30228ceb25bab148f7c68560f04dfc165f7ea2b1a1cb6061cedafd105a81180c

Analysis

max time kernel
104s
max time network
35s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
08-01-2024 21:46

Target

4c88050e2388b34868bfaf92aa73e281.exe
Size

100KB
MD5

4c88050e2388b34868bfaf92aa73e281
SHA1

c5c0b13e5235c1c90f9293239aac7dda68def8a8
SHA256

30228ceb25bab148f7c68560f04dfc165f7ea2b1a1cb6061cedafd105a81180c
SHA512

a577bc2b7dbed879490e00c6e1b6b084d575b0ab966459b7715fdbbe477d5cfb475347a8763b95886b94a50622c8a0a2be2296816d7912249e909b6eb5f3b3e0
SSDEEP

768:5KNxBxNAXlHUnI6R5j5d1PtbG36Y4WjM9g/3VhLud:0NxbNAXtUnI6R5j5bvAz

Score

7^/10

Loads dropped DLL 1 IoCs

pid	Process
3888	4c88050e2388b34868bfaf92aa73e281.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\qdshm.dll	4c88050e2388b34868bfaf92aa73e281.exe
File opened for modification	C:\Windows\SysWOW64\addrgjhelp.cfg	4c88050e2388b34868bfaf92aa73e281.exe
File opened for modification	C:\Windows\SysWOW64\addrgjhelp.dll	4c88050e2388b34868bfaf92aa73e281.exe
File created	C:\Windows\SysWOW64\addrgjhelp.dll	4c88050e2388b34868bfaf92aa73e281.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3888	4c88050e2388b34868bfaf92aa73e281.exe
3888	4c88050e2388b34868bfaf92aa73e281.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
3888	4c88050e2388b34868bfaf92aa73e281.exe
652	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	3888	4c88050e2388b34868bfaf92aa73e281.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3888 wrote to memory of 1648	3888	4c88050e2388b34868bfaf92aa73e281.exe	18
PID 3888 wrote to memory of 1648	3888	4c88050e2388b34868bfaf92aa73e281.exe	18
PID 3888 wrote to memory of 1648	3888	4c88050e2388b34868bfaf92aa73e281.exe	18

C:\Users\Admin\AppData\Local\Temp\4c88050e2388b34868bfaf92aa73e281.exe
"C:\Users\Admin\AppData\Local\Temp\4c88050e2388b34868bfaf92aa73e281.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3888
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\4c88050e2388b34868bfaf92aa73e281.exe"
  2⤵
  PID:1648

C:\Windows\SysWOW64\qdshm.dll

Filesize
1KB

MD5
91727794b30d33f5e56a62242685ed90

SHA1
bbdd05295f19489defeddfafa190030a524e3ce5

SHA256
180c4b061f93635765f40a82cc748e529a16c66938a0980596e11adb51ffb341

SHA512
dbcd7e02391597a252406cfc380db9eb2a1225485d3f000346acb088325c7908ab15ea089afb2a0dd1d903ff22d516fddf6494c4ede66916cd4c8a66354b6905

Download Submit