bdc3c1553bbc7656e1b1337b116c64ad5d3c6e92b9c59a88e8695c08cbd1a96e

Analysis

max time kernel
121s
max time network
138s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12/01/2024, 07:03

Target

55cc21ce1beae463a4a6a9c9296e29b8.exe
Size

27KB
MD5

55cc21ce1beae463a4a6a9c9296e29b8
SHA1

9ffa06a816471e53253f4403ecf254b3c61b4107
SHA256

bdc3c1553bbc7656e1b1337b116c64ad5d3c6e92b9c59a88e8695c08cbd1a96e
SHA512

5703e67e392fc670ebcad5431dbc966bc38e3fbe3003021bf9324e7da0e1c65f92dea81201910fcd7d77bd69b0ce3aad14ed5f353aa148a37e52fa558cd48241
SSDEEP

768:G8aKH1BMPGjlqVg19YILWjujkfEwAXKGomAoli3Lb:yKH1B0Gjlag17Wk2Ew2KG1A33n

Score

7^/10

Loads dropped DLL 1 IoCs

pid	Process
1940	regsvr32.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\t329155.ini	55cc21ce1beae463a4a6a9c9296e29b8.exe
File created	C:\Windows\SysWOW64\rpcss.dll	regsvr32.exe
File opened for modification	C:\Windows\SysWOW64\rpcss.dll	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1636	55cc21ce1beae463a4a6a9c9296e29b8.exe
1636	55cc21ce1beae463a4a6a9c9296e29b8.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1940	regsvr32.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1636 wrote to memory of 2284	1636	55cc21ce1beae463a4a6a9c9296e29b8.exe	14
PID 1636 wrote to memory of 2284	1636	55cc21ce1beae463a4a6a9c9296e29b8.exe	14
PID 1636 wrote to memory of 2284	1636	55cc21ce1beae463a4a6a9c9296e29b8.exe	14
PID 1636 wrote to memory of 2284	1636	55cc21ce1beae463a4a6a9c9296e29b8.exe	14
PID 2284 wrote to memory of 1940	2284	cmd.exe	17
PID 2284 wrote to memory of 1940	2284	cmd.exe	17
PID 2284 wrote to memory of 1940	2284	cmd.exe	17
PID 2284 wrote to memory of 1940	2284	cmd.exe	17
PID 2284 wrote to memory of 1940	2284	cmd.exe	17
PID 2284 wrote to memory of 1940	2284	cmd.exe	17
PID 2284 wrote to memory of 1940	2284	cmd.exe	17

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\system32\regsvr32.exe /s "C:\Users\Admin\AppData\Local\Temp\~~f768a45.~~~" ,C:\Users\Admin\AppData\Local\Temp\55cc21ce1beae463a4a6a9c9296e29b8.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2284
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /s "C:\Users\Admin\AppData\Local\Temp\~~f768a45.~~~" ,C:\Users\Admin\AppData\Local\Temp\55cc21ce1beae463a4a6a9c9296e29b8.exe
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:1940

C:\Users\Admin\AppData\Local\Temp\~~f768a45.~~~

Filesize
37KB

MD5
f68e834484cc7cc357322a54f883a4c2

SHA1
dc660aabf2c7fd56020f95771ec58a50efa51fd6

SHA256
d3396f8ebce6244ee04368c6955730897106bf0c2b2b6da4742285f14c60727d

SHA512
518c6167a70a6db5e02e0c95e9c33cc9872e0528760d005ea97b856bd32729604f32a75542646b3e13c903e7ee71e465526c5e91a4865b3dc0b144dd3fba6ef5

Download Submit
\Users\Admin\AppData\Local\Temp\~~f768a45.~~~

Filesize
103KB

MD5
34f9a7928f233544452a11bd5c4e7ffb

SHA1
92cedf78118cc4f768cf6d18865b74f77c42db64

SHA256
ec6757a5baddf79bd90a839eaae12c9db63d043d3db1e8edb91ff2761e70d12d

SHA512
63213c2d858bfe559af164b49486af9d5fa6cdb1bc34c08dcde5a40a7b18d2e8af0032293da60cec625fa86f4963a25c8ef0d13efcef48d948f885ce91828ff2

Download Submit