569a48bd5b72021c8575a66289aa4ff67a95fa384e731862a6dd2d6d5a63786c

Analysis

max time kernel
122s
max time network
129s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
08/01/2024, 09:15

Target

4b09e28557437858ce79b8aa41efc628.exe
Size

20KB
MD5

4b09e28557437858ce79b8aa41efc628
SHA1

e7f88fa85e4ded92ed936e96a1c46866ed11e08e
SHA256

569a48bd5b72021c8575a66289aa4ff67a95fa384e731862a6dd2d6d5a63786c
SHA512

d58777555bf5e8411e17aa7f4f81f588656645fc7469a690f090d551ba868c1d54df03dd2b109017c6fdd7459c96f6381075fca03a57c8650d7021c5bb1358b2
SSDEEP

384:oUHbYVQF9kQ7eMnCOyoGKi5yKBPoyeMcgNQ+YO3sxyJ4RjIr:p7YVg7e5bt3P7eMzNQ+Yq6RIr

Score

7^/10

Deletes itself 1 IoCs

pid	Process
2740	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
2216	4b09e28557437858ce79b8aa41efc628.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rxjhatl.dll	4b09e28557437858ce79b8aa41efc628.exe
File created	C:\Windows\SysWOW64\mseam.sys	4b09e28557437858ce79b8aa41efc628.exe
File created	C:\Windows\SysWOW64\sqmapi32.dll	4b09e28557437858ce79b8aa41efc628.exe
File opened for modification	C:\Windows\SysWOW64\rxjhatl.cfg	4b09e28557437858ce79b8aa41efc628.exe
File opened for modification	C:\Windows\SysWOW64\rxjhatl.dll	4b09e28557437858ce79b8aa41efc628.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2216	4b09e28557437858ce79b8aa41efc628.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
2216	4b09e28557437858ce79b8aa41efc628.exe
468	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	2216	4b09e28557437858ce79b8aa41efc628.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 2740	2216	4b09e28557437858ce79b8aa41efc628.exe	19
PID 2216 wrote to memory of 2740	2216	4b09e28557437858ce79b8aa41efc628.exe	19
PID 2216 wrote to memory of 2740	2216	4b09e28557437858ce79b8aa41efc628.exe	19
PID 2216 wrote to memory of 2740	2216	4b09e28557437858ce79b8aa41efc628.exe	19

C:\Users\Admin\AppData\Local\Temp\4b09e28557437858ce79b8aa41efc628.exe
"C:\Users\Admin\AppData\Local\Temp\4b09e28557437858ce79b8aa41efc628.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\4b09e28557437858ce79b8aa41efc628.exe"
  2⤵
  - Deletes itself
  PID:2740

\Windows\SysWOW64\sqmapi32.dll

Filesize
9KB

MD5
85cb5a1551f8e7a11f0f4ed03eef5c8d

SHA1
cf642ab3f5c1b11c3406cf39133133a5b81b57ae

SHA256
60e9c07831eca24c5d3ae2417aeeefd6a76b33d223d2fabf5bf57e4fa8738a80

SHA512
585e32c7561b00875c0ecc35f87c8f11bbf5189c867056f685a86a503ec1b87a054ecf125f61a536acc52b5f0649152270b2f0d58a354eb824d3bc8f9dfa65ea

Download Submit