e1b1263319cf49f75bf91965d0a26dd14aa78099b3acc4a0481c1082455d15b4

Analysis

max time kernel
131s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
28/01/2024, 20:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7dfc8c3e6f3bb0bf9769fd8b295f518a.exe
Size

152KB
MD5

7dfc8c3e6f3bb0bf9769fd8b295f518a
SHA1

b9bea0cd567d4643de1dc9346cfefa53153e4f56
SHA256

e1b1263319cf49f75bf91965d0a26dd14aa78099b3acc4a0481c1082455d15b4
SHA512

b16c265532bdbf52fb18cad7172ca0e544bc923d1689ccc171d67bc8db2c6244c96b23d064d3743951bbde36ac6249bd10c8db0c29511db97816931b2927343d
SSDEEP

3072:1g+jB7s2eCUaFPmgRMNlPTGQQm6ytwZEsrYkK4Yg:1rjBbeC98gWNlPTGQQm6agrd

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3412	haZl0oh.exe
1916	haZl0oh.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\haZl0oh.exe	haZl0oh.exe
File opened for modification	C:\Windows\SysWOW64\haZl0oh.exe	haZl0oh.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3412	haZl0oh.exe
3412	haZl0oh.exe
3412	haZl0oh.exe
3412	haZl0oh.exe
3412	haZl0oh.exe
3412	haZl0oh.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3412	haZl0oh.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 3412	2736	7dfc8c3e6f3bb0bf9769fd8b295f518a.exe	26
PID 2736 wrote to memory of 3412	2736	7dfc8c3e6f3bb0bf9769fd8b295f518a.exe	26
PID 2736 wrote to memory of 3412	2736	7dfc8c3e6f3bb0bf9769fd8b295f518a.exe	26
PID 3412 wrote to memory of 4292	3412	haZl0oh.exe	30
PID 3412 wrote to memory of 4292	3412	haZl0oh.exe	30
PID 3412 wrote to memory of 4292	3412	haZl0oh.exe	30

C:\Users\Admin\AppData\Local\Temp\7dfc8c3e6f3bb0bf9769fd8b295f518a.exe
"C:\Users\Admin\AppData\Local\Temp\7dfc8c3e6f3bb0bf9769fd8b295f518a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Users\Admin\AppData\Local\Temp\haZl0oh.exe
  haZl0oh.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3412
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\haZl0oh.exe > nul
    3⤵
    PID:4292

C:\Windows\SysWOW64\haZl0oh.exe
C:\Windows\SysWOW64\haZl0oh.exe
1⤵
- Executes dropped EXE
PID:1916

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\haZl0oh.exe

Filesize
18KB

MD5
0fb956b0b5796455b979144d1a3c55ac

SHA1
b3abbb5eb5401bb2be7c9a5584a43f62b8ca327f

SHA256
06e5edf3107e6c5542a7ae8cb71732387e52dd581904a13a2796bed9d19de186

SHA512
b15e41b2ae9ca769aefd6620f3b3e19617f444c2c10a211888f9ad1cdf572633c53c88698aefb18cdccbe8322428d59fa997eff31f09a1b1befc8b0c55288781

Download Submit
memory/2736-8-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/2736-21-0x00000000021E0000-0x0000000002223000-memory.dmp

Filesize
268KB

Download
memory/2736-13-0x0000000002430000-0x0000000002431000-memory.dmp

Filesize
4KB

Download
memory/2736-12-0x0000000002400000-0x0000000002401000-memory.dmp

Filesize
4KB

Download
memory/2736-11-0x0000000002260000-0x0000000002261000-memory.dmp

Filesize
4KB

Download
memory/2736-10-0x00000000022A0000-0x00000000022A1000-memory.dmp

Filesize
4KB

Download
memory/2736-1-0x00000000021E0000-0x0000000002223000-memory.dmp

Filesize
268KB

Download
memory/2736-7-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/2736-9-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/2736-6-0x0000000002290000-0x0000000002291000-memory.dmp

Filesize
4KB

Download
memory/2736-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2736-20-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2736-5-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/2736-4-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/2736-3-0x00000000023E0000-0x00000000023E1000-memory.dmp

Filesize
4KB

Download