe"
        13⤵
        
        PID:2864
        
        \??\c:\windows\SysWOW64\winsyst32x2.exe
        
        "c:\windows\system32\winsyst32x2.exe"
        14⤵
        
        PID:1828
        
        \??\c:\windows\SysWOW64\winsyst32x2.exe
        
        "c:\windows\system32\winsyst32x2.exe"
        15⤵
        
        PID:2836
        
        \??\c:\windows\SysWOW64\winsyst32x2.exe
        
        "c:\windows\system32\winsyst32x2.exe"
        16⤵
        
        PID:1868
        
        \??\c:\windows\SysWOW64\winsyst32x2.exe
        
        "c:\windows\system32\winsyst32x2.exe"
        17⤵
        
        PID:2324
        
        \??\c:\windows\SysWOW64\winsyst32x2.exe
        
        "c:\windows\system32\winsyst32x2.exe"
        18⤵
        
        PID:1956
        
        \??\c:\windows\SysWOW64\winsyst32x2.exe
        
        "c:\windows\system32\winsyst32x2.exe"
        19⤵
        
        PID:1984
        
        \??\c:\windows\SysWOW64\winsyst32x2.exe
        
        "c:\windows\system32\winsyst32x2.exe"
        20⤵
        
        PID:1580
        
        \??\c:\windows\SysWOW64\winsyst32x2.exe
        
        "c:\windows\system32\winsyst32x2.exe"
        21⤵
        
        PID:2160
        
        \??\c:\windows\SysWOW64\winsyst32x2.exe
        
        "c:\windows\system32\winsyst32x2.exe"
        22⤵
        
        PID:2836
        
        \??\c:\windows\SysWOW64\winsyst32x2.exe
        
        "c:\windows\system32\winsyst32x2.exe"
        23⤵
        
        PID:1720
        
        \??\c:\windows\SysWOW64\winsyst32x2.exe
        
        "c:\windows\system32\winsyst32x2.exe"
        24⤵
        
        PID:2356

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\winsyst32x2.exe

Filesize
1024KB

MD5
4012b4a8bd2a2100ebb46aec4005823a

SHA1
9aa2edfa1f64a437e65722f0ceca2bd5345b6779

SHA256
ff2b7e948ff468a3e427daf31e655916c0b0f01b4aa88021003868b65f4eef2c

SHA512
306adb17670c7527d92265b686a5f2a68e4422b0189ccb369ce02c9737f8f3395e908efed45fb33ba80b5261dd9e4e0ea6279f95dd566d21488b34d6057c2802

Download Submit
\??\c:\windows\SysWOW64\modexspx.exe

Filesize
381KB

MD5
6ccb7344cdb7d079771b97478d14c1a9

SHA1
fa59bcdb6dae2b4979c83b6731cf8f6c347aaab0

SHA256
aacfb110d7fe0a0f735f5a65005e1049e052bc339eb36445af670ff1f5c1cd3c

SHA512
e5abb3d8c2fdeeecae7d47c8b11b4e16fdd79074c573c2d860fbd52d4bc9fb3f4194499de50c97982c78e0940d99209726656d70c6a1e8f27a547230cc27fd5e

Download Submit
\??\c:\windows\SysWOW64\winsyst32x2.exe

Filesize
856KB

MD5
909ef11a8c4d2122125fcb169c576b42

SHA1
91751a245329353a7e58007640e5a31a29b4442d

SHA256
c56883c7a2efd467f3d7a48c86ef8c602c9cc60d4782ec6ed89f665c7d5f60a7

SHA512
ada4ecf57a161f16c425985d93d2953a3e2bcc1b72cb7855af7d369ffc38f4137bc0a48b439469cf33931bec5ad9149a6566ff345466b76bd3c3e254df94441b

Download Submit
\Windows\SysWOW64\winsyst32x2.exe

Filesize
1.0MB

MD5
3e265083a951b0a1b92f4cfefc4a5c76

SHA1
035d698612d52e09df3502053ddf052071157e05

SHA256
89da55fb13596d4b94f75a7215a95d7ea479b5d8a9690cd3c4ecaa8b11bf0187

SHA512
55cf4512417f8415ca1f17010d2be192f32f2dbdd31cea9baabb3c5ad6093743b06aea637fccd7791175c34060ce9e4402e78dc1c055c57d7d413e1df7e8cf7f

Download Submit
\Windows\SysWOW64\winsyst32x2.exe

Filesize
1.1MB

MD5
77383fb72cc134693ecaa011605333ef

SHA1
068f44e65d76b1cf26c01dd2e63a9bbbcc75f60c

SHA256
67ca9ff2a2e1ddb35f9fc19c68cbaf10bb0e2a1f7f1ceab63812701706b6e766

SHA512
f65c8f29381df97cde6d33151937b97f910609cc121d820d7fbf0e56b34f87b46cb1d3e0434c6375a10284bf721806660cedec895870b8d4088a6166aa935aed

