78e1b7734a74a9aecc45334d34d750e53523c5c99a855066d0e36aba29753011 | Triage

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
25-01-2024 16:44

Sharing

Report Analysis Logs

General

Target

74fffc33648d3f6da249d0ce61d17f2f.exe
Size

21KB
MD5

74fffc33648d3f6da249d0ce61d17f2f
SHA1

925c03dbb036852995de31c19afe819336e62374
SHA256

78e1b7734a74a9aecc45334d34d750e53523c5c99a855066d0e36aba29753011
SHA512

7333d9fbb8e6654b4281949117e81a4ffd05de6336d4011d24343e7e75860b1e6d3010e4a6c2613aa3db300c1fbf5713f8a3eb61dcdc8e96731a9b4cc4c96969
SSDEEP

384:/syLKhQKLpFGANNQOgQuP0ACk7UqZ1esjYE0W:/syLKDF1NNQOFu44UKe

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2552 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

Wdost.exe

pid process

3068 Wdost.exe
Loads dropped DLL 2 IoCs

Processes:

74fffc33648d3f6da249d0ce61d17f2f.exe

pid process

2996 74fffc33648d3f6da249d0ce61d17f2f.exe
2996 74fffc33648d3f6da249d0ce61d17f2f.exe

Drops file in System32 directory 3 IoCs

Processes:

74fffc33648d3f6da249d0ce61d17f2f.exeWdost.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Wdost.exe	74fffc33648d3f6da249d0ce61d17f2f.exe
File opened for modification	C:\Windows\SysWOW64\Wdost.exe	74fffc33648d3f6da249d0ce61d17f2f.exe
File created	C:\Windows\SysWOW64\Wdost.exe	Wdost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

74fffc33648d3f6da249d0ce61d17f2f.exeWdost.exe

description pid process

Token: SeIncBasePriorityPrivilege 2996 74fffc33648d3f6da249d0ce61d17f2f.exe
Token: SeIncBasePriorityPrivilege 3068 Wdost.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

74fffc33648d3f6da249d0ce61d17f2f.exeWdost.exe

description	pid	process	target process
PID 2996 wrote to memory of 3068	2996	74fffc33648d3f6da249d0ce61d17f2f.exe	Wdost.exe
PID 2996 wrote to memory of 3068	2996	74fffc33648d3f6da249d0ce61d17f2f.exe	Wdost.exe
PID 2996 wrote to memory of 3068	2996	74fffc33648d3f6da249d0ce61d17f2f.exe	Wdost.exe
PID 2996 wrote to memory of 3068	2996	74fffc33648d3f6da249d0ce61d17f2f.exe	Wdost.exe
PID 2996 wrote to memory of 2552	2996	74fffc33648d3f6da249d0ce61d17f2f.exe	cmd.exe
PID 2996 wrote to memory of 2552	2996	74fffc33648d3f6da249d0ce61d17f2f.exe	cmd.exe
PID 2996 wrote to memory of 2552	2996	74fffc33648d3f6da249d0ce61d17f2f.exe	cmd.exe
PID 2996 wrote to memory of 2552	2996	74fffc33648d3f6da249d0ce61d17f2f.exe	cmd.exe
PID 3068 wrote to memory of 2832	3068	Wdost.exe	cmd.exe
PID 3068 wrote to memory of 2832	3068	Wdost.exe	cmd.exe
PID 3068 wrote to memory of 2832	3068	Wdost.exe	cmd.exe
PID 3068 wrote to memory of 2832	3068	Wdost.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\74fffc33648d3f6da249d0ce61d17f2f.exe
"C:\Users\Admin\AppData\Local\Temp\74fffc33648d3f6da249d0ce61d17f2f.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2996

C:\Windows\SysWOW64\Wdost.exe
"C:\Windows\system32\Wdost.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\Wdost.exe > nul
3⤵
PID:2832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\74FFFC~1.EXE > nul
2⤵
- Deletes itself
PID:2552

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\Wdost.exe
Filesize
21KB

MD5
74fffc33648d3f6da249d0ce61d17f2f

SHA1
925c03dbb036852995de31c19afe819336e62374

SHA256
78e1b7734a74a9aecc45334d34d750e53523c5c99a855066d0e36aba29753011

SHA512
7333d9fbb8e6654b4281949117e81a4ffd05de6336d4011d24343e7e75860b1e6d3010e4a6c2613aa3db300c1fbf5713f8a3eb61dcdc8e96731a9b4cc4c96969

Download Submit