46daced000b6acad577fe43ec7274213e2d709472fdc034b7380cfd495796b57

Analysis

max time kernel
151s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 11:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1747f703a6fa7a521cbea8cc866fd1a2.exe
Size

567KB
MD5

1747f703a6fa7a521cbea8cc866fd1a2
SHA1

7bb72225cd0b95f70bfad3f21c82dcedbbe968e3
SHA256

46daced000b6acad577fe43ec7274213e2d709472fdc034b7380cfd495796b57
SHA512

1b10d276833f58773e03c918d40e14f67f0d4d91d6558fe77462cf51131cc81ae9b374192b9b4e390c41e8d6dd130913b6240ccdf1a5810126b6c4971904ff8c
SSDEEP

12288:KqkKEfDarURDBRsouUbaLFC1HQo30veVk/wZeVCoe0:KVfeYDSjRGVk/2ef

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1968	DCOM Sev.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DCOM Sev.exe	1747f703a6fa7a521cbea8cc866fd1a2.exe
File created	C:\Windows\GUOCYOKl.BAT	1747f703a6fa7a521cbea8cc866fd1a2.exe
File created	C:\Windows\DCOM Sev.exe	1747f703a6fa7a521cbea8cc866fd1a2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3676	1747f703a6fa7a521cbea8cc866fd1a2.exe
Token: SeDebugPrivilege	1968	DCOM Sev.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1968	DCOM Sev.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3676 wrote to memory of 3472	3676	1747f703a6fa7a521cbea8cc866fd1a2.exe	93
PID 3676 wrote to memory of 3472	3676	1747f703a6fa7a521cbea8cc866fd1a2.exe	93
PID 3676 wrote to memory of 3472	3676	1747f703a6fa7a521cbea8cc866fd1a2.exe	93

C:\Users\Admin\AppData\Local\Temp\1747f703a6fa7a521cbea8cc866fd1a2.exe
"C:\Users\Admin\AppData\Local\Temp\1747f703a6fa7a521cbea8cc866fd1a2.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3676
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\GUOCYOKl.BAT
  2⤵
  PID:3472

C:\Windows\DCOM Sev.exe
"C:\Windows\DCOM Sev.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1968

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\DCOM Sev.exe

Filesize
428KB

MD5
497a9f9bca56e5ca878d049b38061578

SHA1
5ef7231d2136ced85e128de7767615b614ddfcaf

SHA256
223ad62339fe693f659a9a7d69f8d6781e0e284dcd0e9d43c79181096dff8b69

SHA512
a0cdcbc101423c622353260ca6b6e5799c143f71dcd561aba1a115784596b02a4a77c564b971d19faeec341c60dbe89ee828e41a5f8df591bf2965dcacde9f0d

Download Submit
C:\Windows\DCOM Sev.exe

Filesize
401KB

MD5
aff39ca7472dea851fdefcf9c0f67a0f

SHA1
e8f4c87dffa9d80e041058d7f6498d72b204745e

SHA256
f2ad41ffea1ed59843ae6c34987aafb7956076a1525123c937f0e551a722b66d

SHA512
3a0e4dcc5a667f2b0b34b6173154bb8503eceb05de71ebf46e85d6ec1ae135c36ddd730c7d045ca0758b66e64a37eb56f7030effc372eac1bd1adac266c26c68

Download Submit
C:\Windows\GUOCYOKl.BAT

Filesize
192B

MD5
f4fffecbcce2f172e6b8c3f683eccc4f

SHA1
776641452902890bda9fe087c8692da3994a9b28

SHA256
e80ca15d14ea4694a6efaa881ad2b22080c501f35632245f11eeef13e337ba9a

SHA512
8c3dc6b233c1c245b1e90d5560ae48e239ff3e9a5feac1891083e8761337f7b69f23b169fd6ea47378f641956dc538414c472e4870f1c904f1810751ec9f23bf