Download Submit
memory/1376-371-0x0000000000400000-0x000000000072F000-memory.dmp

Filesize
3.2MB

Download
memory/1436-270-0x0000000000400000-0x000000000072F000-memory.dmp

Filesize
3.2MB

Download
memory/1580-598-0x0000000000400000-0x000000000072F000-memory.dmp

Filesize
3.2MB

Download
memory/1720-661-0x0000000000400000-0x000000000072F000-memory.dmp

Filesize
3.2MB

Download
memory/1784-82-0x00000000044A0000-0x00000000044A1000-memory.dmp

Filesize
4KB

Download
memory/1784-81-0x00000000044D0000-0x00000000044D2000-memory.dmp

Filesize
8KB

Download
memory/1784-76-0x0000000004430000-0x0000000004431000-memory.dmp

Filesize
4KB

Download
memory/1784-80-0x00000000044C0000-0x00000000044C1000-memory.dmp

Filesize
4KB

Download
memory/1784-69-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1784-79-0x00000000043C0000-0x00000000043C1000-memory.dmp

Filesize
4KB

Download
memory/1784-78-0x0000000004420000-0x0000000004421000-memory.dmp

Filesize
4KB

Download
memory/1784-77-0x00000000043D0000-0x00000000043D1000-memory.dmp

Filesize
4KB

Download
memory/1784-104-0x0000000000400000-0x000000000072F000-memory.dmp

Filesize
3.2MB

Download
memory/1784-71-0x0000000000400000-0x000000000072F000-memory.dmp

Filesize
3.2MB

Download
memory/1784-72-0x0000000004440000-0x0000000004441000-memory.dmp

Filesize
4KB

Download
memory/1784-75-0x00000000043E0000-0x00000000043E2000-memory.dmp

Filesize
8KB

Download
memory/1828-418-0x0000000000400000-0x000000000072F000-memory.dmp

Filesize
3.2MB

Download
memory/1868-484-0x0000000000400000-0x000000000072F000-memory.dmp

Filesize
3.2MB

Download
memory/1956-543-0x0000000000400000-0x000000000072F000-memory.dmp

Filesize
3.2MB

Download
memory/1984-570-0x0000000000400000-0x000000000072F000-memory.dmp

Filesize
3.2MB

Download
memory/2060-379-0x0000000000400000-0x000000000072F000-memory.dmp

Filesize
3.2MB

Download
memory/2108-303-0x0000000000400000-0x000000000072F000-memory.dmp

Filesize
3.2MB

Download
memory/2116-203-0x0000000000400000-0x000000000072F000-memory.dmp

Filesize
3.2MB

Download
memory/2160-600-0x0000000000400000-0x000000000072F000-memory.dmp

Filesize
3.2MB

Download
memory/2284-137-0x0000000000400000-0x000000000072F000-memory.dmp

Filesize
3.2MB

Download
memory/2324-338-0x0000000000400000-0x000000000072F000-memory.dmp

Filesize
3.2MB

Download
memory/2324-513-0x0000000000400000-0x000000000072F000-memory.dmp

Filesize
3.2MB

Download
memory/2432-168-0x0000000000400000-0x000000000072F000-memory.dmp

Filesize
3.2MB

Download
memory/2664-49-0x00000000044A0000-0x00000000044A1000-memory.dmp

Filesize
4KB

Download
memory/2664-47-0x00000000044D0000-0x00000000044D1000-memory.dmp

Filesize
4KB

Download
memory/2664-60-0x0000000004500000-0x0000000004501000-memory.dmp

Filesize
4KB

Download
memory/2664-59-0x00000000042B0000-0x00000000042B1000-memory.dmp

Filesize
4KB

Download
memory/2664-58-0x00000000042D0000-0x00000000042D1000-memory.dmp

Filesize
4KB

Download
memory/2664-57-0x0000000001FB0000-0x0000000001FB1000-memory.dmp

Filesize
4KB

Download
memory/2664-56-0x00000000045A0000-0x00000000045A1000-memory.dmp

Filesize
4KB

Download
memory/2664-55-0x0000000004480000-0x0000000004481000-memory.dmp

Filesize
4KB

Download
memory/2664-54-0x0000000004590000-0x0000000004591000-memory.dmp

Filesize
4KB

Download
memory/2664-53-0x00000000044C0000-0x00000000044C1000-memory.dmp

Filesize
4KB

Download
memory/2664-52-0x00000000044F0000-0x00000000044F1000-memory.dmp

Filesize
4KB

Download
memory/2664-51-0x0000000004490000-0x0000000004491000-memory.dmp

Filesize
4KB

Download
memory/2664-50-0x0000000004520000-0x0000000004522000-memory.dmp

Filesize
8KB

Download
memory/2664-61-0x0000000004530000-0x0000000004531000-memory.dmp

Filesize
4KB

Download
memory/2664-48-0x00000000044E0000-0x00000000044E1000-memory.dmp

Filesize
4KB

Download
memory/2664-70-0x0000000000400000-0x000000000072F000-memory.dmp

Filesize
3.2MB

Download
memory/2664-46-0x00000000042F0000-0x00000000042F1000-memory.dmp

Filesize
4KB

Download
memory/2664-45-0x0000000004280000-0x0000000004281000-memory.dmp

Filesize
4KB

Download
memory/2664-44-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2664-43-0x0000000004290000-0x0000000004291000-memory.dmp

