Analysis
- max time kernel: 13s
- max time network: 133s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 10/01/2024, 06:19
Static task: static1
Behavioral task: behavioral1
- Sample: 4fd0368a5c08dffe2002474254e3298a.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 4fd0368a5c08dffe2002474254e3298a.exe
- Resource: win10v2004-20231222-en
General
- Target: 4fd0368a5c08dffe2002474254e3298a.exe
- Size: 443KB
- MD5: 4fd0368a5c08dffe2002474254e3298a
- SHA1: 80f73eca064862aeb0f52081c84bbfddcaa8b438
- SHA256: aaabe3e2839e20b546e0ff144043ec6d185e82163554ef1b7c417e9032709e87
- SHA512: bc194d42969a2bb4801ac26e66bb6a1d8a03f8ef6d89c43e7ab427af1deb335931b580deea376e5b63f6a1d337367cbe18389bd53ad3a9574d0ae1138dd18c19
- SSDEEP: 12288:nV/V1niLrRIRkB9sauAmApRCz7XaV7DxJpLRQ+bq5:58dIRkBjuLApYQjDFm
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid | Process
  2080 | bEgEjMa07000.exe
- Loads dropped DLL (2 IoCs)
  pid | Process
  2180 | 4fd0368a5c08dffe2002474254e3298a.exe
  2180 | 4fd0368a5c08dffe2002474254e3298a.exe
- resource | yara_rule
  behavioral1/memory/2180-1-0x0000000000400000-0x00000000004B9000-memory.dmp | upx
  behavioral1/memory/2080-16-0x0000000000400000-0x00000000004B9000-memory.dmp | upx
  behavioral1/memory/2180-21-0x0000000000400000-0x00000000004B9000-memory.dmp | upx
  behavioral1/memory/2080-22-0x0000000000400000-0x00000000004B9000-memory.dmp | upx
  behavioral1/memory/2080-39-0x0000000000400000-0x00000000004B9000-memory.dmp | upx
  behavioral1/memory/2180-54-0x0000000000400000-0x00000000004B9000-memory.dmp | upx
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2180 | 4fd0368a5c08dffe2002474254e3298a.exe
  Token: SeDebugPrivilege | 2080 | bEgEjMa07000.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 2180 wrote to memory of 2080 | 2180 | 4fd0368a5c08dffe2002474254e3298a.exe | 28
  PID 2180 wrote to memory of 2080 | 2180 | 4fd0368a5c08dffe2002474254e3298a.exe | 28
  PID 2180 wrote to memory of 2080 | 2180 | 4fd0368a5c08dffe2002474254e3298a.exe | 28
  PID 2180 wrote to memory of 2080 | 2180 | 4fd0368a5c08dffe2002474254e3298a.exe | 28
Processes
- C:\Users\Admin\AppData\Local\Temp\4fd0368a5c08dffe2002474254e3298a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4fd0368a5c08dffe2002474254e3298a.exe"
  PID: 2180
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child process: C:\ProgramData\bEgEjMa07000\bEgEjMa07000.exe
    Command line: "C:\ProgramData\bEgEjMa07000\bEgEjMa07000.exe" "C:\Users\Admin\AppData\Local\Temp\4fd0368a5c08dffe2002474254e3298a.exe"
    PID: 2080
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 59KB
  MD5: 85e65ffd04ebe372ebb6de97dfe4a5b0
  SHA1: e53dd89e5b4fc9f2851c1a4c5aee2d0e788f6163
  SHA256: cd382a98902204af66c117604f49882e21ccabfe4bd44e6af6a0fcc95698e223
  SHA512: 6dd1fd4d55563c22d0ec00faffd2e590aa478e95c34cbf30ba90d054da8f96ed02b76383c69c9c73f868c665b477b01337ea885025a0d740f73334e8303eace5
- Filesize: 108KB
  MD5: 4af148896ad8510c1ce4ddc4f66484f4
  SHA1: 9c1a22850c65bf4fdba00af3dc40943f8673a74c
  SHA256: 220e0823d0525ad4afedccf1c1c3ed4ddc1df1bc81a319eca03ddac4435b8b8a
  SHA512: 41c769111f1ed50daf316bdd3a6c5f29a7d208bbc82641b730007b4a4c2c634f3b980531f1f8df0fd845ed801b71b5353930c8423ab1c15d87ae4ec477fc9be0
- Filesize: 52KB
  MD5: 2745bde27b6c1b0e5b7b5358219320a6
  SHA1: 250d09e18bdcf4265d1e915bc3f196f96de80920
  SHA256: 539a150c439bf245bc2a668358bc99602f044d14fd4106709c2a132d07bca5cd
  SHA512: 5f49b37628f0c8ae2b3406e22561020ec3a5674cb4bd577ce13b80f38fc064a9a64401a354131ec6f40044da5fc1e308c267f7631e9ba6ff934ef824d73a63f1
- Filesize: 19KB
  MD5: 8ca4098a64a8896b0071c0ed81b18172
  SHA1: 25ab1f7df7151163c1678fca98fbc160f75b022b
  SHA256: 748086bb4c088a067f5f56f9c65de1f95af0e8464244092436fc73d64dbb8fc1
  SHA512: 42605a49c4602c5ecabaa49addb35f4c84f307d5fc1bb5b57b0433d23ab2df162c1ef2a4d75f8b77cc4a41f58b0313f0c7713f00d4bf76ad79ebcb1566dbba95
- Filesize: 64KB
  MD5: 0e33f8638b51051ce792a2e56e3e53a1
  SHA1: ee216451f301424b1fa388ac1054d12a95a5c4b8
  SHA256: f4f77ac5aa6346cfd367787751789b468e645d6f6053d4ee99cc8da8ea2d07a8
  SHA512: 9ea1da584fd9effdf41458df309ceeb5e8350cf780553ddcae719b05172a17c18825d7d77e7a5fe6e8c5411220d9b2c5222675779ea9bfd1ca71332ef0fb5092