0c252febbad42c6ff5fc686850140658b5b7e4033578ee58678a86b412bbf10d

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
04/01/2024, 04:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3fdbdc4c320a2145088f68f83a1a562f.exe
Size

88KB
MD5

3fdbdc4c320a2145088f68f83a1a562f
SHA1

44eea44646310b69dd6076b4939c3338fd2ffacd
SHA256

0c252febbad42c6ff5fc686850140658b5b7e4033578ee58678a86b412bbf10d
SHA512

3e6559f618a62ce20846c83ced23ba3023bb35328eea661d90fb28b0d6b304113528143f6eda4b8bac817daaf3d525570b87fdbcd73c5ad009d8cb30146b86b9
SSDEEP

1536:XM5muTswgebGyq9a0vMPcmIFvBNjfqVnWx8+V1/IZg:XM5mWswZbGyq9a0vMPcmOvzjKnU8t6

Score

1^/10

Malware Config

Signatures

Runs net.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2224	3fdbdc4c320a2145088f68f83a1a562f.exe
2224	3fdbdc4c320a2145088f68f83a1a562f.exe
2224	3fdbdc4c320a2145088f68f83a1a562f.exe
2224	3fdbdc4c320a2145088f68f83a1a562f.exe
2224	3fdbdc4c320a2145088f68f83a1a562f.exe
2224	3fdbdc4c320a2145088f68f83a1a562f.exe
2224	3fdbdc4c320a2145088f68f83a1a562f.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeSystemtimePrivilege	2224	3fdbdc4c320a2145088f68f83a1a562f.exe
Token: SeSystemtimePrivilege	2224	3fdbdc4c320a2145088f68f83a1a562f.exe
Token: SeSystemtimePrivilege	2224	3fdbdc4c320a2145088f68f83a1a562f.exe
Token: SeSystemtimePrivilege	2224	3fdbdc4c320a2145088f68f83a1a562f.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2224	3fdbdc4c320a2145088f68f83a1a562f.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 1760	2224	3fdbdc4c320a2145088f68f83a1a562f.exe	28
PID 2224 wrote to memory of 1760	2224	3fdbdc4c320a2145088f68f83a1a562f.exe	28
PID 2224 wrote to memory of 1760	2224	3fdbdc4c320a2145088f68f83a1a562f.exe	28
PID 2224 wrote to memory of 1760	2224	3fdbdc4c320a2145088f68f83a1a562f.exe	28
PID 2224 wrote to memory of 2056	2224	3fdbdc4c320a2145088f68f83a1a562f.exe	29
PID 2224 wrote to memory of 2056	2224	3fdbdc4c320a2145088f68f83a1a562f.exe	29
PID 2224 wrote to memory of 2056	2224	3fdbdc4c320a2145088f68f83a1a562f.exe	29
PID 2224 wrote to memory of 2056	2224	3fdbdc4c320a2145088f68f83a1a562f.exe	29
PID 2224 wrote to memory of 1092	2224	3fdbdc4c320a2145088f68f83a1a562f.exe	31
PID 2224 wrote to memory of 1092	2224	3fdbdc4c320a2145088f68f83a1a562f.exe	31
PID 2224 wrote to memory of 1092	2224	3fdbdc4c320a2145088f68f83a1a562f.exe	31
PID 2224 wrote to memory of 1092	2224	3fdbdc4c320a2145088f68f83a1a562f.exe	31
PID 2224 wrote to memory of 2168	2224	3fdbdc4c320a2145088f68f83a1a562f.exe	32
PID 2224 wrote to memory of 2168	2224	3fdbdc4c320a2145088f68f83a1a562f.exe	32
PID 2224 wrote to memory of 2168	2224	3fdbdc4c320a2145088f68f83a1a562f.exe	32
PID 2224 wrote to memory of 2168	2224	3fdbdc4c320a2145088f68f83a1a562f.exe	32
PID 2224 wrote to memory of 2160	2224	3fdbdc4c320a2145088f68f83a1a562f.exe	33
PID 2224 wrote to memory of 2160	2224	3fdbdc4c320a2145088f68f83a1a562f.exe	33
PID 2224 wrote to memory of 2160	2224	3fdbdc4c320a2145088f68f83a1a562f.exe	33
PID 2224 wrote to memory of 2160	2224	3fdbdc4c320a2145088f68f83a1a562f.exe	33
PID 2224 wrote to memory of 2196	2224	3fdbdc4c320a2145088f68f83a1a562f.exe	38
PID 2224 wrote to memory of 2196	2224	3fdbdc4c320a2145088f68f83a1a562f.exe	38
PID 2224 wrote to memory of 2196	2224	3fdbdc4c320a2145088f68f83a1a562f.exe	38
PID 2224 wrote to memory of 2196	2224	3fdbdc4c320a2145088f68f83a1a562f.exe	38
PID 2168 wrote to memory of 2144	2168	cmd.exe	41
PID 2168 wrote to memory of 2144	2168	cmd.exe	41
PID 2168 wrote to memory of 2144	2168	cmd.exe	41
PID 2168 wrote to memory of 2144	2168	cmd.exe	41
PID 2160 wrote to memory of 2728	2160	cmd.exe	40
PID 2160 wrote to memory of 2728	2160	cmd.exe	40
PID 2160 wrote to memory of 2728	2160	cmd.exe	40
PID 2160 wrote to memory of 2728	2160	cmd.exe	40
PID 2056 wrote to memory of 2256	2056	cmd.exe	42
PID 2056 wrote to memory of 2256	2056	cmd.exe	42
PID 2056 wrote to memory of 2256	2056	cmd.exe	42
PID 2056 wrote to memory of 2256	2056	cmd.exe	42
PID 2196 wrote to memory of 2804	2196	cmd.exe	44
PID 2196 wrote to memory of 2804	2196	cmd.exe	44
PID 2196 wrote to memory of 2804	2196	cmd.exe	44
PID 2196 wrote to memory of 2804	2196	cmd.exe	44
PID 1092 wrote to memory of 2788	1092	cmd.exe	43
PID 1092 wrote to memory of 2788	1092	cmd.exe	43
PID 1092 wrote to memory of 2788	1092	cmd.exe	43
PID 1092 wrote to memory of 2788	1092	cmd.exe	43
PID 2728 wrote to memory of 2836	2728	net.exe	47
PID 2728 wrote to memory of 2836	2728	net.exe	47
PID 2728 wrote to memory of 2836	2728	net.exe	47
PID 2728 wrote to memory of 2836	2728	net.exe	47
PID 2256 wrote to memory of 2972	2256	net.exe	45
PID 2256 wrote to memory of 2972	2256	net.exe	45
PID 2256 wrote to memory of 2972	2256	net.exe	45
PID 2256 wrote to memory of 2972	2256	net.exe	45
PID 2144 wrote to memory of 2812	2144	net.exe	48
PID 2144 wrote to memory of 2812	2144	net.exe	48
PID 2144 wrote to memory of 2812	2144	net.exe	48
PID 2144 wrote to memory of 2812	2144	net.exe	48
PID 2804 wrote to memory of 2736	2804	net.exe	46
PID 2804 wrote to memory of 2736	2804	net.exe	46
PID 2804 wrote to memory of 2736	2804	net.exe	46
PID 2804 wrote to memory of 2736	2804	net.exe	46
PID 2788 wrote to memory of 2964	2788	net.exe	49
PID 2788 wrote to memory of 2964	2788	net.exe	49
PID 2788 wrote to memory of 2964	2788	net.exe	49
PID 2788 wrote to memory of 2964	2788	net.exe	49

