a80493dc9447905331dbae9e82b43829a3ec91ae5e84f153717caf101fa8252e

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
11/01/2024, 10:57

Target

vcodec.exe
Size

17KB
MD5

45555252350271fb0d196aa9225f1632
SHA1

e8eea8cf8c23ed0194dde6252e958cf731689f0c
SHA256

c4e29183a4f3841431efa073ad07c073da8eee0ceb7002be12d6e3ae0a5238bc
SHA512

4bdb580d8584b9e836356c11557167650482ff2964d0e5eff4d25240c35920028ee59fd6fca315228859717761fe6156f0d53c6698294e60f6adf138ba37c5c5
SSDEEP

384:+OZgLkjxvVuCuZuCY8eVy0hQiUgLHekO0tXkdqZ8pOOpm9IJBQYb8:+wPjneY810b/CkO0Nk8Z2OOpmKBQYb8

Score

7^/10

Deletes itself 1 IoCs

pid	Process
2744	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
860	mscornet.exe

Loads dropped DLL 2 IoCs

pid	Process
2220	vcodec.exe
2220	vcodec.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\mscornet.exe	vcodec.exe
File created	C:\Windows\SysWOW64\ld39E5.tmp	mscornet.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
860	mscornet.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2220	vcodec.exe
Token: SeIncBasePriorityPrivilege	2220	vcodec.exe
Token: SeDebugPrivilege	860	mscornet.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2220	vcodec.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 860	2220	vcodec.exe	28
PID 2220 wrote to memory of 860	2220	vcodec.exe	28
PID 2220 wrote to memory of 860	2220	vcodec.exe	28
PID 2220 wrote to memory of 860	2220	vcodec.exe	28
PID 2220 wrote to memory of 2744	2220	vcodec.exe	29
PID 2220 wrote to memory of 2744	2220	vcodec.exe	29
PID 2220 wrote to memory of 2744	2220	vcodec.exe	29
PID 2220 wrote to memory of 2744	2220	vcodec.exe	29
PID 860 wrote to memory of 420	860	mscornet.exe	23

C:\Users\Admin\AppData\Local\Temp\vcodec.exe
"C:\Users\Admin\AppData\Local\Temp\vcodec.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Windows\SysWOW64\mscornet.exe
  C:\Windows\system32\mscornet.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:860
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\vcodec.exe > nul
  2⤵
  - Deletes itself
  PID:2744

\Windows\SysWOW64\mscornet.exe

Filesize
14KB

MD5
b822a4882fa96fbd0c45db60cdcaae14

SHA1
17cf6ba010a864758a32704a58b11b893f78c4ac

SHA256
6c12a8bca37a2722ba7c56c3566dd971b0ce9508d9db7788cee20ee27776adf1

SHA512
a749f5c259e137a292efb616cc847b67cdb833247ccc53cfef8762cff52004429043d60dbefffa04bd58a1bfb5e47936be56490d807e3f6e6916fca717894613

Download Submit
memory/420-9-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download