afa32cb20d9d6fc74e1e4c692084d5ad1ec19c9d60e70d6c8a07cd12f6efd14c

Analysis

max time kernel
122s
max time network
141s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
28/01/2024, 22:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7e2548d691ad809f5cf7edcfca759ccb.exe
Size

52KB
MD5

7e2548d691ad809f5cf7edcfca759ccb
SHA1

5a0d1066e6058d101a7067f8c7307527e859673d
SHA256

afa32cb20d9d6fc74e1e4c692084d5ad1ec19c9d60e70d6c8a07cd12f6efd14c
SHA512

c199e7bf3affd95cf151f1e30879321e3d7851316c4735088aa415c3874bf481fbe6f6a9235a92251cea139f925cd8996c3ff42dd2484e6d692280e34d25f710
SSDEEP

1536:HFab5vy/BOX2yjHVLJIC+cA7vU+g2yQZz5:w8BOPjHVLJIRcA7vUJ2yu

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2452	7e2548d691ad809f5cf7edcfca759ccb.exe

Suspicious behavior: MapViewOfSection 23 IoCs

pid	Process
2452	7e2548d691ad809f5cf7edcfca759ccb.exe
2452	7e2548d691ad809f5cf7edcfca759ccb.exe
2452	7e2548d691ad809f5cf7edcfca759ccb.exe
2452	7e2548d691ad809f5cf7edcfca759ccb.exe
2452	7e2548d691ad809f5cf7edcfca759ccb.exe
2452	7e2548d691ad809f5cf7edcfca759ccb.exe
2452	7e2548d691ad809f5cf7edcfca759ccb.exe
2452	7e2548d691ad809f5cf7edcfca759ccb.exe
2452	7e2548d691ad809f5cf7edcfca759ccb.exe
2452	7e2548d691ad809f5cf7edcfca759ccb.exe
2452	7e2548d691ad809f5cf7edcfca759ccb.exe
2452	7e2548d691ad809f5cf7edcfca759ccb.exe
2452	7e2548d691ad809f5cf7edcfca759ccb.exe
2452	7e2548d691ad809f5cf7edcfca759ccb.exe
2452	7e2548d691ad809f5cf7edcfca759ccb.exe
2452	7e2548d691ad809f5cf7edcfca759ccb.exe
2452	7e2548d691ad809f5cf7edcfca759ccb.exe
2452	7e2548d691ad809f5cf7edcfca759ccb.exe
2452	7e2548d691ad809f5cf7edcfca759ccb.exe
2452	7e2548d691ad809f5cf7edcfca759ccb.exe
2452	7e2548d691ad809f5cf7edcfca759ccb.exe
2452	7e2548d691ad809f5cf7edcfca759ccb.exe
2452	7e2548d691ad809f5cf7edcfca759ccb.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2452	7e2548d691ad809f5cf7edcfca759ccb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2452 wrote to memory of 376	2452	7e2548d691ad809f5cf7edcfca759ccb.exe	25
PID 2452 wrote to memory of 376	2452	7e2548d691ad809f5cf7edcfca759ccb.exe	25
PID 2452 wrote to memory of 376	2452	7e2548d691ad809f5cf7edcfca759ccb.exe	25
PID 2452 wrote to memory of 376	2452	7e2548d691ad809f5cf7edcfca759ccb.exe	25
PID 2452 wrote to memory of 376	2452	7e2548d691ad809f5cf7edcfca759ccb.exe	25
PID 2452 wrote to memory of 376	2452	7e2548d691ad809f5cf7edcfca759ccb.exe	25
PID 2452 wrote to memory of 376	2452	7e2548d691ad809f5cf7edcfca759ccb.exe	25
PID 2452 wrote to memory of 388	2452	7e2548d691ad809f5cf7edcfca759ccb.exe	24
PID 2452 wrote to memory of 388	2452	7e2548d691ad809f5cf7edcfca759ccb.exe	24
PID 2452 wrote to memory of 388	2452	7e2548d691ad809f5cf7edcfca759ccb.exe	24
PID 2452 wrote to memory of 388	2452	7e2548d691ad809f5cf7edcfca759ccb.exe	24
PID 2452 wrote to memory of 388	2452	7e2548d691ad809f5cf7edcfca759ccb.exe	24
PID 2452 wrote to memory of 388	2452	7e2548d691ad809f5cf7edcfca759ccb.exe	24
