117efa1241dfc7e4763d7aa1c31ceeacc37a8e98edc5487d92e2e1f0036d251d

Analysis

max time kernel
117s
max time network
117s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
19/01/2024, 14:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

67da18dc4d3fea8065172205c8631180.exe
Size

163KB
MD5

67da18dc4d3fea8065172205c8631180
SHA1

6f0165d47e6d611d56cc9d27fef0c031ca3f8af6
SHA256

117efa1241dfc7e4763d7aa1c31ceeacc37a8e98edc5487d92e2e1f0036d251d
SHA512

d8c70b874dd8d8f3f0d7176aa29f4d476903e997f557b76fb299b1741643f9aa480a29310cbb6440d9634713ecd2dc13546e3d929913011493e7fd75cf5d0e33
SSDEEP

3072:ONCWi6oqnDtL+qvFuhjpGbpV4kHs2vh6F5k/TxjOSl6J:qCuEvF50Vja

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3028	67da18dc4d3fea8065172205c8631180.exe

Suspicious behavior: MapViewOfSection 21 IoCs

pid	Process
3028	67da18dc4d3fea8065172205c8631180.exe
3028	67da18dc4d3fea8065172205c8631180.exe
3028	67da18dc4d3fea8065172205c8631180.exe
3028	67da18dc4d3fea8065172205c8631180.exe
3028	67da18dc4d3fea8065172205c8631180.exe
3028	67da18dc4d3fea8065172205c8631180.exe
3028	67da18dc4d3fea8065172205c8631180.exe
3028	67da18dc4d3fea8065172205c8631180.exe
3028	67da18dc4d3fea8065172205c8631180.exe
3028	67da18dc4d3fea8065172205c8631180.exe
3028	67da18dc4d3fea8065172205c8631180.exe
3028	67da18dc4d3fea8065172205c8631180.exe
3028	67da18dc4d3fea8065172205c8631180.exe
3028	67da18dc4d3fea8065172205c8631180.exe
3028	67da18dc4d3fea8065172205c8631180.exe
3028	67da18dc4d3fea8065172205c8631180.exe
3028	67da18dc4d3fea8065172205c8631180.exe
3028	67da18dc4d3fea8065172205c8631180.exe
3028	67da18dc4d3fea8065172205c8631180.exe
3028	67da18dc4d3fea8065172205c8631180.exe
3028	67da18dc4d3fea8065172205c8631180.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3028	67da18dc4d3fea8065172205c8631180.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 384	3028	67da18dc4d3fea8065172205c8631180.exe	25
PID 3028 wrote to memory of 384	3028	67da18dc4d3fea8065172205c8631180.exe	25
PID 3028 wrote to memory of 384	3028	67da18dc4d3fea8065172205c8631180.exe	25
PID 3028 wrote to memory of 384	3028	67da18dc4d3fea8065172205c8631180.exe	25
PID 3028 wrote to memory of 384	3028	67da18dc4d3fea8065172205c8631180.exe	25
PID 3028 wrote to memory of 384	3028	67da18dc4d3fea8065172205c8631180.exe	25
PID 3028 wrote to memory of 384	3028	67da18dc4d3fea8065172205c8631180.exe	25
PID 3028 wrote to memory of 396	3028	67da18dc4d3fea8065172205c8631180.exe	24
PID 3028 wrote to memory of 396	3028	67da18dc4d3fea8065172205c8631180.exe	24
PID 3028 wrote to memory of 396	3028	67da18dc4d3fea8065172205c8631180.exe	24
PID 3028 wrote to memory of 396	3028	67da18dc4d3fea8065172205c8631180.exe	24
PID 3028 wrote to memory of 396	3028	67da18dc4d3fea8065172205c8631180.exe	24
PID 3028 wrote to memory of 396	3028	67da18dc4d3fea8065172205c8631180.exe	24
PID 3028 wrote to memory of 396	3028	67da18dc4d3fea8065172205c8631180.exe	24
PID 3028 wrote to memory of 432	3028	67da18dc4d3fea8065172205c8631180.exe	23
PID 3028 wrote to memory of 432	3028	67da18dc4d3fea8065172205c8631180.exe	23
PID 3028 wrote to memory of 432	3028	67da18dc4d3fea8065172205c8631180.exe	23
PID 3028 wrote to memory of 432	3028	67da18dc4d3fea8065172205c8631180.exe	23
PID 3028 wrote to memory of 432	3028	67da18dc4d3fea8065172205c8631180.exe	23
PID 3028 wrote to memory of 432	3028	67da18dc4d3fea8065172205c8631180.exe	23
PID 3028 wrote to memory of 432	3028	67da18dc4d3fea8065172205c8631180.exe	23
PID 3028 wrote to memory of 476	3028	67da18dc4d3fea8065172205c8631180.exe	22
PID 3028 wrote to memory of 476	3028	67da18dc4d3fea8065172205c8631180.exe	22
PID 3028 wrote to memory of 476	3028	67da18dc4d3fea8065172205c8631180.exe	22
PID 3028 wrote to memory of 476	3028	67da18dc4d3fea8065172205c8631180.exe	22
PID 3028 wrote to memory of 476	3028	67da18dc4d3fea8065172205c8631180.exe	22
PID 3028 wrote to memory of 476	3028	67da18dc4d3fea8065172205c8631180.exe	22
PID 3028 wrote to memory of 476	3028	67da18dc4d3fea8065172205c8631180.exe	22
PID 3028 wrote to memory of 492	3028	67da18dc4d3fea8065172205c8631180.exe	21
PID 3028 wrote to memory of 492	3028	67da18dc4d3fea8065172205c8631180.exe	21
PID 3028 wrote to memory of 492	3028	67da18dc4d3fea8065172205c8631180.exe	21