C:\Users\Admin\AppData\Local\Temp\3fdbdc4c320a2145088f68f83a1a562f.exe
"C:\Users\Admin\AppData\Local\Temp\3fdbdc4c320a2145088f68f83a1a562f.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c del %SystemRoot%\system32\Result.txt&del %SystemRoot%\system32\bobo.exe&del %SystemRoot%\system32\sos.exe&del %SystemRoot%\system32\crr.exe&del "%userprofile%\Result.txt"&exit
  2⤵
  PID:1760
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop sharedaccess
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2056
- - C:\Windows\SysWOW64\net.exe
    net stop sharedaccess
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2256
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop sharedaccess
      4⤵
      PID:2972
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop KPfwSvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1092
- - C:\Windows\SysWOW64\net.exe
    net stop KPfwSvc
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2788
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop KPfwSvc
      4⤵
      PID:2964
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop KWatchsvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2168
- - C:\Windows\SysWOW64\net.exe
    net stop KWatchsvc
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2144
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop KWatchsvc
      4⤵
      PID:2812
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop McShield
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Windows\SysWOW64\net.exe
    net stop McShield
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop McShield
      4⤵
      PID:2836
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop "Norton AntiVirus Server"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2196
- - C:\Windows\SysWOW64\net.exe
    net stop "Norton AntiVirus Server"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Norton AntiVirus Server"
      4⤵
      PID:2736

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads