53bf47a1f95a3fa29da9d84ddc76fe47750b2d334fd9e0a6a738d9137a447307

Analysis

max time kernel
117s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
05-01-2024 03:10

Target

429c58ff541cedd417bac381255df43c.exe
Size

12KB
MD5

429c58ff541cedd417bac381255df43c
SHA1

d0a07e34464ed721163fea9895c4b6cb425a365d
SHA256

53bf47a1f95a3fa29da9d84ddc76fe47750b2d334fd9e0a6a738d9137a447307
SHA512

63420f8d07172629e856d4632e2a3929912b1db1c1d2b3c2c0d30703a5c246f295cf5070312f3ad694685b1f5a4e5fa7dc30535a1fa97b104c36980a670ac3fb
SSDEEP

192:vtzVhP3zDgcPJAndzoS2/n2raIedJK5U54uaykB5YWfnD1Mky1i6wdpap:1H3vPBAGSA2/efKG5yy65L1w1VyY

Score

7^/10

Loads dropped DLL 1 IoCs

pid	Process
1432	429c58ff541cedd417bac381255df43c.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wodoor0.dll	429c58ff541cedd417bac381255df43c.exe
File opened for modification	C:\Windows\SysWOW64\wodoor0.dll	429c58ff541cedd417bac381255df43c.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5731EA1D-4DE9-BDDA-6AAF-7B390A75B286}	429c58ff541cedd417bac381255df43c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5731EA1D-4DE9-BDDA-6AAF-7B390A75B286}\daExeModuleName = "C:\\Users\\Admin\\AppData\\Local\\Temp\\429c58ff541cedd417bac381255df43c.exe"	429c58ff541cedd417bac381255df43c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5731EA1D-4DE9-BDDA-6AAF-7B390A75B286}\daDllModuleName = "C:\\Windows\\SysWow64\\wodoor0.dll"	429c58ff541cedd417bac381255df43c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5731EA1D-4DE9-BDDA-6AAF-7B390A75B286}\daSobjEventName = "YUTDFGHKHCOOLWO_0"	429c58ff541cedd417bac381255df43c.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1432	429c58ff541cedd417bac381255df43c.exe

Suspicious use of WriteProcessMemory 1 IoCs

description	pid	Process	procid_target
PID 1432 wrote to memory of 1256	1432	429c58ff541cedd417bac381255df43c.exe	15

\Windows\SysWOW64\wodoor0.dll

Filesize
24KB

MD5
d0a2dfcb04638a437423ca40949d5815

SHA1
3e887057a38eee2f6d83dfd898bef9d82922daae

SHA256
a4404a13612b15a8ca8ef23a9a0acd8b79ef0316776999d887f63386240e8c75

SHA512
176e92b2efbccff4a6368feb25b4b0624451b26636ef551f2640fad52af4a0276aa2d5d2f7d69ff3486f996082de7b6ee8225eb738e729751f0f8802de969b9f

Download Submit
memory/1256-5-0x0000000002A70000-0x0000000002A71000-memory.dmp

Filesize
4KB

Download
memory/1432-6-0x0000000010000000-0x0000000010009000-memory.dmp

Filesize
36KB

Download
memory/1432-4-0x0000000010000000-0x0000000010009000-memory.dmp

Filesize
36KB

Download