49c2d49a522080c497f0c88e6d2a3fc7697251d8e5e8a6d90564d750490e975c

Analysis

max time kernel
141s
max time network
138s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
14-01-2024 11:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b204c96696a5e90f6ab477bdbd173a7.exe
Size

29KB
MD5

5b204c96696a5e90f6ab477bdbd173a7
SHA1

6a5dec1b90f0891df821164bcd6ff500f8248e14
SHA256

49c2d49a522080c497f0c88e6d2a3fc7697251d8e5e8a6d90564d750490e975c
SHA512

5032c7175775ad7c15eb3b3720f7ac4f5a217406dd47a911308eee7994f06452dc9d7b048a162caad921637b399d26685dcc2aa2d53594313b8c726a3048e7ba
SSDEEP

768:TT4pLslEgAopLDJhRmFs70tunbcuyD7UmN:TsFoEgAiDUF8Fnouy8q

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
808	5b204c96696a5e90f6ab477bdbd173a7.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\259409866.DLL	5b204c96696a5e90f6ab477bdbd173a7.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\rfdltecq\nfoifz.pif	5b204c96696a5e90f6ab477bdbd173a7.exe
File opened for modification	C:\Program Files (x86)\Common Files\rfdltecq\nfoifz.pif	5b204c96696a5e90f6ab477bdbd173a7.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}	5b204c96696a5e90f6ab477bdbd173a7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32\ = "C:\\Windows\\SysWow64\\259409866.DLL"	5b204c96696a5e90f6ab477bdbd173a7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32	5b204c96696a5e90f6ab477bdbd173a7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	5b204c96696a5e90f6ab477bdbd173a7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	5b204c96696a5e90f6ab477bdbd173a7.exe

Suspicious behavior: EnumeratesProcesses 63 IoCs

pid	Process
808	5b204c96696a5e90f6ab477bdbd173a7.exe
808	5b204c96696a5e90f6ab477bdbd173a7.exe
808	5b204c96696a5e90f6ab477bdbd173a7.exe
808	5b204c96696a5e90f6ab477bdbd173a7.exe
808	5b204c96696a5e90f6ab477bdbd173a7.exe
808	5b204c96696a5e90f6ab477bdbd173a7.exe
808	5b204c96696a5e90f6ab477bdbd173a7.exe
808	5b204c96696a5e90f6ab477bdbd173a7.exe
808	5b204c96696a5e90f6ab477bdbd173a7.exe
808	5b204c96696a5e90f6ab477bdbd173a7.exe
808	5b204c96696a5e90f6ab477bdbd173a7.exe
808	5b204c96696a5e90f6ab477bdbd173a7.exe
808	5b204c96696a5e90f6ab477bdbd173a7.exe
808	5b204c96696a5e90f6ab477bdbd173a7.exe
808	5b204c96696a5e90f6ab477bdbd173a7.exe
808	5b204c96696a5e90f6ab477bdbd173a7.exe
808	5b204c96696a5e90f6ab477bdbd173a7.exe
808	5b204c96696a5e90f6ab477bdbd173a7.exe
808	5b204c96696a5e90f6ab477bdbd173a7.exe
808	5b204c96696a5e90f6ab477bdbd173a7.exe
808	5b204c96696a5e90f6ab477bdbd173a7.exe
808	5b204c96696a5e90f6ab477bdbd173a7.exe
808	5b204c96696a5e90f6ab477bdbd173a7.exe
808	5b204c96696a5e90f6ab477bdbd173a7.exe
808	5b204c96696a5e90f6ab477bdbd173a7.exe
808	5b204c96696a5e90f6ab477bdbd173a7.exe
808	5b204c96696a5e90f6ab477bdbd173a7.exe
808	5b204c96696a5e90f6ab477bdbd173a7.exe
808	5b204c96696a5e90f6ab477bdbd173a7.exe
808	5b204c96696a5e90f6ab477bdbd173a7.exe
808	5b204c96696a5e90f6ab477bdbd173a7.exe
808	5b204c96696a5e90f6ab477bdbd173a7.exe
808	5b204c96696a5e90f6ab477bdbd173a7.exe
808	5b204c96696a5e90f6ab477bdbd173a7.exe
808	5b204c96696a5e90f6ab477bdbd173a7.exe
808	5b204c96696a5e90f6ab477bdbd173a7.exe
808	5b204c96696a5e90f6ab477bdbd173a7.exe
808	5b204c96696a5e90f6ab477bdbd173a7.exe
808	5b204c96696a5e90f6ab477bdbd173a7.exe
808	5b204c96696a5e90f6ab477bdbd173a7.exe
808	5b204c96696a5e90f6ab477bdbd173a7.exe
808	5b204c96696a5e90f6ab477bdbd173a7.exe
808	5b204c96696a5e90f6ab477bdbd173a7.exe
808	5b204c96696a5e90f6ab477bdbd173a7.exe
808	5b204c96696a5e90f6ab477bdbd173a7.exe
808	5b204c96696a5e90f6ab477bdbd173a7.exe
808	5b204c96696a5e90f6ab477bdbd173a7.exe
808	5b204c96696a5e90f6ab477bdbd173a7.exe
808	5b204c96696a5e90f6ab477bdbd173a7.exe
808	5b204c96696a5e90f6ab477bdbd173a7.exe
808	5b204c96696a5e90f6ab477bdbd173a7.exe
808	5b204c96696a5e90f6ab477bdbd173a7.exe
808	5b204c96696a5e90f6ab477bdbd173a7.exe
808	5b204c96696a5e90f6ab477bdbd173a7.exe
808	5b204c96696a5e90f6ab477bdbd173a7.exe
808	5b204c96696a5e90f6ab477bdbd173a7.exe
808	5b204c96696a5e90f6ab477bdbd173a7.exe
808	5b204c96696a5e90f6ab477bdbd173a7.exe
808	5b204c96696a5e90f6ab477bdbd173a7.exe
808	5b204c96696a5e90f6ab477bdbd173a7.exe
808	5b204c96696a5e90f6ab477bdbd173a7.exe
808	5b204c96696a5e90f6ab477bdbd173a7.exe
808	5b204c96696a5e90f6ab477bdbd173a7.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	808	5b204c96696a5e90f6ab477bdbd173a7.exe
Token: SeDebugPrivilege	808	5b204c96696a5e90f6ab477bdbd173a7.exe

C:\Users\Admin\AppData\Local\Temp\5b204c96696a5e90f6ab477bdbd173a7.exe
"C:\Users\Admin\AppData\Local\Temp\5b204c96696a5e90f6ab477bdbd173a7.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:808

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\259409866.DLL

Filesize
8.0MB

MD5
f4e93c77af9e45cd897abaf08c44efeb

SHA1
4eeb43953cf7383cda9dbf707493e5f5263aec27

SHA256
8503197c43ac08d7d7640e917f4dff34026aac414f4b9dd46f267d021ce1cd2f

SHA512
5f8a57bac5430b32671f2922938514c5eaa73c192efd3c5941603121ed7c9c535206cb49da72d327d4ccf95edc7655af86c392481368ae40608285698b5f4ce1

Download Submit
memory/808-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/808-5-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download