PID 3028 wrote to memory of 492	3028	67da18dc4d3fea8065172205c8631180.exe	21
PID 3028 wrote to memory of 492	3028	67da18dc4d3fea8065172205c8631180.exe	21
PID 3028 wrote to memory of 492	3028	67da18dc4d3fea8065172205c8631180.exe	21
PID 3028 wrote to memory of 492	3028	67da18dc4d3fea8065172205c8631180.exe	21
PID 3028 wrote to memory of 500	3028	67da18dc4d3fea8065172205c8631180.exe	20
PID 3028 wrote to memory of 500	3028	67da18dc4d3fea8065172205c8631180.exe	20
PID 3028 wrote to memory of 500	3028	67da18dc4d3fea8065172205c8631180.exe	20
PID 3028 wrote to memory of 500	3028	67da18dc4d3fea8065172205c8631180.exe	20
PID 3028 wrote to memory of 500	3028	67da18dc4d3fea8065172205c8631180.exe	20
PID 3028 wrote to memory of 500	3028	67da18dc4d3fea8065172205c8631180.exe	20
PID 3028 wrote to memory of 500	3028	67da18dc4d3fea8065172205c8631180.exe	20
PID 3028 wrote to memory of 600	3028	67da18dc4d3fea8065172205c8631180.exe	19
PID 3028 wrote to memory of 600	3028	67da18dc4d3fea8065172205c8631180.exe	19
PID 3028 wrote to memory of 600	3028	67da18dc4d3fea8065172205c8631180.exe	19
PID 3028 wrote to memory of 600	3028	67da18dc4d3fea8065172205c8631180.exe	19
PID 3028 wrote to memory of 600	3028	67da18dc4d3fea8065172205c8631180.exe	19
PID 3028 wrote to memory of 600	3028	67da18dc4d3fea8065172205c8631180.exe	19
PID 3028 wrote to memory of 600	3028	67da18dc4d3fea8065172205c8631180.exe	19
PID 3028 wrote to memory of 676	3028	67da18dc4d3fea8065172205c8631180.exe	18
PID 3028 wrote to memory of 676	3028	67da18dc4d3fea8065172205c8631180.exe	18
PID 3028 wrote to memory of 676	3028	67da18dc4d3fea8065172205c8631180.exe	18
PID 3028 wrote to memory of 676	3028	67da18dc4d3fea8065172205c8631180.exe	18
PID 3028 wrote to memory of 676	3028	67da18dc4d3fea8065172205c8631180.exe	18
PID 3028 wrote to memory of 676	3028	67da18dc4d3fea8065172205c8631180.exe	18
PID 3028 wrote to memory of 676	3028	67da18dc4d3fea8065172205c8631180.exe	18
PID 3028 wrote to memory of 760	3028	67da18dc4d3fea8065172205c8631180.exe	17
PID 3028 wrote to memory of 760	3028	67da18dc4d3fea8065172205c8631180.exe	17
PID 3028 wrote to memory of 760	3028	67da18dc4d3fea8065172205c8631180.exe	17
PID 3028 wrote to memory of 760	3028	67da18dc4d3fea8065172205c8631180.exe	17
PID 3028 wrote to memory of 760	3028	67da18dc4d3fea8065172205c8631180.exe	17
PID 3028 wrote to memory of 760	3028	67da18dc4d3fea8065172205c8631180.exe	17
PID 3028 wrote to memory of 760	3028	67da18dc4d3fea8065172205c8631180.exe	17
PID 3028 wrote to memory of 816	3028	67da18dc4d3fea8065172205c8631180.exe	16

C:\Users\Admin\AppData\Local\Temp\67da18dc4d3fea8065172205c8631180.exe
"C:\Users\Admin\AppData\Local\Temp\67da18dc4d3fea8065172205c8631180.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3028

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
1⤵
PID:2156

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
1⤵
PID:1036

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2312

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1352

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1312

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1232

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
1⤵
PID:340

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:976

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
1⤵
PID:296

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
1⤵
PID:988

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:848

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
1⤵
PID:816

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:760

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
1⤵
PID:676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
PID:600

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:500

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:492

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:476

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:396

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:384

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3028-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3028-1-0x00000000001C0000-0x00000000001ED000-memory.dmp

Filesize
180KB

Download
memory/3028-2-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download