b4972ae67df4a75622a11cf5ebbaaf898d4755b6a6f86dd8cfccc140fa7039e5

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 11:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17868bf758cb6bb3a077b44a24b5235a.exe
Size

103KB
MD5

17868bf758cb6bb3a077b44a24b5235a
SHA1

a554dd9bb14d9abf1951b87f8fd90d6a3bef204d
SHA256

b4972ae67df4a75622a11cf5ebbaaf898d4755b6a6f86dd8cfccc140fa7039e5
SHA512

2d130c6a9986fc4e56450015b62dcbf0a2dc5f410ce1f968b6a1da282f6523c7258c6362b00a2f59db795753922d564b094c5cf8b44fd4c5fd7e6c76506b57ad
SSDEEP

768:+akLN9L/MxPloy+hXyiA2IRyblMrAf2QdL0Ws4nsegRzSzXadItTjpwtF2WSfGSb:YNKxtCX424eluABS4segRd6BwtFH56

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2396	17868bf758cb6bb3a077b44a24b5235a.exe

Suspicious behavior: MapViewOfSection 21 IoCs

pid	Process
2396	17868bf758cb6bb3a077b44a24b5235a.exe
2396	17868bf758cb6bb3a077b44a24b5235a.exe
2396	17868bf758cb6bb3a077b44a24b5235a.exe
2396	17868bf758cb6bb3a077b44a24b5235a.exe
2396	17868bf758cb6bb3a077b44a24b5235a.exe
2396	17868bf758cb6bb3a077b44a24b5235a.exe
2396	17868bf758cb6bb3a077b44a24b5235a.exe
2396	17868bf758cb6bb3a077b44a24b5235a.exe
2396	17868bf758cb6bb3a077b44a24b5235a.exe
2396	17868bf758cb6bb3a077b44a24b5235a.exe
2396	17868bf758cb6bb3a077b44a24b5235a.exe
2396	17868bf758cb6bb3a077b44a24b5235a.exe
2396	17868bf758cb6bb3a077b44a24b5235a.exe
2396	17868bf758cb6bb3a077b44a24b5235a.exe
2396	17868bf758cb6bb3a077b44a24b5235a.exe
2396	17868bf758cb6bb3a077b44a24b5235a.exe
2396	17868bf758cb6bb3a077b44a24b5235a.exe
2396	17868bf758cb6bb3a077b44a24b5235a.exe
2396	17868bf758cb6bb3a077b44a24b5235a.exe
2396	17868bf758cb6bb3a077b44a24b5235a.exe
2396	17868bf758cb6bb3a077b44a24b5235a.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2396	17868bf758cb6bb3a077b44a24b5235a.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 388	2396	17868bf758cb6bb3a077b44a24b5235a.exe	5
PID 2396 wrote to memory of 388	2396	17868bf758cb6bb3a077b44a24b5235a.exe	5
PID 2396 wrote to memory of 388	2396	17868bf758cb6bb3a077b44a24b5235a.exe	5
PID 2396 wrote to memory of 388	2396	17868bf758cb6bb3a077b44a24b5235a.exe	5
PID 2396 wrote to memory of 388	2396	17868bf758cb6bb3a077b44a24b5235a.exe	5
PID 2396 wrote to memory of 388	2396	17868bf758cb6bb3a077b44a24b5235a.exe	5
PID 2396 wrote to memory of 388	2396	17868bf758cb6bb3a077b44a24b5235a.exe	5
PID 2396 wrote to memory of 400	2396	17868bf758cb6bb3a077b44a24b5235a.exe	4
PID 2396 wrote to memory of 400	2396	17868bf758cb6bb3a077b44a24b5235a.exe	4
PID 2396 wrote to memory of 400	2396	17868bf758cb6bb3a077b44a24b5235a.exe	4
PID 2396 wrote to memory of 400	2396	17868bf758cb6bb3a077b44a24b5235a.exe	4
PID 2396 wrote to memory of 400	2396	17868bf758cb6bb3a077b44a24b5235a.exe	4
PID 2396 wrote to memory of 400	2396	17868bf758cb6bb3a077b44a24b5235a.exe	4
PID 2396 wrote to memory of 400	2396	17868bf758cb6bb3a077b44a24b5235a.exe	4
PID 2396 wrote to memory of 436	2396	17868bf758cb6bb3a077b44a24b5235a.exe	3
PID 2396 wrote to memory of 436	2396	17868bf758cb6bb3a077b44a24b5235a.exe	3
PID 2396 wrote to memory of 436	2396	17868bf758cb6bb3a077b44a24b5235a.exe	3
PID 2396 wrote to memory of 436	2396	17868bf758cb6bb3a077b44a24b5235a.exe	3
PID 2396 wrote to memory of 436	2396	17868bf758cb6bb3a077b44a24b5235a.exe	3
PID 2396 wrote to memory of 436	2396	17868bf758cb6bb3a077b44a24b5235a.exe	3
PID 2396 wrote to memory of 436	2396	17868bf758cb6bb3a077b44a24b5235a.exe	3
PID 2396 wrote to memory of 480	2396	17868bf758cb6bb3a077b44a24b5235a.exe	2
PID 2396 wrote to memory of 480	2396	17868bf758cb6bb3a077b44a24b5235a.exe	2
PID 2396 wrote to memory of 480	2396	17868bf758cb6bb3a077b44a24b5235a.exe	2
PID 2396 wrote to memory of 480	2396	17868bf758cb6bb3a077b44a24b5235a.exe	2
PID 2396 wrote to memory of 480	2396	17868bf758cb6bb3a077b44a24b5235a.exe	2
PID 2396 wrote to memory of 480	2396	17868bf758cb6bb3a077b44a24b5235a.exe	2
PID 2396 wrote to memory of 480	2396	17868bf758cb6bb3a077b44a24b5235a.exe	2
PID 2396 wrote to memory of 496	2396	17868bf758cb6bb3a077b44a24b5235a.exe	1
PID 2396 wrote to memory of 496	2396	17868bf758cb6bb3a077b44a24b5235a.exe	1
PID 2396 wrote to memory of 496	2396	17868bf758cb6bb3a077b44a24b5235a.exe	1
PID 2396 wrote to memory of 496	2396	17868bf758cb6bb3a077b44a24b5235a.exe	1
