Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/01/2024, 19:10
Static task: static1
Behavioral task: behavioral1
  Sample: 44384b3b56e658c045241a9dd3797c3c.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 44384b3b56e658c045241a9dd3797c3c.exe
  Resource: win10v2004-20231222-en
General
Target: 44384b3b56e658c045241a9dd3797c3c.exe
Size: 182KB
MD5: 44384b3b56e658c045241a9dd3797c3c
SHA1: e60511f2fd01ec4ce3c3f0a6d1a0ac788cd85632
SHA256: 6666221c343901c134a1f2c986ec82d1b1cd7f82902e34ec4a853a2bc6e97654
SHA512: a2c8c32301f2ddf7de7a1de7863a6e96eff589be2ea512a13b860cbf941888e86a0778761fe09bd592179fea129baf321effc6c3ee11dea76c1b429bc3d66703
SSDEEP: 3072:rfvvOq5r7q8XfvTEJsyM4r3mIg/QooutG:rfeq5rmsfvDs3+poSG
Malware Config
Signatures
Loads dropped DLL (1 IoC)
  pid: 2332  Process: 44384b3b56e658c045241a9dd3797c3c.exe
Drops file in System32 directory (1 IoC)
  File created: C:\Windows\SysWOW64\240602390.DLL  Process: 44384b3b56e658c045241a9dd3797c3c.exe
Drops file in Program Files directory (2 IoCs)
  File created: C:\Program Files (x86)\Common Files\rfdltecn\ieoifz.pif  Process: 44384b3b56e658c045241a9dd3797c3c.exe
  File opened for modification: C:\Program Files (x86)\Common Files\rfdltecn\ieoifz.pif  Process: 44384b3b56e658c045241a9dd3797c3c.exe
Modifies registry class (5 IoCs)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32\ = "C:\\Windows\\SysWow64\\240602390.DLL"  Process: 44384b3b56e658c045241a9dd3797c3c.exe
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32  Process: 44384b3b56e658c045241a9dd3797c3c.exe
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node  Process: 44384b3b56e658c045241a9dd3797c3c.exe
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID  Process: 44384b3b56e658c045241a9dd3797c3c.exe
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}  Process: 44384b3b56e658c045241a9dd3797c3c.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid: 2332  Process: 44384b3b56e658c045241a9dd3797c3c.exe (the same pid/process entry is listed for all 64 IoCs)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  pid: 2332  Process: 44384b3b56e658c045241a9dd3797c3c.exe
  Token: SeDebugPrivilege  pid: 2332  Process: 44384b3b56e658c045241a9dd3797c3c.exe
Processes
Process: C:\Users\Admin\AppData\Local\Temp\44384b3b56e658c045241a9dd3797c3c.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\44384b3b56e658c045241a9dd3797c3c.exe"
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2332
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 6.5MB
  MD5: dce9fa514c892ba99595ee3b3ad893cc
  SHA1: dfeeea7a556a3762a616e2b1199df81bee6809d1
  SHA256: 45477349a7058c397cd832a0faabefa5e3512b3ff42fd86a0e78ea2bf89a5b6f
  SHA512: 9a8363107cc9d4b55e0e5e2fc37c0f1b44b2b5b8c6652c9698ba1bc631d6165d950cd957333d566ddec13c6b0e9cbcca3c573f655fa0fe265197e29e6730091e