21082cfdba03f866b429a1f43211312ae3abf95aa686c22d7b1702877888f82f

Analysis

max time kernel
141s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 12:07

Target

180b4bff39bee958c2c4edd88d8570d1.exe
Size

743KB
MD5

180b4bff39bee958c2c4edd88d8570d1
SHA1

3edc1acd06ea006331be9ba423074c2a96f2255b
SHA256

21082cfdba03f866b429a1f43211312ae3abf95aa686c22d7b1702877888f82f
SHA512

9f0b2ccf81c05b81887e868a6b6a1c047bfd24d07548633da3943ca89f1dd384bfd4fa4ae0956380e556ebce46f89cad090df42f2ce4c93fad497f351d2ce190
SSDEEP

12288:ARn8S++U4u/n/80dW5A0zyo6JwQ5oAlK+GPHvZJIkDBQQ52LYRg08yPwDREz:k8MU4ufxdW5A2mJr/kNHv/IkDN3Y

Score

7^/10

Deletes itself 1 IoCs

pid	Process
2720	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2540	awsed.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\awsed.exe	180b4bff39bee958c2c4edd88d8570d1.exe
File opened for modification	C:\Windows\awsed.exe	180b4bff39bee958c2c4edd88d8570d1.exe
File created	C:\Windows\61642520.BAT	180b4bff39bee958c2c4edd88d8570d1.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2008	180b4bff39bee958c2c4edd88d8570d1.exe
Token: SeDebugPrivilege	2540	awsed.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2540	awsed.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2540 wrote to memory of 2724	2540	awsed.exe	29
PID 2540 wrote to memory of 2724	2540	awsed.exe	29
PID 2540 wrote to memory of 2724	2540	awsed.exe	29
PID 2540 wrote to memory of 2724	2540	awsed.exe	29
PID 2008 wrote to memory of 2720	2008	180b4bff39bee958c2c4edd88d8570d1.exe	30
PID 2008 wrote to memory of 2720	2008	180b4bff39bee958c2c4edd88d8570d1.exe	30
PID 2008 wrote to memory of 2720	2008	180b4bff39bee958c2c4edd88d8570d1.exe	30
PID 2008 wrote to memory of 2720	2008	180b4bff39bee958c2c4edd88d8570d1.exe	30

C:\Users\Admin\AppData\Local\Temp\180b4bff39bee958c2c4edd88d8570d1.exe
"C:\Users\Admin\AppData\Local\Temp\180b4bff39bee958c2c4edd88d8570d1.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\61642520.BAT
  2⤵
  - Deletes itself
  PID:2720

C:\Windows\awsed.exe
C:\Windows\awsed.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2540
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:2724

C:\Windows\61642520.BAT

Filesize
190B

MD5
53ff3011577a99f79373578921368b11

SHA1
66ae08a73aa4342b08c857bbb56a4ac73edf86ed

SHA256
3fe632632e3007f4dc1d7605a420c3dc49b238bcf7f49c9e5cad285d3cef2afa

SHA512
7200b122040ec176b76a2bb27a9a4834ec3cb41659cc051177d8100b7c5397fe98c519e7287cc2c9e5bb84a86f15ca11348e693fcf410cc681738f944b469f5d

Download Submit
C:\Windows\awsed.exe

Filesize
743KB

MD5
180b4bff39bee958c2c4edd88d8570d1

SHA1
3edc1acd06ea006331be9ba423074c2a96f2255b

SHA256
21082cfdba03f866b429a1f43211312ae3abf95aa686c22d7b1702877888f82f

SHA512
9f0b2ccf81c05b81887e868a6b6a1c047bfd24d07548633da3943ca89f1dd384bfd4fa4ae0956380e556ebce46f89cad090df42f2ce4c93fad497f351d2ce190

Download Submit
memory/2008-0-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2008-13-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2540-12-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2540-15-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2540-16-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2540-17-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2540-21-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download