9100c72c23d96177f9cf0bf0e8d31c46b30e1d43013a69e9478549e16bff99e4

Analysis

max time kernel
142s
max time network
127s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31-12-2023 01:28

Target

22e1bce31a74f259b0a421d957a1724c.exe
Size

742KB
MD5

22e1bce31a74f259b0a421d957a1724c
SHA1

222002fac0b9f8e443d0d52b0232eec4100868a8
SHA256

9100c72c23d96177f9cf0bf0e8d31c46b30e1d43013a69e9478549e16bff99e4
SHA512

b0e819d5a146aca0980d477328ccd3772f68f0934196567f2e2c9f8f0a90665a4bf4589837fdf7d20272cf0c81de9141424fbc20eda3488e177704988f1b4234
SSDEEP

12288:ARyTY+2U4uan/8RdW5A0zyxuJwQ5oAlK+Gx/vZuIkAbQQ52LYRg08y5rDRb:k6iU4ucwdW5A2RJr/k3/vcIkA33P

Score

7^/10

Deletes itself 1 IoCs

pid	Process
2772	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2268	svchost.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\pRogram Files\system32\svchost.exe	22e1bce31a74f259b0a421d957a1724c.exe
File opened for modification	C:\pRogram Files\system32\svchost.exe	22e1bce31a74f259b0a421d957a1724c.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\uninstal.BAT	22e1bce31a74f259b0a421d957a1724c.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2144	22e1bce31a74f259b0a421d957a1724c.exe
Token: SeDebugPrivilege	2268	svchost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2268	svchost.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2144 wrote to memory of 2772	2144	22e1bce31a74f259b0a421d957a1724c.exe	30
PID 2144 wrote to memory of 2772	2144	22e1bce31a74f259b0a421d957a1724c.exe	30
PID 2144 wrote to memory of 2772	2144	22e1bce31a74f259b0a421d957a1724c.exe	30
PID 2144 wrote to memory of 2772	2144	22e1bce31a74f259b0a421d957a1724c.exe	30
PID 2144 wrote to memory of 2772	2144	22e1bce31a74f259b0a421d957a1724c.exe	30
PID 2144 wrote to memory of 2772	2144	22e1bce31a74f259b0a421d957a1724c.exe	30
PID 2144 wrote to memory of 2772	2144	22e1bce31a74f259b0a421d957a1724c.exe	30

C:\Users\Admin\AppData\Local\Temp\22e1bce31a74f259b0a421d957a1724c.exe
"C:\Users\Admin\AppData\Local\Temp\22e1bce31a74f259b0a421d957a1724c.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2144
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\uninstal.BAT
  2⤵
  - Deletes itself
  PID:2772

C:\Program Files\system32\svchost.exe

Filesize
742KB

MD5
22e1bce31a74f259b0a421d957a1724c

SHA1
222002fac0b9f8e443d0d52b0232eec4100868a8

SHA256
9100c72c23d96177f9cf0bf0e8d31c46b30e1d43013a69e9478549e16bff99e4

SHA512
b0e819d5a146aca0980d477328ccd3772f68f0934196567f2e2c9f8f0a90665a4bf4589837fdf7d20272cf0c81de9141424fbc20eda3488e177704988f1b4234

Download Submit
C:\Windows\uninstal.BAT

Filesize
190B

MD5
53048425ccb60aaccf2fd0b745acca82

SHA1
f12e3a1faa03519c6af2eac30b94f0dd5ca2566e

SHA256
c3483b919d717eee0ea9849722a10eab8257c836073aa58c59513add511a607c

SHA512
f85d7affaefd650feda0be4d5c9b915f57a9c99a1c9f7ea62860fcd9611b73558ced7115917985e9ca864d2f84943f85836b2cd19dd06dd62bb615b7db6e780c

Download Submit
memory/2144-0-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2144-1-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2144-14-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2268-5-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2268-11-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2268-16-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2268-18-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download