PID 2452 wrote to memory of 388	2452	7e2548d691ad809f5cf7edcfca759ccb.exe	24
PID 2452 wrote to memory of 424	2452	7e2548d691ad809f5cf7edcfca759ccb.exe	23
PID 2452 wrote to memory of 424	2452	7e2548d691ad809f5cf7edcfca759ccb.exe	23
PID 2452 wrote to memory of 424	2452	7e2548d691ad809f5cf7edcfca759ccb.exe	23
PID 2452 wrote to memory of 424	2452	7e2548d691ad809f5cf7edcfca759ccb.exe	23
PID 2452 wrote to memory of 424	2452	7e2548d691ad809f5cf7edcfca759ccb.exe	23
PID 2452 wrote to memory of 424	2452	7e2548d691ad809f5cf7edcfca759ccb.exe	23
PID 2452 wrote to memory of 424	2452	7e2548d691ad809f5cf7edcfca759ccb.exe	23
PID 2452 wrote to memory of 468	2452	7e2548d691ad809f5cf7edcfca759ccb.exe	22
PID 2452 wrote to memory of 468	2452	7e2548d691ad809f5cf7edcfca759ccb.exe	22
PID 2452 wrote to memory of 468	2452	7e2548d691ad809f5cf7edcfca759ccb.exe	22
PID 2452 wrote to memory of 468	2452	7e2548d691ad809f5cf7edcfca759ccb.exe	22
PID 2452 wrote to memory of 468	2452	7e2548d691ad809f5cf7edcfca759ccb.exe	22
PID 2452 wrote to memory of 468	2452	7e2548d691ad809f5cf7edcfca759ccb.exe	22
PID 2452 wrote to memory of 468	2452	7e2548d691ad809f5cf7edcfca759ccb.exe	22
PID 2452 wrote to memory of 484	2452	7e2548d691ad809f5cf7edcfca759ccb.exe	1
PID 2452 wrote to memory of 484	2452	7e2548d691ad809f5cf7edcfca759ccb.exe	1
PID 2452 wrote to memory of 484	2452	7e2548d691ad809f5cf7edcfca759ccb.exe	1
PID 2452 wrote to memory of 484	2452	7e2548d691ad809f5cf7edcfca759ccb.exe	1
PID 2452 wrote to memory of 484	2452	7e2548d691ad809f5cf7edcfca759ccb.exe	1
PID 2452 wrote to memory of 484	2452	7e2548d691ad809f5cf7edcfca759ccb.exe	1
PID 2452 wrote to memory of 484	2452	7e2548d691ad809f5cf7edcfca759ccb.exe	1
PID 2452 wrote to memory of 492	2452	7e2548d691ad809f5cf7edcfca759ccb.exe	21
PID 2452 wrote to memory of 492	2452	7e2548d691ad809f5cf7edcfca759ccb.exe	21
PID 2452 wrote to memory of 492	2452	7e2548d691ad809f5cf7edcfca759ccb.exe	21
PID 2452 wrote to memory of 492	2452	7e2548d691ad809f5cf7edcfca759ccb.exe	21
PID 2452 wrote to memory of 492	2452	7e2548d691ad809f5cf7edcfca759ccb.exe	21
PID 2452 wrote to memory of 492	2452	7e2548d691ad809f5cf7edcfca759ccb.exe	21
PID 2452 wrote to memory of 492	2452	7e2548d691ad809f5cf7edcfca759ccb.exe	21
PID 2452 wrote to memory of 600	2452	7e2548d691ad809f5cf7edcfca759ccb.exe	20
PID 2452 wrote to memory of 600	2452	7e2548d691ad809f5cf7edcfca759ccb.exe	20
PID 2452 wrote to memory of 600	2452	7e2548d691ad809f5cf7edcfca759ccb.exe	20
PID 2452 wrote to memory of 600	2452	7e2548d691ad809f5cf7edcfca759ccb.exe	20
PID 2452 wrote to memory of 600	2452	7e2548d691ad809f5cf7edcfca759ccb.exe	20
PID 2452 wrote to memory of 600	2452	7e2548d691ad809f5cf7edcfca759ccb.exe	20
PID 2452 wrote to memory of 600	2452	7e2548d691ad809f5cf7edcfca759ccb.exe	20
PID 2452 wrote to memory of 676	2452	7e2548d691ad809f5cf7edcfca759ccb.exe	19
PID 2452 wrote to memory of 676	2452	7e2548d691ad809f5cf7edcfca759ccb.exe	19
PID 2452 wrote to memory of 676	2452	7e2548d691ad809f5cf7edcfca759ccb.exe	19
