94b061369f9953e4e1389b2b350541067715f9c1640a4054610b76ffe2bd1904

Analysis

max time kernel
149s
max time network
138s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
18/01/2024, 17:12

Target

659494645c99d6bf0ccbce45a27c311d.exe
Size

30KB
MD5

659494645c99d6bf0ccbce45a27c311d
SHA1

7cf98664c348e2e3e37bd33727428043f477b75d
SHA256

94b061369f9953e4e1389b2b350541067715f9c1640a4054610b76ffe2bd1904
SHA512

e2cf3627372b3d2c097b45c25b8a2f0789e992762cfee56426bbc5826e1108a617b2bbe5564bf1900aac3a52b928037c894979c657f1012050f3257ea1e5e455
SSDEEP

384:UVOAa005VlVcDuSnjYE0Wiqkc7qOVGOTGekh:2N+vVcDuSkql7q1OTtkh

Score

7^/10

Deletes itself 1 IoCs

pid	Process
2200	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2992	svchcst.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\service.bak	svchcst.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\svchcst.exe	659494645c99d6bf0ccbce45a27c311d.exe
File opened for modification	C:\Windows\svchcst.exe	659494645c99d6bf0ccbce45a27c311d.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeRestorePrivilege	2992	svchcst.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 2992	2076	659494645c99d6bf0ccbce45a27c311d.exe	28
PID 2076 wrote to memory of 2992	2076	659494645c99d6bf0ccbce45a27c311d.exe	28
PID 2076 wrote to memory of 2992	2076	659494645c99d6bf0ccbce45a27c311d.exe	28
PID 2076 wrote to memory of 2992	2076	659494645c99d6bf0ccbce45a27c311d.exe	28
PID 2076 wrote to memory of 2200	2076	659494645c99d6bf0ccbce45a27c311d.exe	29
PID 2076 wrote to memory of 2200	2076	659494645c99d6bf0ccbce45a27c311d.exe	29
PID 2076 wrote to memory of 2200	2076	659494645c99d6bf0ccbce45a27c311d.exe	29
PID 2076 wrote to memory of 2200	2076	659494645c99d6bf0ccbce45a27c311d.exe	29

C:\Users\Admin\AppData\Local\Temp\659494645c99d6bf0ccbce45a27c311d.exe
"C:\Users\Admin\AppData\Local\Temp\659494645c99d6bf0ccbce45a27c311d.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Windows\svchcst.exe
  "C:\Windows\svchcst.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2992
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\\rs.bat C:\Users\Admin\AppData\Local\Temp\659494645c99d6bf0ccbce45a27c311d.exe
  2⤵
  - Deletes itself
  PID:2200

C:\Users\Admin\AppData\Local\Temp\rs.bat

Filesize
105B

MD5
c33c3bd528b74ef8e010cd3b5f3950aa

SHA1
c8fafd5f2a514aaf64259565aaae8d0450444be3

SHA256
4a9b066077e5b57aaf2d54e23c023ed6558b89d4955a0f94e5c39257ad7e9df8

SHA512
92e85b2a6ea5d06b9258f37ded20605807fd26ec3b402452e90cde26148f05b609f336e6844b92d0357e84ba462ba9acab7ea1ee3de1693b7955301f458e87c9

Download Submit
C:\Windows\svchcst.exe

Filesize
30KB

MD5
659494645c99d6bf0ccbce45a27c311d

SHA1
7cf98664c348e2e3e37bd33727428043f477b75d

SHA256
94b061369f9953e4e1389b2b350541067715f9c1640a4054610b76ffe2bd1904

SHA512
e2cf3627372b3d2c097b45c25b8a2f0789e992762cfee56426bbc5826e1108a617b2bbe5564bf1900aac3a52b928037c894979c657f1012050f3257ea1e5e455

Download Submit
memory/2076-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2076-8-0x00000000002B0000-0x00000000002BB000-memory.dmp

Filesize
44KB

Download
memory/2076-10-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2992-11-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download