818a0a33f0f38e8219097683ecb4f32b3eebc9831006572f7d2c43621e264f75

Analysis

max time kernel
146s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2023, 00:04

Target

210174d7a01343c4d1bb9076bbedc92c.exe
Size

22KB
MD5

210174d7a01343c4d1bb9076bbedc92c
SHA1

46c814841d000a127358924ce901f8a81415f134
SHA256

818a0a33f0f38e8219097683ecb4f32b3eebc9831006572f7d2c43621e264f75
SHA512

d2d6f50b5c275d0f4b2489817dc01b72f8ca3bd05db848b141495171a3cc66fc706961fe182d1a98fef39034304ebfe0784556b554f1b97a466b688f60c7218e
SSDEEP

384:+QQvc2vDniW5ukWa2PECVKz/yMgCdNuuXaGvRO9zMjBhJ8ndkkW/EtkQIiBxv:1n2WOzbCWjBNuLMRJjBh8dv/tkRiBF

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
532	biant.3322.org.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\biant.3322.org.exe	biant.3322.org.exe
File created	C:\Windows\SysWOW64\biant.3322.org.dll	biant.3322.org.exe
File opened for modification	C:\Windows\SysWOW64\biant.3322.org.dll	biant.3322.org.exe
File created	C:\Windows\SysWOW64\Deleteme.bat	210174d7a01343c4d1bb9076bbedc92c.exe
File opened for modification	C:\Windows\SysWOW64\Deleteme.bat	biant.3322.org.exe
File created	C:\Windows\SysWOW64\biant.3322.org.exe	210174d7a01343c4d1bb9076bbedc92c.exe
File opened for modification	C:\Windows\SysWOW64\biant.3322.org.exe	210174d7a01343c4d1bb9076bbedc92c.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	532	biant.3322.org.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 532 wrote to memory of 2676	532	biant.3322.org.exe	21
PID 532 wrote to memory of 2676	532	biant.3322.org.exe	21
PID 1392 wrote to memory of 1256	1392	210174d7a01343c4d1bb9076bbedc92c.exe	26
PID 1392 wrote to memory of 1256	1392	210174d7a01343c4d1bb9076bbedc92c.exe	26
PID 1392 wrote to memory of 1256	1392	210174d7a01343c4d1bb9076bbedc92c.exe	26
PID 532 wrote to memory of 2676	532	biant.3322.org.exe	21
PID 532 wrote to memory of 4744	532	biant.3322.org.exe	23
PID 532 wrote to memory of 4744	532	biant.3322.org.exe	23
PID 532 wrote to memory of 4744	532	biant.3322.org.exe	23

C:\Users\Admin\AppData\Local\Temp\210174d7a01343c4d1bb9076bbedc92c.exe
"C:\Users\Admin\AppData\Local\Temp\210174d7a01343c4d1bb9076bbedc92c.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1392
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\system32\Deleteme.bat
  2⤵
  PID:1256

C:\Windows\SysWOW64\biant.3322.org.exe
C:\Windows\SysWOW64\biant.3322.org.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:532
- C:\program files\internet explorer\iexplore.exe
  "C:\program files\internet explorer\iexplore.exe"
  2⤵
  PID:2676
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\system32\Deleteme.bat
  2⤵
  PID:4744

C:\Windows\SysWOW64\Deleteme.bat

Filesize
120B

MD5
0319526e9a460fb281bf51c59aa8c608

SHA1
7a3a845c279c9179d77540541ebadf702837e803

SHA256
9342f0ed84f7706a00ab19a6c274b91bc3201b7046691f544eba67288bc71e84

SHA512
f2165fb9b7416886dbf4ab6fc98a3d14305693c0a758548dd523464bc0adaaa26fdf239b3ca0be40aa232dc0d88cd3afd1986222a955fbdaf58b07a619afa5f7

Download Submit
C:\Windows\SysWOW64\biant.3322.org.exe

Filesize
22KB

MD5
210174d7a01343c4d1bb9076bbedc92c

SHA1
46c814841d000a127358924ce901f8a81415f134

SHA256
818a0a33f0f38e8219097683ecb4f32b3eebc9831006572f7d2c43621e264f75

SHA512
d2d6f50b5c275d0f4b2489817dc01b72f8ca3bd05db848b141495171a3cc66fc706961fe182d1a98fef39034304ebfe0784556b554f1b97a466b688f60c7218e

Download Submit
memory/532-8-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/532-7-0x0000000013140000-0x000000001315A000-memory.dmp

Filesize
104KB

Download
memory/532-17-0x0000000013140000-0x000000001315A000-memory.dmp

Filesize
104KB

Download
memory/1392-0-0x0000000013140000-0x000000001315A000-memory.dmp

Filesize
104KB

Download
memory/1392-2-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/1392-1-0x0000000013140000-0x000000001315A000-memory.dmp

Filesize
104KB

Download
memory/1392-13-0x0000000013140000-0x000000001315A000-memory.dmp

Filesize
104KB

Download