Filesize
4KB

Download
memory/2664-42-0x00000000042A0000-0x00000000042A2000-memory.dmp

Filesize
8KB

Download
memory/2664-41-0x0000000004300000-0x0000000004301000-memory.dmp

Filesize
4KB

Download
memory/2664-62-0x0000000004310000-0x0000000004311000-memory.dmp

Filesize
4KB

Download
memory/2664-35-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2664-63-0x0000000004320000-0x0000000004321000-memory.dmp

Filesize
4KB

Download
memory/2664-64-0x0000000004750000-0x0000000004752000-memory.dmp

Filesize
8KB

Download
memory/2664-68-0x0000000004330000-0x0000000004331000-memory.dmp

Filesize
4KB

Download
memory/2664-40-0x0000000000400000-0x000000000072F000-memory.dmp

Filesize
3.2MB

Download
memory/2836-453-0x0000000000400000-0x000000000072F000-memory.dmp

Filesize
3.2MB

Download
memory/2836-631-0x0000000000400000-0x000000000072F000-memory.dmp

Filesize
3.2MB

Download
memory/2864-385-0x0000000000400000-0x000000000072F000-memory.dmp

Filesize
3.2MB

Download
memory/2932-237-0x0000000000400000-0x000000000072F000-memory.dmp

Filesize
3.2MB

Download
memory/3068-2-0x0000000000400000-0x000000000072F000-memory.dmp

Filesize
3.2MB

Download
memory/3068-7-0x00000000043D0000-0x00000000043D1000-memory.dmp

Filesize
4KB

Download
memory/3068-8-0x0000000004420000-0x0000000004421000-memory.dmp

Filesize
4KB

Download
memory/3068-9-0x00000000043C0000-0x00000000043C1000-memory.dmp

Filesize
4KB

Download
memory/3068-10-0x00000000044E0000-0x00000000044E1000-memory.dmp

Filesize
4KB

Download
memory/3068-6-0x0000000004430000-0x0000000004431000-memory.dmp

Filesize
4KB

Download
memory/3068-11-0x00000000044B0000-0x00000000044B1000-memory.dmp

Filesize
4KB

Download
memory/3068-12-0x0000000004560000-0x0000000004561000-memory.dmp

Filesize
4KB

Download
memory/3068-13-0x00000000044A0000-0x00000000044A1000-memory.dmp

Filesize
4KB

Download
memory/3068-14-0x0000000004510000-0x0000000004511000-memory.dmp

Filesize
4KB

Download
memory/3068-5-0x00000000043E0000-0x00000000043E2000-memory.dmp

Filesize
8KB

Download
memory/3068-15-0x0000000004480000-0x0000000004481000-memory.dmp

Filesize
4KB

Download
memory/3068-16-0x0000000004180000-0x0000000004181000-memory.dmp

Filesize
4KB

Download
memory/3068-17-0x0000000004410000-0x0000000004411000-memory.dmp

Filesize
4KB

Download
memory/3068-18-0x00000000043F0000-0x00000000043F1000-memory.dmp

Filesize
4KB

Download
memory/3068-19-0x0000000004520000-0x0000000004521000-memory.dmp

Filesize
4KB

Download
memory/3068-4-0x0000000004440000-0x0000000004441000-memory.dmp

Filesize
4KB

Download
memory/3068-20-0x0000000004490000-0x0000000004491000-memory.dmp

Filesize
4KB

Download
memory/3068-37-0x0000000000400000-0x000000000072F000-memory.dmp

Filesize
3.2MB

Download
memory/3068-21-0x00000000044D0000-0x00000000044D1000-memory.dmp

Filesize
4KB

Download
memory/3068-22-0x0000000004780000-0x0000000004782000-memory.dmp

Filesize
8KB

Download
memory/3068-23-0x0000000004550000-0x0000000004551000-memory.dmp

Filesize
4KB

Download
memory/3068-24-0x0000000004450000-0x0000000004451000-memory.dmp

Filesize
4KB

Download
memory/3068-25-0x0000000004460000-0x0000000004461000-memory.dmp

Filesize
4KB

Download
memory/3068-26-0x0000000004500000-0x0000000004501000-memory.dmp

Filesize
4KB

Download
memory/3068-1-0x00000000002E0000-0x00000000003C7000-memory.dmp

Filesize
924KB

Download
memory/3068-0-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download