Analysis
- max time kernel: 144s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-01-2024 11:42
Behavioral task: behavioral1
- Sample: 749d79c0ef193b24b2a68c9d0ca549fb.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 749d79c0ef193b24b2a68c9d0ca549fb.exe
- Resource: win10v2004-20231222-en
General
- Target: 749d79c0ef193b24b2a68c9d0ca549fb.exe
- Size: 19KB
- MD5: 749d79c0ef193b24b2a68c9d0ca549fb
- SHA1: 0dd214a241660a25fbe63ebbe345c6bf60183fff
- SHA256: 7407c3f7835868fc442546aca2c06ebb8c7d715e9188a7b7af09622b0aa38bb7
- SHA512: eff7d461ec20811c619868360b3b477522b909dd410359b1a637d0a78d347f2c4aaa5b95003239186091766382066f799ebe3f0d2687f7580accd4624dbe77e9
- SSDEEP: 384:A7ztciLzKXbi4EZtHZEEqeqLEGSCVXq8MhlH5:Sci3KXbcZt5xqer9Cw8qZ
Malware Config
Signatures
- Loads dropped DLL (1 IoC)
  pid  | Process
  3760 | 749d79c0ef193b24b2a68c9d0ca549fb.exe
- yara_rule matches
  resource                                                                    | yara_rule
  behavioral2/memory/3760-0-0x0000000000400000-0x0000000000413000-memory.dmp  | upx
  behavioral2/memory/3760-15-0x0000000000400000-0x0000000000413000-memory.dmp | upx
- Drops file in System32 directory (7 IoCs)
  description                  | ioc                                  | Process
  File created                 | C:\Windows\SysWOW64\gjbhr.dll        | 749d79c0ef193b24b2a68c9d0ca549fb.exe
  File opened for modification | C:\Windows\SysWOW64\gjbhr.dll        | 749d79c0ef193b24b2a68c9d0ca549fb.exe
  File opened for modification | C:\Windows\SysWOW64\lariytrz.cfg     | 749d79c0ef193b24b2a68c9d0ca549fb.exe
  File opened for modification | C:\Windows\SysWOW64\lariytrz.dll     | 749d79c0ef193b24b2a68c9d0ca549fb.exe
  File created                 | C:\Windows\SysWOW64\lariytrz.dll     | 749d79c0ef193b24b2a68c9d0ca549fb.exe
  File created                 | C:\Windows\SysWOW64\hjk.dll          | 749d79c0ef193b24b2a68c9d0ca549fb.exe
  File opened for modification | C:\Windows\SysWOW64\hjk.dll          | 749d79c0ef193b24b2a68c9d0ca549fb.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs; all 64 entries are identical)
  pid  | Process
  3760 | 749d79c0ef193b24b2a68c9d0ca549fb.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs; all 4 entries are identical)
  description              | pid  | Process
  Token: SeDebugPrivilege  | 3760 | 749d79c0ef193b24b2a68c9d0ca549fb.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  description                     | pid  | Process                              | procid_target
  PID 3760 wrote to memory of 3436 | 3760 | 749d79c0ef193b24b2a68c9d0ca549fb.exe | 63
  PID 3760 wrote to memory of 3436 | 3760 | 749d79c0ef193b24b2a68c9d0ca549fb.exe | 63
  PID 3760 wrote to memory of 1752 | 3760 | 749d79c0ef193b24b2a68c9d0ca549fb.exe | 24
  PID 3760 wrote to memory of 1752 | 3760 | 749d79c0ef193b24b2a68c9d0ca549fb.exe | 24
  PID 3760 wrote to memory of 4900 | 3760 | 749d79c0ef193b24b2a68c9d0ca549fb.exe | 88
  PID 3760 wrote to memory of 4900 | 3760 | 749d79c0ef193b24b2a68c9d0ca549fb.exe | 88
  PID 3760 wrote to memory of 4900 | 3760 | 749d79c0ef193b24b2a68c9d0ca549fb.exe | 88
Processes
- [depth 1] C:\Windows\System32\spoolsv.exe
  command line: C:\Windows\System32\spoolsv.exe
  PID: 1752
- [depth 1] C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 3436
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\749d79c0ef193b24b2a68c9d0ca549fb.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\749d79c0ef193b24b2a68c9d0ca549fb.exe"
    PID: 3760
    signatures: Loads dropped DLL; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\749d79c0ef193b24b2a68c9d0ca549fb.exe"
      PID: 4900
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 36KB
- MD5: d10ebf3bd9a02f1b62758c90f128e431
- SHA1: 976e62f2a874bc452046157dfbe615a5c3a6f093
- SHA256: fe8c91b76d6294518c52dbba1f3af5829316bfd25c5b23b81380015f891837a7
- SHA512: ff856c6684659075b07dc9a584a55243877b3bae813757053454b1908fb8765827b6f910a4d7b8ced44e566fdbbd3b59ade378d16c7510138b60875e9a3c8390