74e23e30cecb8d4af291612797235edd36bf1b18f901e9e2b80d600b2f1f55e4

Analysis

max time kernel
118s
max time network
140s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
04-01-2024 20:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

41ca1001b6d5be576633500f1e794509.exe
Size

285KB
MD5

41ca1001b6d5be576633500f1e794509
SHA1

f1003a000136a9c6bb02022e0c5500bcb4db7326
SHA256

74e23e30cecb8d4af291612797235edd36bf1b18f901e9e2b80d600b2f1f55e4
SHA512

b4d389fa4e2d250de576442b3ccdb354840c3548439ef4c1ab527e51f037dad85ab6f8bb72e5d07649da5e7e1dc7a664656c8118ce4ed95a95ceee183c901652
SSDEEP

6144:/cWESPHaaBrjy1VPFy4ujGfEubV0iQXwGchKMEaPmsnExsz9a9:kaSaF27dyrjG8uZoXXkj

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2684	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2312	svchusts.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ieapfltr.dat	41ca1001b6d5be576633500f1e794509.exe
File created	C:\Windows\SysWOW64\svchusts.exe	41ca1001b6d5be576633500f1e794509.exe
File opened for modification	C:\Windows\SysWOW64\svchusts.exe	41ca1001b6d5be576633500f1e794509.exe
File opened for modification	C:\Windows\SysWOW64\ieapfltr.dat	svchusts.exe
File opened for modification	C:\Windows\SysWOW64\svchusts.exe	svchusts.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\uninstal.bat	41ca1001b6d5be576633500f1e794509.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2452	41ca1001b6d5be576633500f1e794509.exe
Token: SeDebugPrivilege	2312	svchusts.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2452 wrote to memory of 2684	2452	41ca1001b6d5be576633500f1e794509.exe	30
PID 2452 wrote to memory of 2684	2452	41ca1001b6d5be576633500f1e794509.exe	30
PID 2452 wrote to memory of 2684	2452	41ca1001b6d5be576633500f1e794509.exe	30
PID 2452 wrote to memory of 2684	2452	41ca1001b6d5be576633500f1e794509.exe	30
PID 2452 wrote to memory of 2684	2452	41ca1001b6d5be576633500f1e794509.exe	30
PID 2452 wrote to memory of 2684	2452	41ca1001b6d5be576633500f1e794509.exe	30
PID 2452 wrote to memory of 2684	2452	41ca1001b6d5be576633500f1e794509.exe	30

C:\Users\Admin\AppData\Local\Temp\41ca1001b6d5be576633500f1e794509.exe
"C:\Users\Admin\AppData\Local\Temp\41ca1001b6d5be576633500f1e794509.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2452
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\uninstal.bat
  2⤵
  - Deletes itself
  PID:2684

C:\Windows\SysWOW64\svchusts.exe
C:\Windows\SysWOW64\svchusts.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2312

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\svchusts.exe

Filesize
259KB

MD5
9314bb9a075d2995cfd03f8dc73c0cb9

SHA1
9d5968813b4fc4ab8168179b628e272de8c0a102

SHA256
68b478ce99d97867c6d5cc41ad7c7166d78516da23d533926e4599b1889406a6

SHA512
3a2b42b4ef02624695175dd6b5343dc146b52a6dc50e4fd04228b25bfde96e3df51e68de2935b6123374ca289b8df650061b55cf34003c2ac7c68ca203bc96c4

Download Submit
C:\Windows\SysWOW64\svchusts.exe

Filesize
9KB

MD5
84b6412fd257bb7460d5aff65d42d161

SHA1
6c4d99816be65ae0885a1b2242221cba1a116330

SHA256
a3f646bea033acd169b20fd3d019ccb83dbc3ac5a704c9426981456ea26bb425

SHA512
d4b2eed6ef1b520f60a3150b6f43aac6717a321d981bc041626b8f85153056e9adfdda968f8f847e5f3e2d5b6bde5fcd4ea13403e98d694051b9620cf3ddb1f4

Download Submit
C:\Windows\uninstal.bat

Filesize
190B

MD5
aeb1cf086f514a37508d3643c81441fc

SHA1
f7efa5a5577b98cb50a76f6ba14faeaeaf4f0fa4

SHA256
96bccf38fc90f7eb56ed2357dc43f6aad36058ee192591526974b6dc2354e326

SHA512
cdad85d9637734ac4dc30885afccb8bc940144ef174ba9da948816d376060facfefbc07dc516af6a3e9d54c8f862a9589096a9746311efc9a724391a99743c1d

Download Submit
memory/2312-6-0x0000000000400000-0x0000000000516200-memory.dmp

Filesize
1.1MB

Download
memory/2312-7-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2312-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2312-10-0x0000000000400000-0x0000000000516200-memory.dmp

Filesize
1.1MB

Download
memory/2452-0-0x0000000000400000-0x0000000000516200-memory.dmp

Filesize
1.1MB

Download
memory/2452-1-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2452-2-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2452-18-0x0000000000400000-0x0000000000516200-memory.dmp

Filesize
1.1MB

Download