PID 2396 wrote to memory of 496	2396	17868bf758cb6bb3a077b44a24b5235a.exe	1
PID 2396 wrote to memory of 496	2396	17868bf758cb6bb3a077b44a24b5235a.exe	1
PID 2396 wrote to memory of 496	2396	17868bf758cb6bb3a077b44a24b5235a.exe	1
PID 2396 wrote to memory of 504	2396	17868bf758cb6bb3a077b44a24b5235a.exe	25
PID 2396 wrote to memory of 504	2396	17868bf758cb6bb3a077b44a24b5235a.exe	25
PID 2396 wrote to memory of 504	2396	17868bf758cb6bb3a077b44a24b5235a.exe	25
PID 2396 wrote to memory of 504	2396	17868bf758cb6bb3a077b44a24b5235a.exe	25
PID 2396 wrote to memory of 504	2396	17868bf758cb6bb3a077b44a24b5235a.exe	25
PID 2396 wrote to memory of 504	2396	17868bf758cb6bb3a077b44a24b5235a.exe	25
PID 2396 wrote to memory of 504	2396	17868bf758cb6bb3a077b44a24b5235a.exe	25
PID 2396 wrote to memory of 616	2396	17868bf758cb6bb3a077b44a24b5235a.exe	7
PID 2396 wrote to memory of 616	2396	17868bf758cb6bb3a077b44a24b5235a.exe	7
PID 2396 wrote to memory of 616	2396	17868bf758cb6bb3a077b44a24b5235a.exe	7
PID 2396 wrote to memory of 616	2396	17868bf758cb6bb3a077b44a24b5235a.exe	7
PID 2396 wrote to memory of 616	2396	17868bf758cb6bb3a077b44a24b5235a.exe	7
PID 2396 wrote to memory of 616	2396	17868bf758cb6bb3a077b44a24b5235a.exe	7
PID 2396 wrote to memory of 616	2396	17868bf758cb6bb3a077b44a24b5235a.exe	7
PID 2396 wrote to memory of 684	2396	17868bf758cb6bb3a077b44a24b5235a.exe	24
PID 2396 wrote to memory of 684	2396	17868bf758cb6bb3a077b44a24b5235a.exe	24
PID 2396 wrote to memory of 684	2396	17868bf758cb6bb3a077b44a24b5235a.exe	24
PID 2396 wrote to memory of 684	2396	17868bf758cb6bb3a077b44a24b5235a.exe	24
PID 2396 wrote to memory of 684	2396	17868bf758cb6bb3a077b44a24b5235a.exe	24
PID 2396 wrote to memory of 684	2396	17868bf758cb6bb3a077b44a24b5235a.exe	24
PID 2396 wrote to memory of 684	2396	17868bf758cb6bb3a077b44a24b5235a.exe	24
PID 2396 wrote to memory of 768	2396	17868bf758cb6bb3a077b44a24b5235a.exe	23
PID 2396 wrote to memory of 768	2396	17868bf758cb6bb3a077b44a24b5235a.exe	23
PID 2396 wrote to memory of 768	2396	17868bf758cb6bb3a077b44a24b5235a.exe	23
PID 2396 wrote to memory of 768	2396	17868bf758cb6bb3a077b44a24b5235a.exe	23
PID 2396 wrote to memory of 768	2396	17868bf758cb6bb3a077b44a24b5235a.exe	23
PID 2396 wrote to memory of 768	2396	17868bf758cb6bb3a077b44a24b5235a.exe	23
PID 2396 wrote to memory of 768	2396	17868bf758cb6bb3a077b44a24b5235a.exe	23
PID 2396 wrote to memory of 832	2396	17868bf758cb6bb3a077b44a24b5235a.exe	22

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:496

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:480
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:616
- - C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    3⤵
    PID:1980
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1248
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:2108
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:2268
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1040
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:308
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:356
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:1012
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  PID:860
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:832
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:768
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:684

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:436

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:400

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:388
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:504

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1352
- C:\Users\Admin\AppData\Local\Temp\17868bf758cb6bb3a077b44a24b5235a.exe
  "C:\Users\Admin\AppData\Local\Temp\17868bf758cb6bb3a077b44a24b5235a.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2396

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1320

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2396-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2396-2-0x0000000077AD0000-0x0000000077AD1000-memory.dmp

Filesize
4KB

Download
memory/2396-1-0x0000000077ACF000-0x0000000077AD0000-memory.dmp

Filesize
4KB

Download
memory/2396-3-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download