6e18bd61fd3740f8d1b7f45fa29a55d74fc849e79eeee6b5b14ae6b77d0e1115

Analysis

max time kernel
119s
max time network
140s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 04:00

Target

274756282f634c01a926028fc51a99aa.exe
Size

26KB
MD5

274756282f634c01a926028fc51a99aa
SHA1

98407d47b4f8c35d9eda245fff496065f678ae41
SHA256

6e18bd61fd3740f8d1b7f45fa29a55d74fc849e79eeee6b5b14ae6b77d0e1115
SHA512

a3d01869e93fc55e5720b781d625099c7d09417b18e45b72b011bac5f295b0e4db12f2a66bc689d1a41f6ab3d441fb052981ca193581d75c26fb1d16ddca4c7b
SSDEEP

768:rTvbx4UaWtyQGhcoxV92VnUMYFFZlprZpKEw:rTzGU6DOoP9Osw

Score

7^/10

Loads dropped DLL 1 IoCs

pid	Process
2516	274756282f634c01a926028fc51a99aa.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\xyupri0.dll	274756282f634c01a926028fc51a99aa.exe
File opened for modification	C:\Windows\SysWOW64\xyupri0.dll	274756282f634c01a926028fc51a99aa.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E3F426F6-42A5-A29E-8634-BC694A88FB7D}	274756282f634c01a926028fc51a99aa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E3F426F6-42A5-A29E-8634-BC694A88FB7D}\ExeModuleName = "C:\\Users\\Admin\\AppData\\Local\\Temp\\274756282f634c01a926028fc51a99aa.exe"	274756282f634c01a926028fc51a99aa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E3F426F6-42A5-A29E-8634-BC694A88FB7D}\DllModuleName = "C:\\Windows\\SysWow64\\xyupri0.dll"	274756282f634c01a926028fc51a99aa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E3F426F6-42A5-A29E-8634-BC694A88FB7D}\SobjEventName = "CZXSDERDAKSTXMH_0"	274756282f634c01a926028fc51a99aa.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2516	274756282f634c01a926028fc51a99aa.exe

Suspicious use of WriteProcessMemory 1 IoCs

description	pid	Process	procid_target
PID 2516 wrote to memory of 1256	2516	274756282f634c01a926028fc51a99aa.exe	19

\Windows\SysWOW64\xyupri0.dll

Filesize
20KB

MD5
d45f4f13feec4ef295052c40651a4073

SHA1
802b0d2546da2943e9fa6680d1e6fee4caf58689

SHA256
bcf175bbbad751c37cac1e7c1b72e8406a2415d1f3d683ad05e8297c989c591b

SHA512
18042bb7581e8f35a365f9b0e31045e6373bdf1a8f1f39f03a2b8cf17436926bb85536164998b1235a329137f74b33d7b7057eba889d85190a7c0a48f5dc9b5e

Download Submit
memory/1256-5-0x0000000002A50000-0x0000000002A51000-memory.dmp

Filesize
4KB

Download
memory/2516-0-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2516-6-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/2516-7-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download