95b6152a0b1def35e594162d42f00d5f1f09baeb155b96c23661fd08b6b1d462

Analysis

max time kernel
141s
max time network
145s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24/01/2024, 21:08

Target

72dc26bc38fedd86606e13e7c2015c2d.exe
Size

8KB
MD5

72dc26bc38fedd86606e13e7c2015c2d
SHA1

afbb8d273e46083b574f984823ecd82c0718c126
SHA256

95b6152a0b1def35e594162d42f00d5f1f09baeb155b96c23661fd08b6b1d462
SHA512

361a5700861e58c4873994c325b81cc9cedd15996746c581cc37e2cff9004ba1c36cc3941f62a9ab2b18d88a2729a4658ea5b4b333955001f819809d8929d728
SSDEEP

192:rLTXi8BFu6WPzD0pgEhnordBxBMBg3y/94KD9Vm3fYLlL4B:vTfFu6s6hoZBD13y/9/kfY5i

Score

7^/10

Deletes itself 1 IoCs

pid	Process
2676	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2412	72dc26bc38fedd86606e13e7c2015c2d.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\72dc26bc38fedd86606e13e7c2015c2d.exe	72dc26bc38fedd86606e13e7c2015c2d.exe
File opened for modification	C:\Windows\SysWOW64\72dc26bc38fedd86606e13e7c2015c2d.exe	72dc26bc38fedd86606e13e7c2015c2d.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2124	72dc26bc38fedd86606e13e7c2015c2d.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 2676	2124	72dc26bc38fedd86606e13e7c2015c2d.exe	29
PID 2124 wrote to memory of 2676	2124	72dc26bc38fedd86606e13e7c2015c2d.exe	29
PID 2124 wrote to memory of 2676	2124	72dc26bc38fedd86606e13e7c2015c2d.exe	29
PID 2124 wrote to memory of 2676	2124	72dc26bc38fedd86606e13e7c2015c2d.exe	29

C:\Users\Admin\AppData\Local\Temp\72dc26bc38fedd86606e13e7c2015c2d.exe
"C:\Users\Admin\AppData\Local\Temp\72dc26bc38fedd86606e13e7c2015c2d.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\72DC26~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2676

C:\Windows\SysWOW64\72dc26bc38fedd86606e13e7c2015c2d.exe
C:\Windows\SysWOW64\72dc26bc38fedd86606e13e7c2015c2d.exe
1⤵
- Executes dropped EXE
PID:2412

C:\Windows\SysWOW64\72dc26bc38fedd86606e13e7c2015c2d.exe

Filesize
8KB

MD5
72dc26bc38fedd86606e13e7c2015c2d

SHA1
afbb8d273e46083b574f984823ecd82c0718c126

SHA256
95b6152a0b1def35e594162d42f00d5f1f09baeb155b96c23661fd08b6b1d462

SHA512
361a5700861e58c4873994c325b81cc9cedd15996746c581cc37e2cff9004ba1c36cc3941f62a9ab2b18d88a2729a4658ea5b4b333955001f819809d8929d728

Download Submit
memory/2124-0-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2124-4-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2412-3-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2412-5-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download