f7873d50c4c15636f9a5cee2051b3f0f36ed5d1ec16977dd67a5b7d0fcbdd497

Analysis

max time kernel
122s
max time network
128s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31-12-2023 07:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2cd535edb48b7cefbb14494688c67190.exe
Size

412KB
MD5

2cd535edb48b7cefbb14494688c67190
SHA1

0b06f52cc6826baacb63408ae3ab529ca696f21d
SHA256

f7873d50c4c15636f9a5cee2051b3f0f36ed5d1ec16977dd67a5b7d0fcbdd497
SHA512

31cc0d7e90d88c4c14f5169f16774129e9ed1f6ea1629a826876d8b0aba13a76f8a1bbb796b410453c08f836bf81ef1777b05ccffd99a23b937bf59673c27163
SSDEEP

6144:yBlZxyTW4/AWZ2PaPN49K13NoRY+Eqn3dDODD9Uv0mJjPOJ6MMKLs4UL7FsY:ElTyS22PO49K1NyYJq31ONUZr36veWY

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2832	Svchost
2828	Svchost

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2668 set thread context of 2872	2668	2cd535edb48b7cefbb14494688c67190.exe	18
PID 2832 set thread context of 2828	2832	Svchost	31
PID 2828 set thread context of 2804	2828	Svchost	30

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Svchost	2cd535edb48b7cefbb14494688c67190.exe
File created	C:\Windows\Svchost	2cd535edb48b7cefbb14494688c67190.exe
File created	C:\Windows\uninstal.bat	2cd535edb48b7cefbb14494688c67190.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2872	2cd535edb48b7cefbb14494688c67190.exe
Token: SeDebugPrivilege	2828	Svchost

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 2872	2668	2cd535edb48b7cefbb14494688c67190.exe	18
PID 2668 wrote to memory of 2872	2668	2cd535edb48b7cefbb14494688c67190.exe	18
PID 2668 wrote to memory of 2872	2668	2cd535edb48b7cefbb14494688c67190.exe	18
PID 2668 wrote to memory of 2872	2668	2cd535edb48b7cefbb14494688c67190.exe	18
PID 2668 wrote to memory of 2872	2668	2cd535edb48b7cefbb14494688c67190.exe	18
PID 2668 wrote to memory of 2872	2668	2cd535edb48b7cefbb14494688c67190.exe	18
PID 2832 wrote to memory of 2828	2832	Svchost	31
PID 2832 wrote to memory of 2828	2832	Svchost	31
PID 2832 wrote to memory of 2828	2832	Svchost	31
PID 2832 wrote to memory of 2828	2832	Svchost	31
PID 2832 wrote to memory of 2828	2832	Svchost	31
PID 2832 wrote to memory of 2828	2832	Svchost	31
PID 2828 wrote to memory of 2804	2828	Svchost	30
PID 2828 wrote to memory of 2804	2828	Svchost	30
PID 2828 wrote to memory of 2804	2828	Svchost	30
PID 2828 wrote to memory of 2804	2828	Svchost	30
PID 2828 wrote to memory of 2804	2828	Svchost	30
PID 2828 wrote to memory of 2804	2828	Svchost	30

C:\Users\Admin\AppData\Local\Temp\2cd535edb48b7cefbb14494688c67190.exe
"C:\Users\Admin\AppData\Local\Temp\2cd535edb48b7cefbb14494688c67190.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Users\Admin\AppData\Local\Temp\2cd535edb48b7cefbb14494688c67190.exe
  C:\Users\Admin\AppData\Local\Temp\2cd535edb48b7cefbb14494688c67190.exe
  2⤵
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2872

C:\Windows\Svchost
C:\Windows\Svchost
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2832
- C:\Windows\Svchost
  C:\Windows\Svchost
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2828

C:\WINDOWS\SysWOW64\svchost.exe
C:\WINDOWS\system32\svchost.exe
1⤵
PID:2804

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2668-5-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2804-31-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2804-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2804-29-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2828-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2828-26-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2828-25-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2828-33-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2832-20-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2872-2-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2872-0-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2872-6-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2872-22-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2872-4-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2872-7-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2872-8-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2872-9-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download