1487cdff4d4cfd0362b13f34d910e8443bbf07c2a3f631d92d0c984b16f0d7ae

Analysis

max time kernel
122s
max time network
127s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 14:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b6fc925045eafaf7b17b02e7f837fac.exe
Size

280KB
MD5

1b6fc925045eafaf7b17b02e7f837fac
SHA1

93d078f73a0d2a87aa86c37332dca3fb3d363f2a
SHA256

1487cdff4d4cfd0362b13f34d910e8443bbf07c2a3f631d92d0c984b16f0d7ae
SHA512

93df6b56dbf45f0ea967fc7a83c2512e90394c20c80260dcabbc3b6ad22327109ac88acc205619cc13f36f956765989defc5d4d5766a2fdb97962a65af2d50e5
SSDEEP

6144:XAMBj6B6kQu1WTminflPN80PxF+NmeBxEV91i2EkOoy:w36k+Tmin80PCNtLEVK2E5

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2732	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2800	winine.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ieapfltr.dat	winine.exe
File opened for modification	C:\Windows\SysWOW64\winine.exe	winine.exe
File opened for modification	C:\Windows\SysWOW64\ieapfltr.dat	1b6fc925045eafaf7b17b02e7f837fac.exe
File created	C:\Windows\SysWOW64\winine.exe	1b6fc925045eafaf7b17b02e7f837fac.exe
File opened for modification	C:\Windows\SysWOW64\winine.exe	1b6fc925045eafaf7b17b02e7f837fac.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\uninstal.bat	1b6fc925045eafaf7b17b02e7f837fac.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3032	1b6fc925045eafaf7b17b02e7f837fac.exe
Token: SeDebugPrivilege	2800	winine.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 2732	3032	1b6fc925045eafaf7b17b02e7f837fac.exe	29
PID 3032 wrote to memory of 2732	3032	1b6fc925045eafaf7b17b02e7f837fac.exe	29
PID 3032 wrote to memory of 2732	3032	1b6fc925045eafaf7b17b02e7f837fac.exe	29
PID 3032 wrote to memory of 2732	3032	1b6fc925045eafaf7b17b02e7f837fac.exe	29
PID 3032 wrote to memory of 2732	3032	1b6fc925045eafaf7b17b02e7f837fac.exe	29
PID 3032 wrote to memory of 2732	3032	1b6fc925045eafaf7b17b02e7f837fac.exe	29
PID 3032 wrote to memory of 2732	3032	1b6fc925045eafaf7b17b02e7f837fac.exe	29

C:\Users\Admin\AppData\Local\Temp\1b6fc925045eafaf7b17b02e7f837fac.exe
"C:\Users\Admin\AppData\Local\Temp\1b6fc925045eafaf7b17b02e7f837fac.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\uninstal.bat
  2⤵
  - Deletes itself
  PID:2732

C:\Windows\SysWOW64\winine.exe
C:\Windows\SysWOW64\winine.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2800

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\winine.exe

Filesize
280KB

MD5
1b6fc925045eafaf7b17b02e7f837fac

SHA1
93d078f73a0d2a87aa86c37332dca3fb3d363f2a

SHA256
1487cdff4d4cfd0362b13f34d910e8443bbf07c2a3f631d92d0c984b16f0d7ae

SHA512
93df6b56dbf45f0ea967fc7a83c2512e90394c20c80260dcabbc3b6ad22327109ac88acc205619cc13f36f956765989defc5d4d5766a2fdb97962a65af2d50e5

Download Submit
C:\Windows\uninstal.bat

Filesize
190B

MD5
2856fa45f23b7b0f9781f8c392beb5f8

SHA1
f086574a6bdc5fbf9a036edb74fe8116dcc2fd5c

SHA256
6134f6c7c157be00c073ed8ad8ebf8dac7de7a34890e516e47bf891764279463

SHA512
3f4675eb30d09852adbead3c7a654bd5661b617cc75b4dbd590573f8978562d4bdbbf087b2b04e084e32269b805766040315b13ef9b32879d8160fee189b65a6

Download Submit
memory/2800-7-0x0000000000400000-0x000000000050BBB2-memory.dmp

Filesize
1.0MB

Download
memory/2800-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2800-9-0x0000000000400000-0x000000000050BBB2-memory.dmp

Filesize
1.0MB

Download
memory/2800-10-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2800-12-0x0000000000400000-0x000000000050BBB2-memory.dmp

Filesize
1.0MB

Download
memory/3032-0-0x0000000000400000-0x000000000050BBB2-memory.dmp

Filesize
1.0MB

Download
memory/3032-1-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/3032-2-0x0000000000400000-0x000000000050BBB2-memory.dmp

Filesize
1.0MB

Download
memory/3032-3-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/3032-20-0x0000000000400000-0x000000000050BBB2-memory.dmp

Filesize
1.0MB

Download