1968019f141ec80b6dfd9c3311eda6593567da8fc8c443963f116538d4fc2e7c

Analysis

max time kernel
131s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
28/01/2024, 03:50

Target

7c11ae757aa7790ce8cca4db2e00bdbb.exe
Size

32KB
MD5

7c11ae757aa7790ce8cca4db2e00bdbb
SHA1

bbc29ddc2ac29f2b5642ee12e592bba6280e7669
SHA256

1968019f141ec80b6dfd9c3311eda6593567da8fc8c443963f116538d4fc2e7c
SHA512

ea63dc7d93fc8bef70bb7e9c438e4b940584668da8aea62e00737595bff43cdd9f5d6124fb8d4b81fcb05dc0559262c6afa7f989369bbe7e4597d124f8cb38d0
SSDEEP

768:daQA/RU+lTy0SIaThVsFTV89WMJqJpHlr3MrUp:gpHTyEaVVsFTV89GJVlroY

Score

7^/10

Loads dropped DLL 1 IoCs

pid	Process
3024	7c11ae757aa7790ce8cca4db2e00bdbb.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\tuvVPihF.dll	7c11ae757aa7790ce8cca4db2e00bdbb.exe
File created	C:\Windows\SysWOW64\tuvVPihF.dll	7c11ae757aa7790ce8cca4db2e00bdbb.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3024	7c11ae757aa7790ce8cca4db2e00bdbb.exe
3024	7c11ae757aa7790ce8cca4db2e00bdbb.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3024	7c11ae757aa7790ce8cca4db2e00bdbb.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3024	7c11ae757aa7790ce8cca4db2e00bdbb.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 616	3024	7c11ae757aa7790ce8cca4db2e00bdbb.exe	4
PID 3024 wrote to memory of 888	3024	7c11ae757aa7790ce8cca4db2e00bdbb.exe	97
PID 3024 wrote to memory of 888	3024	7c11ae757aa7790ce8cca4db2e00bdbb.exe	97
PID 3024 wrote to memory of 888	3024	7c11ae757aa7790ce8cca4db2e00bdbb.exe	97
PID 3024 wrote to memory of 1152	3024	7c11ae757aa7790ce8cca4db2e00bdbb.exe	99
PID 3024 wrote to memory of 1152	3024	7c11ae757aa7790ce8cca4db2e00bdbb.exe	99
PID 3024 wrote to memory of 1152	3024	7c11ae757aa7790ce8cca4db2e00bdbb.exe	99

C:\Users\Admin\AppData\Local\Temp\7c11ae757aa7790ce8cca4db2e00bdbb.exe
"C:\Users\Admin\AppData\Local\Temp\7c11ae757aa7790ce8cca4db2e00bdbb.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe ,a
  2⤵
  PID:888
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\removalfile.bat "C:\Users\Admin\AppData\Local\Temp\7c11ae757aa7790ce8cca4db2e00bdbb.exe"
  2⤵
  PID:1152

C:\Users\Admin\AppData\Local\Temp\removalfile.bat

Filesize
43B

MD5
9a7ef09167a6f4433681b94351509043

SHA1
259b1375ed8e84943ca1d42646bb416325c89e12

SHA256
d5739a0510d89da572eb0b0d394d4fb4dd361cd9ee0144b9b31c590df93c3be7

SHA512
96b84cd88a0e4b7c1122af3ed6ce5edf0a9a4e9bf79575eadfac16b2c46f1278d57755d29f21d7c6dcb4403be24b7ac7da4837c6cc9c602342a8f2b8e54883df

Download Submit
C:\Windows\SysWOW64\tuvVPihF.dll

Filesize
23KB

MD5
67d61e63eb9c8ed7ae2a71224f248bf6

SHA1
fb7443d17a5bac481f14d080e2ca678cf3dfe7fe

SHA256
50d2a70f21c3c40283a694ac2d379834fa7c70fa530efb4ecbc181b2d041633d

SHA512
c85c89c1797ed6e2d65e02337df36bb8e235499bf86e029c2aa2ff2282cd95c71ea0fd10a89acfca7916f83ce23222a096ea097f76b0426bedae77883ecc764c

Download Submit
memory/3024-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3024-1-0x00000000004F0000-0x00000000004F7000-memory.dmp

Filesize
28KB

Download
memory/3024-7-0x00000000004B0000-0x00000000004B5000-memory.dmp

Filesize
20KB

Download
memory/3024-8-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/3024-9-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/3024-10-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/3024-13-0x00000000004F0000-0x00000000004F7000-memory.dmp

Filesize
28KB

Download
memory/3024-14-0x00000000004B0000-0x00000000004B5000-memory.dmp

Filesize
20KB

Download