51b9f650735c79bd07c739e4c9adf0f8b20ccbb231566e3d062a252bd729f7a7

Analysis

max time kernel
144s
max time network
134s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31-12-2023 14:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

38f6309fe2a5ec8ddfed4c1ab6402bd2.exe
Size

369KB
MD5

38f6309fe2a5ec8ddfed4c1ab6402bd2
SHA1

b8835c98d5785fde00e4d2959b69ab6233993f13
SHA256

51b9f650735c79bd07c739e4c9adf0f8b20ccbb231566e3d062a252bd729f7a7
SHA512

18946594c790ac41646d77d759a8689047ba3a79da4f2cdf895b06f694b45c9a50665ad94561e1fc71fb66326432403fd69d66f6ef3a742570817ccacd0a6e57
SSDEEP

6144:DdGjOx5o6Cv6SGEMTeZXMEcD50wFjKrcvwqeDcz24VQln276DR9GtRJ:5mOx5oXGp6wFjKrcv5Qci4VEDG1

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2372	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
900	windows.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\windows.exe	38f6309fe2a5ec8ddfed4c1ab6402bd2.exe
File opened for modification	C:\Windows\windows.exe	38f6309fe2a5ec8ddfed4c1ab6402bd2.exe
File created	C:\Windows\UNINSTAL.BAT	38f6309fe2a5ec8ddfed4c1ab6402bd2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2008	38f6309fe2a5ec8ddfed4c1ab6402bd2.exe
Token: SeDebugPrivilege	900	windows.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
900	windows.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 900 wrote to memory of 2344	900	windows.exe	28
PID 900 wrote to memory of 2344	900	windows.exe	28
PID 900 wrote to memory of 2344	900	windows.exe	28
PID 900 wrote to memory of 2344	900	windows.exe	28
PID 2008 wrote to memory of 2372	2008	38f6309fe2a5ec8ddfed4c1ab6402bd2.exe	30
PID 2008 wrote to memory of 2372	2008	38f6309fe2a5ec8ddfed4c1ab6402bd2.exe	30
PID 2008 wrote to memory of 2372	2008	38f6309fe2a5ec8ddfed4c1ab6402bd2.exe	30
PID 2008 wrote to memory of 2372	2008	38f6309fe2a5ec8ddfed4c1ab6402bd2.exe	30
PID 2008 wrote to memory of 2372	2008	38f6309fe2a5ec8ddfed4c1ab6402bd2.exe	30
PID 2008 wrote to memory of 2372	2008	38f6309fe2a5ec8ddfed4c1ab6402bd2.exe	30
PID 2008 wrote to memory of 2372	2008	38f6309fe2a5ec8ddfed4c1ab6402bd2.exe	30

C:\Users\Admin\AppData\Local\Temp\38f6309fe2a5ec8ddfed4c1ab6402bd2.exe
"C:\Users\Admin\AppData\Local\Temp\38f6309fe2a5ec8ddfed4c1ab6402bd2.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\UNINSTAL.BAT
  2⤵
  - Deletes itself
  PID:2372

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"
1⤵
PID:2344

C:\Windows\windows.exe
C:\Windows\windows.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:900

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\UNINSTAL.BAT

Filesize
186B

MD5
6e5f0b62d3537a0544863405bd8ff42c

SHA1
0802f82c3a1cbc75c7ba7dd11e885bfac375d79c

SHA256
3563ba2274d8a4aebcf3b8fdaec7bb5647b22db56b46c73be96497e355f47a5e

SHA512
ad1bba61c701dc4ac7e928b56ac988ed9c7c839be1088db7e63cdb6869bc3bd2fe160d2200eeb4750499e36b8465e3ae0c0a32f355401e82c9498386d04d82e7

Download Submit
C:\Windows\windows.exe

Filesize
369KB

MD5
38f6309fe2a5ec8ddfed4c1ab6402bd2

SHA1
b8835c98d5785fde00e4d2959b69ab6233993f13

SHA256
51b9f650735c79bd07c739e4c9adf0f8b20ccbb231566e3d062a252bd729f7a7

SHA512
18946594c790ac41646d77d759a8689047ba3a79da4f2cdf895b06f694b45c9a50665ad94561e1fc71fb66326432403fd69d66f6ef3a742570817ccacd0a6e57

Download Submit
C:\Windows\windows.exe

Filesize
327KB

MD5
2b82e37b24fc10d4a157ac76c0f3262e

SHA1
5e6086d589da3519a299886c5721015a8db57860

SHA256
086d9620a0c0dec6ff9641714427d9eb89e8a080968b13ca3e69b4ca201c713a

SHA512
f02ca33e1138cc1f941018f7ec8f4c932b7b8eb902ea131c05402d8108e963a4bd094bf6b2767e25c0c38ba92eeee16a71788f4c7a932e2594d652ff327f9b66

Download Submit
memory/900-8-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/900-6-0x0000000000400000-0x000000000053D208-memory.dmp

Filesize
1.2MB

Download
memory/900-18-0x0000000000400000-0x000000000053D208-memory.dmp

Filesize
1.2MB

Download
memory/900-19-0x0000000000400000-0x000000000053D208-memory.dmp

Filesize
1.2MB

Download
memory/900-20-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/900-21-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/900-25-0x0000000000400000-0x000000000053D208-memory.dmp

Filesize
1.2MB

Download
memory/2008-16-0x0000000000400000-0x000000000053D208-memory.dmp

Filesize
1.2MB

Download
memory/2008-2-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2008-0-0x0000000000400000-0x000000000053D208-memory.dmp

Filesize
1.2MB

Download
memory/2008-1-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download