05e379fe614c0ce3be8627e7a9a79744a728e8fbab9d4d9fb39c2e2c9205df94

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 07:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2c93bf234b0a794699d55872d4c779f3.exe
Size

488KB
MD5

2c93bf234b0a794699d55872d4c779f3
SHA1

2fc77ee26c3d4bceae4dca8d40922051db52d5bf
SHA256

05e379fe614c0ce3be8627e7a9a79744a728e8fbab9d4d9fb39c2e2c9205df94
SHA512

4af0dbd7c6a6323932bc472b505dc3967ac8e732ef3334aec05025935384ee30563b9e5c7356a69d09542a9dd248260e12e4f48a150b9637cc976abd7e227db3
SSDEEP

12288:CSpAZ3gtueKw9pPncZL1rSnnzVS5VyFXUGesd1YWH:CSKZwtv3UynnzP9UZjWH

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2832	update.exe

Loads dropped DLL 6 IoCs

pid	Process
1668	2c93bf234b0a794699d55872d4c779f3.exe
1668	2c93bf234b0a794699d55872d4c779f3.exe
2832	update.exe
2832	update.exe
2832	update.exe
2832	update.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\setupapi.log	update.exe
File opened for modification	\??\c:\windows\KB978262.log	update.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeRestorePrivilege	2832	update.exe
Token: SeRestorePrivilege	2832	update.exe
Token: SeRestorePrivilege	2832	update.exe
Token: SeRestorePrivilege	2832	update.exe
Token: SeRestorePrivilege	2832	update.exe
Token: SeRestorePrivilege	2832	update.exe
Token: SeRestorePrivilege	2832	update.exe
Token: SeBackupPrivilege	2832	update.exe
Token: SeRestorePrivilege	2832	update.exe
Token: SeShutdownPrivilege	2832	update.exe
Token: SeSecurityPrivilege	2832	update.exe
Token: SeTakeOwnershipPrivilege	2832	update.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1668 wrote to memory of 2832	1668	2c93bf234b0a794699d55872d4c779f3.exe	28
PID 1668 wrote to memory of 2832	1668	2c93bf234b0a794699d55872d4c779f3.exe	28
PID 1668 wrote to memory of 2832	1668	2c93bf234b0a794699d55872d4c779f3.exe	28
PID 1668 wrote to memory of 2832	1668	2c93bf234b0a794699d55872d4c779f3.exe	28
PID 1668 wrote to memory of 2832	1668	2c93bf234b0a794699d55872d4c779f3.exe	28
PID 1668 wrote to memory of 2832	1668	2c93bf234b0a794699d55872d4c779f3.exe	28
PID 1668 wrote to memory of 2832	1668	2c93bf234b0a794699d55872d4c779f3.exe	28

C:\Users\Admin\AppData\Local\Temp\2c93bf234b0a794699d55872d4c779f3.exe
"C:\Users\Admin\AppData\Local\Temp\2c93bf234b0a794699d55872d4c779f3.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1668
- \??\c:\53b69266acc15d1238d7825c\update\update.exe
  c:\53b69266acc15d1238d7825c\update\update.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2832

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\53b69266acc15d1238d7825c\_sfx_.dll

Filesize
25KB

MD5
ee207e35aea4d5df41d90221e1b66efa

SHA1
757469cf9ad2f21f267bbe730560114fdf8a89a5

SHA256
cf64c95e9a2d02967efc22b00efb3736156b913a95231eb63c1df45d43475e64

SHA512
43e9f75725daa4f3428b2d9cee2c2cc8b2f2e991b8e58d72d2f429fbdfb614c86d172f03d3f9da98756bd4e245643d9a57c6efa422d6c60ad364a2322245542d

Download Submit
\53b69266acc15d1238d7825c\update\update.exe

Filesize
737KB

MD5
0ff4e4e0dd01e7872d9c2013560fd4a7

SHA1
f6a3aa7d551c99c3e9c00c9592c2be1b1cf1a81a

SHA256
fadc30d8a636762c424ff4f49d528f22d59c46c20c24c5c4b73badb4deb5e8a1

SHA512
8e154e66b6949e93532052a15762db2cbcf9d8dbfce9ef18ae2adcfd126974240716220151d1e59347fb4f094da7ab31701b32d3fdc5726c2da098154319a0b6

Download Submit
\53b69266acc15d1238d7825c\update\update.exe

Filesize
240KB

MD5
572474e80b21bcca641e4847f493865c

SHA1
08bc664eae35f1d205ff85ec8915d6472a0bf3da

SHA256
2f59363141e56e60955f5c20d79310bd63ffbea16cd881110fc69e24e1beb8c0

SHA512
f3f4bf19eb139bb2865a3660cfe15a285c217c0fa420df5af42bd04c07ddd01c0706e9bcefe06686d3b146bc995c6e61fdce63be2e08bdc21242e7df034f6f35

Download Submit
\53b69266acc15d1238d7825c\update\update.exe

Filesize
705KB

MD5
dfe2b3d3b5e6b9ce1b5f44396ae1ebf4

SHA1
b9a373ca2fe300aee1e60fa5cf01881ba8f7bfdb

SHA256
13ab4070d36ab09c4168c4843900ee162c9eb2c99fa50269f0351a66dd92211b

SHA512
d041ba50650594a41c5cf78c8cd26441a7b672a151bd309fb22eb20a92ab64e83db0485507075254f4d7164a4f4882bb6b6da339f2cd57e1d02aaa5b9df8666d

Download Submit
\53b69266acc15d1238d7825c\update\update.exe

Filesize
193KB

MD5
6c2ed71baf392e21d671ee9cf8b9c2ee

SHA1
1beaae11bde015c02a51b3fef5f4b922149462a8

SHA256
647d98d8c007c48d82192c72378944e8962b55f1fa0b2890065667a7666a2899

SHA512
7acc44dcb925ff6723eb1ce24efadb22a4f58ac06797a886e5dbc4ee96f780d34bf16a9777a187776d2256b87d313362bfe1360739c19b5e90e7a4e6ef422cbb

Download Submit
\53b69266acc15d1238d7825c\update\updspapi.dll

Filesize
257KB

MD5
11d924d1fe07f233c46c2b35ed03a9e5

SHA1
a670832904b06fc8d12669b022f78208ba42705f

SHA256
80cbae8392e9a0a380920688c04036947a7db93463a6da591baa836a1c2001eb

SHA512
e8afad97dc948559a3476e2300c24e6fda972299e2f07cfc30c74b4ba93ef5e26cf3fd5cc8b89a0d7289d921000c0dabc41b3512d459a646c5eb4e6f6ee7792e

Download Submit