de54a5e0dec0660441f8043d39bcb4eb28ec296f3712d353b8d68fcba5e12cd8

Analysis

max time kernel
142s
max time network
120s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
09-01-2024 19:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4efe3d8f510547ea9bc0eeb8c3cbca68.exe
Size

367KB
MD5

4efe3d8f510547ea9bc0eeb8c3cbca68
SHA1

840b756f168503eb5936515f9b4b68e0d63b306d
SHA256

de54a5e0dec0660441f8043d39bcb4eb28ec296f3712d353b8d68fcba5e12cd8
SHA512

d6ddd1eb1acdfd7cc719019b6fc30959aeb55b6790075fc02cbc6936e87c317199dabdaf650b693d22583dffbfbc7af5d21da229d665fe40e1e198eaaa039b6e
SSDEEP

6144:GD+0Mb3W/sEZm6YTmfpUaY6vvYttf+NsB1OnCSntQ1FcO3MHludq:GD+Z6/swJYTwM6ntNsrOCSa1P3akc

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2752	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2820	svchost

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1852	4efe3d8f510547ea9bc0eeb8c3cbca68.exe
2820	svchost

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\svchost	4efe3d8f510547ea9bc0eeb8c3cbca68.exe
File opened for modification	C:\Windows\svchost	4efe3d8f510547ea9bc0eeb8c3cbca68.exe
File created	C:\Windows\uninstal.bat	4efe3d8f510547ea9bc0eeb8c3cbca68.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1852	4efe3d8f510547ea9bc0eeb8c3cbca68.exe
Token: SeDebugPrivilege	2820	svchost

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2820	svchost

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2820 wrote to memory of 2688	2820	svchost	29
PID 2820 wrote to memory of 2688	2820	svchost	29
PID 2820 wrote to memory of 2688	2820	svchost	29
PID 2820 wrote to memory of 2688	2820	svchost	29
PID 1852 wrote to memory of 2752	1852	4efe3d8f510547ea9bc0eeb8c3cbca68.exe	30
PID 1852 wrote to memory of 2752	1852	4efe3d8f510547ea9bc0eeb8c3cbca68.exe	30
PID 1852 wrote to memory of 2752	1852	4efe3d8f510547ea9bc0eeb8c3cbca68.exe	30
PID 1852 wrote to memory of 2752	1852	4efe3d8f510547ea9bc0eeb8c3cbca68.exe	30
PID 1852 wrote to memory of 2752	1852	4efe3d8f510547ea9bc0eeb8c3cbca68.exe	30
PID 1852 wrote to memory of 2752	1852	4efe3d8f510547ea9bc0eeb8c3cbca68.exe	30
PID 1852 wrote to memory of 2752	1852	4efe3d8f510547ea9bc0eeb8c3cbca68.exe	30

C:\Users\Admin\AppData\Local\Temp\4efe3d8f510547ea9bc0eeb8c3cbca68.exe
"C:\Users\Admin\AppData\Local\Temp\4efe3d8f510547ea9bc0eeb8c3cbca68.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1852
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\uninstal.bat
  2⤵
  - Deletes itself
  PID:2752

C:\Windows\svchost
C:\Windows\svchost
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Program Files\Internet Explorer\IexplOrE.ExE
  "C:\Program Files\Internet Explorer\IexplOrE.ExE"
  2⤵
  PID:2688

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\svchost

Filesize
367KB

MD5
4efe3d8f510547ea9bc0eeb8c3cbca68

SHA1
840b756f168503eb5936515f9b4b68e0d63b306d

SHA256
de54a5e0dec0660441f8043d39bcb4eb28ec296f3712d353b8d68fcba5e12cd8

SHA512
d6ddd1eb1acdfd7cc719019b6fc30959aeb55b6790075fc02cbc6936e87c317199dabdaf650b693d22583dffbfbc7af5d21da229d665fe40e1e198eaaa039b6e

Download Submit
C:\Windows\uninstal.bat

Filesize
190B

MD5
5aaf6167bc444626a21e417f0316ae6f

SHA1
e070c0c25b033b3600e993a00435dfb571e8789a

SHA256
261d9aa36f6c2b04ceb0e863358e5d84c426e9b420ba6064bc227c1e8dbb886b

SHA512
8bf464d6a618930c7db211b0574b53a75aa32b846afec94e7a2309581c2e0703f12c91d9316709291009409f9c50ea90ed0b31abf85a6d54a7e51f2462b2941c

Download Submit
memory/1852-2-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/1852-1-0x0000000000380000-0x0000000000382000-memory.dmp

Filesize
8KB

Download
memory/1852-0-0x0000000000400000-0x00000000004E3E44-memory.dmp

Filesize
911KB

Download
memory/1852-16-0x0000000000400000-0x00000000004E3E44-memory.dmp

Filesize
911KB

Download
memory/2820-7-0x0000000001CA0000-0x0000000001CA2000-memory.dmp

Filesize
8KB

Download
memory/2820-8-0x0000000001CB0000-0x0000000001CB1000-memory.dmp

Filesize
4KB

Download
memory/2820-18-0x0000000000400000-0x00000000004E3E44-memory.dmp

Filesize
911KB

Download
memory/2820-19-0x0000000000400000-0x00000000004E3E44-memory.dmp

Filesize
911KB

Download
memory/2820-20-0x0000000001CA0000-0x0000000001CA2000-memory.dmp

Filesize
8KB

Download
memory/2820-22-0x0000000001CB0000-0x0000000001CB1000-memory.dmp

Filesize
4KB

Download
memory/2820-26-0x0000000000400000-0x00000000004E3E44-memory.dmp

Filesize
911KB

Download