88a2cbdfece2d1a900fd6da5152bbf8cd41375eab9bc4ccb53448879646f7006

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
08-01-2024 20:26

Target

4c617e0ea26bac4543b48001cea54686.exe
Size

16KB
MD5

4c617e0ea26bac4543b48001cea54686
SHA1

730cb3d2591406075b2bdd4e57bc1a2001f11a68
SHA256

88a2cbdfece2d1a900fd6da5152bbf8cd41375eab9bc4ccb53448879646f7006
SHA512

c9bd5002682b9fadf36826cbd4cc8b062e91a4915fa54cacff5d014453b2379e26dbbf67a5a2c102c20362d44512fae73689a541a5b2197cc760ff13e050a7e4
SSDEEP

384:8MeEW+QwfFQQg2bB+VNkr/qc2SkxThSlm3njVyBDPO3EkkcfXeARipr:8MhSp4+syc2SxE3jsWUkXXeHpr

Score

7^/10

Deletes itself 1 IoCs

pid	Process
2368	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1744	4c617e0ea26bac4543b48001cea54686.exe
1744	4c617e0ea26bac4543b48001cea54686.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\videodevice.dll	4c617e0ea26bac4543b48001cea54686.exe
File opened for modification	C:\Windows\SysWOW64\gdwli32.cfg	4c617e0ea26bac4543b48001cea54686.exe
File opened for modification	C:\Windows\SysWOW64\gdwli32.dll	4c617e0ea26bac4543b48001cea54686.exe
File created	C:\Windows\SysWOW64\gdwli32.dll	4c617e0ea26bac4543b48001cea54686.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
1744	4c617e0ea26bac4543b48001cea54686.exe
464	Process not Found

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	1744	4c617e0ea26bac4543b48001cea54686.exe
Token: SeDebugPrivilege	1744	4c617e0ea26bac4543b48001cea54686.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1744 wrote to memory of 1388	1744	4c617e0ea26bac4543b48001cea54686.exe	22
PID 1744 wrote to memory of 2368	1744	4c617e0ea26bac4543b48001cea54686.exe	17
PID 1744 wrote to memory of 2368	1744	4c617e0ea26bac4543b48001cea54686.exe	17
PID 1744 wrote to memory of 2368	1744	4c617e0ea26bac4543b48001cea54686.exe	17
PID 1744 wrote to memory of 2368	1744	4c617e0ea26bac4543b48001cea54686.exe	17

C:\Users\Admin\AppData\Local\Temp\4c617e0ea26bac4543b48001cea54686.exe
"C:\Users\Admin\AppData\Local\Temp\4c617e0ea26bac4543b48001cea54686.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1744
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\4c617e0ea26bac4543b48001cea54686.exe"
  2⤵
  - Deletes itself
  PID:2368

\Windows\SysWOW64\videodevice.dll

Filesize
4KB

MD5
4fb4d73613efbe912e2c930f0f15c2e2

SHA1
953ea3b28b33259ebf0ddbd8de9015c11a6307b8

SHA256
f5d256e5f53a73b6dcc3683c6cc9f13e5c1eaf6b831d85babebed87f5b4630b2

SHA512
f1d1ee74bc0cc0931283f34f3f2520e8141a280ed3555c9cc5d3a28acbcb929a37a8af04a219b86748cd205dae7d9068b51b12a410ae0cfefe3a1271345dd90f

Download Submit
memory/1388-8-0x00000000025F0000-0x00000000025F1000-memory.dmp

Filesize
4KB

Download
memory/1744-3-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/1744-9-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/1744-7-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download