1a24bac6e985aa1097c14630dc9b42da6d6898b9e5b8b250854c832462b89b8d

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
18/01/2024, 11:01

Target

65358c0c0b6572523d0154d8f48fe236.exe
Size

107KB
MD5

65358c0c0b6572523d0154d8f48fe236
SHA1

df60889bc0b2272fd66e326e7f35b8d8b0bec538
SHA256

1a24bac6e985aa1097c14630dc9b42da6d6898b9e5b8b250854c832462b89b8d
SHA512

acd682b379217c5afe4158d46c0e80ec3d53728be94a08e86e1750c8b69c9223c3c7c00e9fc58f11b6813ba665e86f31aef047be7292f276af1ae3ce4fa6571c
SSDEEP

1536:V2FBXSRWML2mVFKYLBTbRFZTricVFgTrCrMxTxBNci6BjuTJ4hfjYUidTgjrOKw7:VWARWMamGwVTVFT4TrCqTJ4hRi5geKw7

Score

7^/10

Loads dropped DLL 1 IoCs

pid	Process
628	65358c0c0b6572523d0154d8f48fe236.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\lfsjgf.cfg	65358c0c0b6572523d0154d8f48fe236.exe
File opened for modification	C:\Windows\SysWOW64\lfsjgf.dll	65358c0c0b6572523d0154d8f48fe236.exe
File created	C:\Windows\SysWOW64\lfsjgf.dll	65358c0c0b6572523d0154d8f48fe236.exe
File created	C:\Windows\SysWOW64\terple.sys	65358c0c0b6572523d0154d8f48fe236.exe
File created	C:\Windows\SysWOW64\sperls.dll	65358c0c0b6572523d0154d8f48fe236.exe
File opened for modification	C:\Windows\SysWOW64\sperls.dll	65358c0c0b6572523d0154d8f48fe236.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	628	65358c0c0b6572523d0154d8f48fe236.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 628 wrote to memory of 3596	628	65358c0c0b6572523d0154d8f48fe236.exe	48
PID 628 wrote to memory of 440	628	65358c0c0b6572523d0154d8f48fe236.exe	94
PID 628 wrote to memory of 440	628	65358c0c0b6572523d0154d8f48fe236.exe	94
PID 628 wrote to memory of 440	628	65358c0c0b6572523d0154d8f48fe236.exe	94

C:\Users\Admin\AppData\Local\Temp\65358c0c0b6572523d0154d8f48fe236.exe
"C:\Users\Admin\AppData\Local\Temp\65358c0c0b6572523d0154d8f48fe236.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:628
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\65358c0c0b6572523d0154d8f48fe236.exe"
  2⤵
  PID:440

C:\Windows\SysWOW64\lfsjgf.dll

Filesize
267KB

MD5
57563061db9d87d2ca9efd998b0bf453

SHA1
98e2da431d25ce28045a81d0a582e673ee60d849

SHA256
53bf5df4ff7713c42c945333923f5dd3cb0869bcfb59ad213a51f409656d19e6

SHA512
5c100b4cab5a4962b318fbae7e7ce6a50db5c8b257801f8ac41705e223d5c8bc34fc4e8e486ca1f4ed6f2ac82f3ec86b3617c68ea8f5dcdc74f6235c1c6b5360

Download Submit
memory/628-0-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download