6666221c343901c134a1f2c986ec82d1b1cd7f82902e34ec4a853a2bc6e97654

Analysis

max time kernel
134s
max time network
136s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
05/01/2024, 19:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

44384b3b56e658c045241a9dd3797c3c.exe
Size

182KB
MD5

44384b3b56e658c045241a9dd3797c3c
SHA1

e60511f2fd01ec4ce3c3f0a6d1a0ac788cd85632
SHA256

6666221c343901c134a1f2c986ec82d1b1cd7f82902e34ec4a853a2bc6e97654
SHA512

a2c8c32301f2ddf7de7a1de7863a6e96eff589be2ea512a13b860cbf941888e86a0778761fe09bd592179fea129baf321effc6c3ee11dea76c1b429bc3d66703
SSDEEP

3072:rfvvOq5r7q8XfvTEJsyM4r3mIg/QooutG:rfeq5rmsfvDs3+poSG

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
1752	44384b3b56e658c045241a9dd3797c3c.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\259399913.DLL	44384b3b56e658c045241a9dd3797c3c.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\rfdltecn\ieoifz.pif	44384b3b56e658c045241a9dd3797c3c.exe
File opened for modification	C:\Program Files (x86)\Common Files\rfdltecn\ieoifz.pif	44384b3b56e658c045241a9dd3797c3c.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	44384b3b56e658c045241a9dd3797c3c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}	44384b3b56e658c045241a9dd3797c3c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32\ = "C:\\Windows\\SysWow64\\259399913.DLL"	44384b3b56e658c045241a9dd3797c3c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32	44384b3b56e658c045241a9dd3797c3c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	44384b3b56e658c045241a9dd3797c3c.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1752	44384b3b56e658c045241a9dd3797c3c.exe
1752	44384b3b56e658c045241a9dd3797c3c.exe
1752	44384b3b56e658c045241a9dd3797c3c.exe
1752	44384b3b56e658c045241a9dd3797c3c.exe
1752	44384b3b56e658c045241a9dd3797c3c.exe
1752	44384b3b56e658c045241a9dd3797c3c.exe
1752	44384b3b56e658c045241a9dd3797c3c.exe
1752	44384b3b56e658c045241a9dd3797c3c.exe
1752	44384b3b56e658c045241a9dd3797c3c.exe
1752	44384b3b56e658c045241a9dd3797c3c.exe
1752	44384b3b56e658c045241a9dd3797c3c.exe
1752	44384b3b56e658c045241a9dd3797c3c.exe
1752	44384b3b56e658c045241a9dd3797c3c.exe
1752	44384b3b56e658c045241a9dd3797c3c.exe
1752	44384b3b56e658c045241a9dd3797c3c.exe
1752	44384b3b56e658c045241a9dd3797c3c.exe
1752	44384b3b56e658c045241a9dd3797c3c.exe
1752	44384b3b56e658c045241a9dd3797c3c.exe
1752	44384b3b56e658c045241a9dd3797c3c.exe
1752	44384b3b56e658c045241a9dd3797c3c.exe
1752	44384b3b56e658c045241a9dd3797c3c.exe
1752	44384b3b56e658c045241a9dd3797c3c.exe
1752	44384b3b56e658c045241a9dd3797c3c.exe
1752	44384b3b56e658c045241a9dd3797c3c.exe
1752	44384b3b56e658c045241a9dd3797c3c.exe
1752	44384b3b56e658c045241a9dd3797c3c.exe
1752	44384b3b56e658c045241a9dd3797c3c.exe
1752	44384b3b56e658c045241a9dd3797c3c.exe
1752	44384b3b56e658c045241a9dd3797c3c.exe
1752	44384b3b56e658c045241a9dd3797c3c.exe
1752	44384b3b56e658c045241a9dd3797c3c.exe
1752	44384b3b56e658c045241a9dd3797c3c.exe
1752	44384b3b56e658c045241a9dd3797c3c.exe
1752	44384b3b56e658c045241a9dd3797c3c.exe
1752	44384b3b56e658c045241a9dd3797c3c.exe
1752	44384b3b56e658c045241a9dd3797c3c.exe
1752	44384b3b56e658c045241a9dd3797c3c.exe
1752	44384b3b56e658c045241a9dd3797c3c.exe
1752	44384b3b56e658c045241a9dd3797c3c.exe
1752	44384b3b56e658c045241a9dd3797c3c.exe
1752	44384b3b56e658c045241a9dd3797c3c.exe
1752	44384b3b56e658c045241a9dd3797c3c.exe
1752	44384b3b56e658c045241a9dd3797c3c.exe
1752	44384b3b56e658c045241a9dd3797c3c.exe
1752	44384b3b56e658c045241a9dd3797c3c.exe
1752	44384b3b56e658c045241a9dd3797c3c.exe
1752	44384b3b56e658c045241a9dd3797c3c.exe
1752	44384b3b56e658c045241a9dd3797c3c.exe
1752	44384b3b56e658c045241a9dd3797c3c.exe
1752	44384b3b56e658c045241a9dd3797c3c.exe
1752	44384b3b56e658c045241a9dd3797c3c.exe
1752	44384b3b56e658c045241a9dd3797c3c.exe
1752	44384b3b56e658c045241a9dd3797c3c.exe
1752	44384b3b56e658c045241a9dd3797c3c.exe
1752	44384b3b56e658c045241a9dd3797c3c.exe
1752	44384b3b56e658c045241a9dd3797c3c.exe
1752	44384b3b56e658c045241a9dd3797c3c.exe
1752	44384b3b56e658c045241a9dd3797c3c.exe
1752	44384b3b56e658c045241a9dd3797c3c.exe
1752	44384b3b56e658c045241a9dd3797c3c.exe
1752	44384b3b56e658c045241a9dd3797c3c.exe
1752	44384b3b56e658c045241a9dd3797c3c.exe
1752	44384b3b56e658c045241a9dd3797c3c.exe
1752	44384b3b56e658c045241a9dd3797c3c.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1752	44384b3b56e658c045241a9dd3797c3c.exe
Token: SeDebugPrivilege	1752	44384b3b56e658c045241a9dd3797c3c.exe

C:\Users\Admin\AppData\Local\Temp\44384b3b56e658c045241a9dd3797c3c.exe
"C:\Users\Admin\AppData\Local\Temp\44384b3b56e658c045241a9dd3797c3c.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1752

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\259399913.DLL

Filesize
12.1MB

MD5
fda4d3f13d2d0cc3b30f780f3c3b1e7f

SHA1
bd00ed53e145cfa563ca4892571409203a788e1b

SHA256
e68a97901401cc5b273915c78db895f88680776520904329b2d9e7cc44624c50

SHA512
bb9d210f024ade2b3de54cd699d63cccfea24d1c088fea398b9998e87febebeb000ac566f55248450eb16f0acc7cb7b8b5f80759144876bcdd78c9165ff089a5

Download Submit
memory/1752-1-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download