eb0a30224a7630235397140f9febee8643ab81af45e7e282d720aec37a047dde

Analysis

max time kernel
122s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
08/01/2024, 22:27

Target

4c9d608c21b9fa8bbb70b5356e947adb.exe
Size

61KB
MD5

4c9d608c21b9fa8bbb70b5356e947adb
SHA1

c87c1f1c6e4a8852f97a1ac82ea1d0fb55b3ec8f
SHA256

eb0a30224a7630235397140f9febee8643ab81af45e7e282d720aec37a047dde
SHA512

7bb692c6dd3c4efc84833e1bff33f6d39ee83aaf4c7f3acab3c4d72f7aedff8a4d9cd1c5b0cf2405d465cab3bd031225da3fd3d2f738fc4c349322780e3a22c6
SSDEEP

1536:8ZZ9s1r4H0FmPl4wK+a7SMqRPdbwK8aAAT3bPjb3Ltn+S2KeiWamt/H/oFI8UpJS:q9sV4H0FmPl4wK+a7SMqRPdbwK8aAATz

Score

8^/10

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\beep.sys	4c9d608c21b9fa8bbb70b5356e947adb.exe
File opened for modification	C:\Windows\SysWOW64\drivers\beep.sys	windows.exe

Executes dropped EXE 1 IoCs

pid	Process
2528	windows.exe

Loads dropped DLL 3 IoCs

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\windows.dll	windows.exe
File created	C:\Windows\SysWOW64\windows.exe	4c9d608c21b9fa8bbb70b5356e947adb.exe
File opened for modification	C:\Windows\SysWOW64\windows.exe	4c9d608c21b9fa8bbb70b5356e947adb.exe
File created	C:\Windows\SysWOW64\windows.dll	4c9d608c21b9fa8bbb70b5356e947adb.exe
File opened for modification	C:\Windows\SysWOW64\windows.dll	4c9d608c21b9fa8bbb70b5356e947adb.exe
File created	C:\Windows\SysWOW64\windows.dat	windows.exe
File created	C:\Windows\SysWOW64\windows.exe	windows.exe
File opened for modification	C:\Windows\SysWOW64\windows.exe	windows.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2736	2528	WerFault.exe	28

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
468	Process not Found
468	Process not Found

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2512	4c9d608c21b9fa8bbb70b5356e947adb.exe
Token: SeIncBasePriorityPrivilege	2528	windows.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 2884	2512	4c9d608c21b9fa8bbb70b5356e947adb.exe	29
PID 2512 wrote to memory of 2884	2512	4c9d608c21b9fa8bbb70b5356e947adb.exe	29
PID 2512 wrote to memory of 2884	2512	4c9d608c21b9fa8bbb70b5356e947adb.exe	29
PID 2512 wrote to memory of 2884	2512	4c9d608c21b9fa8bbb70b5356e947adb.exe	29
PID 2528 wrote to memory of 2856	2528	windows.exe	31
PID 2528 wrote to memory of 2856	2528	windows.exe	31
PID 2528 wrote to memory of 2856	2528	windows.exe	31
PID 2528 wrote to memory of 2856	2528	windows.exe	31
PID 2528 wrote to memory of 2736	2528	windows.exe	30
PID 2528 wrote to memory of 2736	2528	windows.exe	30
PID 2528 wrote to memory of 2736	2528	windows.exe	30
PID 2528 wrote to memory of 2736	2528	windows.exe	30

C:\Users\Admin\AppData\Local\Temp\4c9d608c21b9fa8bbb70b5356e947adb.exe
"C:\Users\Admin\AppData\Local\Temp\4c9d608c21b9fa8bbb70b5356e947adb.exe"
1⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\4C9D60~1.EXE > nul
  2⤵
  PID:2884

C:\Windows\SysWOW64\windows.exe
C:\Windows\SysWOW64\windows.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 212
  2⤵
  - Loads dropped DLL
  - Program crash
  PID:2736
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\windows.exe > nul
  2⤵
  PID:2856

C:\Users\Admin\AppData\Local\Temp\18566.dat

Filesize
224B

MD5
037dc86d4f46afc60d1a8bdd42611055

SHA1
de5b73eec7da04aaea5e00bac367c015c2487030

SHA256
c7905fb0cf87bf590c9602853d2f1fb3ba918202b1041a1b0b106a4ab2eb9ff7

SHA512
7c0658daaaa7c623c168a02deac423bee4330bdc3c4a6051bd7277619d4d6ae365334096b3b5f95d6ac6722654c5d0e93412b28efa06b5a93f4a776766509f79

Download Submit
C:\Windows\SysWOW64\drivers\beep.sys

Filesize
3KB

MD5
3ebdb873a18aecc8d4b6c3b39002c0ea

SHA1
c465747641c9cff0faeaba8fca5558a459545bfd

SHA256
c87d8835a362be5f4e8506afb7be753cb562a7a950417df0ec7e781a0ba846bd

SHA512
77b955e6988ec1df46298505b8a2c68aaa86ccc5f7df0a66694e737ebe64326ab0ed788b156c280e207241c1815ffc16e6d1ed3e2cbf5a8a9c5cb7d990da2189

Download Submit
C:\Windows\SysWOW64\windows.dll

Filesize
45KB

MD5
44a4d85742e4c03c3ced147a9ba34386

SHA1
171849a73d9050eaad20f737ccdd27ae26f7b5cb

SHA256
b00931d8e3d7380a2a8792246441f2a8bd1bdd8902d9366cd1c66b9681488601

SHA512
389300a19f537eea2a70237ffbdbde59bb98d97d761cc31d8a6dbc90412082e6876ebe9f482672170262ac9723057b98added2f710a0bf82f369e2f23d73335a

Download Submit
C:\Windows\SysWOW64\windows.exe

Filesize
61KB

MD5
4c9d608c21b9fa8bbb70b5356e947adb

SHA1
c87c1f1c6e4a8852f97a1ac82ea1d0fb55b3ec8f

SHA256
eb0a30224a7630235397140f9febee8643ab81af45e7e282d720aec37a047dde

SHA512
7bb692c6dd3c4efc84833e1bff33f6d39ee83aaf4c7f3acab3c4d72f7aedff8a4d9cd1c5b0cf2405d465cab3bd031225da3fd3d2f738fc4c349322780e3a22c6

Download Submit