5e83445e461e5c7771f91430ff5afd83c93b685c1abc21684baad43345322217

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 07:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2ce4f60c0ac7ef6983c78aad3108e74b.exe
Size

327KB
MD5

2ce4f60c0ac7ef6983c78aad3108e74b
SHA1

79553100d5792e0f453a7ebad0a760610e51e3f7
SHA256

5e83445e461e5c7771f91430ff5afd83c93b685c1abc21684baad43345322217
SHA512

384829f755309c376173ba650074830dba08929bdaa20f5e67ecf7e37fbee18e8837eb9466d4f49322f0d61c382e61bd723b1c4414fac32c9ab9ecb8dbce5118
SSDEEP

6144:+CNP1Sm1AMmE3cLtW09Ekh0wWf5KuvGv+Gep17xnc5M6bQb10LtJ8fuTVWwfx9eO:bkGZpcLLhkf5lvGhep17xncf8kta7wf

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2164	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
3012	netstat

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\netstat	2ce4f60c0ac7ef6983c78aad3108e74b.exe
File opened for modification	C:\Windows\netstat	2ce4f60c0ac7ef6983c78aad3108e74b.exe
File created	C:\Windows\uninstal.bat	2ce4f60c0ac7ef6983c78aad3108e74b.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2904	2ce4f60c0ac7ef6983c78aad3108e74b.exe
Token: SeDebugPrivilege	3012	netstat

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3012	netstat

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 2164	2904	2ce4f60c0ac7ef6983c78aad3108e74b.exe	30
PID 2904 wrote to memory of 2164	2904	2ce4f60c0ac7ef6983c78aad3108e74b.exe	30
PID 2904 wrote to memory of 2164	2904	2ce4f60c0ac7ef6983c78aad3108e74b.exe	30
PID 2904 wrote to memory of 2164	2904	2ce4f60c0ac7ef6983c78aad3108e74b.exe	30
PID 2904 wrote to memory of 2164	2904	2ce4f60c0ac7ef6983c78aad3108e74b.exe	30
PID 2904 wrote to memory of 2164	2904	2ce4f60c0ac7ef6983c78aad3108e74b.exe	30
PID 2904 wrote to memory of 2164	2904	2ce4f60c0ac7ef6983c78aad3108e74b.exe	30

C:\Users\Admin\AppData\Local\Temp\2ce4f60c0ac7ef6983c78aad3108e74b.exe
"C:\Users\Admin\AppData\Local\Temp\2ce4f60c0ac7ef6983c78aad3108e74b.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\uninstal.bat
  2⤵
  - Deletes itself
  PID:2164

C:\Windows\netstat
C:\Windows\netstat
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3012

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\netstat

Filesize
327KB

MD5
2ce4f60c0ac7ef6983c78aad3108e74b

SHA1
79553100d5792e0f453a7ebad0a760610e51e3f7

SHA256
5e83445e461e5c7771f91430ff5afd83c93b685c1abc21684baad43345322217

SHA512
384829f755309c376173ba650074830dba08929bdaa20f5e67ecf7e37fbee18e8837eb9466d4f49322f0d61c382e61bd723b1c4414fac32c9ab9ecb8dbce5118

Download Submit
C:\Windows\uninstal.bat

Filesize
190B

MD5
d2e8a323a8ae78ae06ffb4a115c56ffa

SHA1
3db22363000be70d37cbcbe921bc72e5fe53c1bd

SHA256
7a7010ff0610b297ef5185ddb7e8e765f7b32d6017709868fd9cbba4e20a4b52

SHA512
e4bfb1fcb46e41a55f8a7cfd831b84b924c1beb387200619145002e0c8cf4f7437415b817596788f0dae5eb4ec93ceecb4dfad799e7c45594cf4d13f659f144a

Download Submit
memory/2904-18-0x0000000000400000-0x000000000051E208-memory.dmp

Filesize
1.1MB

Download
memory/2904-2-0x0000000000400000-0x000000000051E208-memory.dmp

Filesize
1.1MB

Download
memory/2904-5-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2904-1-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2904-0-0x0000000000400000-0x000000000051E208-memory.dmp

Filesize
1.1MB

Download
memory/3012-7-0x0000000000400000-0x000000000051E208-memory.dmp

Filesize
1.1MB

Download
memory/3012-8-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/3012-10-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/3012-9-0x0000000000400000-0x000000000051E208-memory.dmp

Filesize
1.1MB

Download
memory/3012-20-0x0000000000400000-0x000000000051E208-memory.dmp

Filesize
1.1MB

Download
memory/3012-21-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download