Download Submit
memory/1968-28-0x0000000001670000-0x0000000001770000-memory.dmp

Filesize
1024KB

Download
memory/1968-27-0x0000000001600000-0x0000000001700000-memory.dmp

Filesize
1024KB

Download
memory/1968-51-0x0000000000D70000-0x0000000000DBB000-memory.dmp

Filesize
300KB

Download
memory/1968-47-0x0000000001670000-0x0000000001770000-memory.dmp

Filesize
1024KB

Download
memory/1968-49-0x0000000001670000-0x0000000001770000-memory.dmp

Filesize
1024KB

Download
memory/1968-50-0x00000000011C0000-0x00000000011C1000-memory.dmp

Filesize
4KB

Download
memory/1968-48-0x0000000001670000-0x0000000001770000-memory.dmp

Filesize
1024KB

Download
memory/1968-44-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/1968-46-0x0000000001670000-0x0000000001770000-memory.dmp

Filesize
1024KB

Download
memory/1968-45-0x0000000001600000-0x0000000001700000-memory.dmp

Filesize
1024KB

Download
memory/1968-29-0x0000000001670000-0x0000000001770000-memory.dmp

Filesize
1024KB

Download
memory/1968-30-0x0000000001670000-0x0000000001770000-memory.dmp

Filesize
1024KB

Download
memory/1968-31-0x0000000001670000-0x0000000001770000-memory.dmp

Filesize
1024KB

Download
memory/1968-38-0x0000000001650000-0x0000000001651000-memory.dmp

Filesize
4KB

Download
memory/1968-32-0x0000000001610000-0x0000000001611000-memory.dmp

Filesize
4KB

Download
memory/1968-36-0x00000000011C0000-0x00000000011C1000-memory.dmp

Filesize
4KB

Download
memory/1968-33-0x0000000001640000-0x0000000001641000-memory.dmp

Filesize
4KB

Download
memory/1968-34-0x0000000001630000-0x0000000001631000-memory.dmp

Filesize
4KB

Download
memory/1968-35-0x0000000001620000-0x0000000001621000-memory.dmp

Filesize
4KB

Download
memory/1968-37-0x0000000000D70000-0x0000000000DBB000-memory.dmp

Filesize
300KB

Download
memory/1968-26-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/3676-5-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/3676-14-0x0000000002B00000-0x0000000002C00000-memory.dmp

Filesize
1024KB

Download
memory/3676-6-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/3676-8-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/3676-12-0x0000000002B00000-0x0000000002C00000-memory.dmp

Filesize
1024KB

Download
memory/3676-2-0x0000000002570000-0x0000000002571000-memory.dmp

Filesize
4KB

Download
memory/3676-3-0x0000000002590000-0x0000000002591000-memory.dmp

Filesize
4KB

Download
memory/3676-4-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/3676-7-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download
memory/3676-9-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/3676-13-0x0000000002B00000-0x0000000002C00000-memory.dmp

Filesize
1024KB

Download
memory/3676-11-0x0000000002B00000-0x0000000002C00000-memory.dmp

Filesize
1024KB

Download
memory/3676-0-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/3676-42-0x0000000002350000-0x000000000239B000-memory.dmp

Filesize
300KB

Download
memory/3676-41-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/3676-1-0x0000000002350000-0x000000000239B000-memory.dmp

Filesize
300KB

Download
memory/3676-16-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/3676-17-0x00000000022D0000-0x00000000022D1000-memory.dmp

Filesize
4KB

Download
memory/3676-18-0x0000000002AD0000-0x0000000002AD1000-memory.dmp

Filesize
4KB

Download
memory/3676-19-0x0000000002AC0000-0x0000000002AC1000-memory.dmp

Filesize
4KB

Download
memory/3676-21-0x0000000002700000-0x0000000002701000-memory.dmp

Filesize
4KB

Download
memory/3676-20-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

Filesize
4KB

Download
memory/3676-15-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

Filesize
4KB

Download
memory/3676-10-0x0000000002A90000-0x0000000002A92000-memory.dmp

Filesize
8KB

Download