PID 2452 wrote to memory of 676	2452	7e2548d691ad809f5cf7edcfca759ccb.exe	19
PID 2452 wrote to memory of 676	2452	7e2548d691ad809f5cf7edcfca759ccb.exe	19
PID 2452 wrote to memory of 676	2452	7e2548d691ad809f5cf7edcfca759ccb.exe	19
PID 2452 wrote to memory of 676	2452	7e2548d691ad809f5cf7edcfca759ccb.exe	19
PID 2452 wrote to memory of 740	2452	7e2548d691ad809f5cf7edcfca759ccb.exe	18
PID 2452 wrote to memory of 740	2452	7e2548d691ad809f5cf7edcfca759ccb.exe	18
PID 2452 wrote to memory of 740	2452	7e2548d691ad809f5cf7edcfca759ccb.exe	18
PID 2452 wrote to memory of 740	2452	7e2548d691ad809f5cf7edcfca759ccb.exe	18
PID 2452 wrote to memory of 740	2452	7e2548d691ad809f5cf7edcfca759ccb.exe	18
PID 2452 wrote to memory of 740	2452	7e2548d691ad809f5cf7edcfca759ccb.exe	18
PID 2452 wrote to memory of 740	2452	7e2548d691ad809f5cf7edcfca759ccb.exe	18
PID 2452 wrote to memory of 812	2452	7e2548d691ad809f5cf7edcfca759ccb.exe	17

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:484

\\?\C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:3068

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
1⤵
PID:2108

C:\Users\Admin\AppData\Local\Temp\7e2548d691ad809f5cf7edcfca759ccb.exe
"C:\Users\Admin\AppData\Local\Temp\7e2548d691ad809f5cf7edcfca759ccb.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
1⤵
PID:1448

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1220

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1184

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1120

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
1⤵
PID:1040

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
1⤵
PID:288

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
1⤵
PID:972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:840

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
1⤵
PID:812

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:740

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
1⤵
PID:676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
PID:600
- C:\Windows\system32\wbem\wmiprvse.exe
  C:\Windows\system32\wbem\wmiprvse.exe -Embedding
  2⤵
  PID:2568

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:492

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:468

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:424

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:388
- C:\Windows\system32\conhost.exe
  \??\C:\Windows\system32\conhost.exe "1120755206-1944318878-1577740885-19087227111812152806480854789-1699611626-1867285347"
  2⤵
  PID:2812

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:376

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2452-0-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2452-1-0x0000000000030000-0x000000000003E000-memory.dmp

Filesize
56KB

Download
memory/2452-2-0x0000000000030000-0x000000000003E000-memory.dmp

Filesize
56KB

Download
memory/2452-3-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download