00a8a8cf766ce7534d2a94bd8e8863dfd5b87e930bac3d3171ae58be6846a2a4

Analysis

max time kernel
146s
max time network
124s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
29/01/2024, 14:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

order nº 23.exe
Size

16KB
MD5

34475a9c0884a24fda37eb6adcbac6fc
SHA1

fc46fb5375292ec94757f5203b405c4452cc956b
SHA256

00a8a8cf766ce7534d2a94bd8e8863dfd5b87e930bac3d3171ae58be6846a2a4
SHA512

993bcd9e66b1604c8d9d554384a6551f54e653488087d2aca6fcc41ba6ae55a55db73ebae26a69e012dbf9b28432788ff783548a2d77f3611afe0bbce89c9911
SSDEEP

384:YQQJHp1MKIXLlDNYOknqJsNkGoGCJEF8ZpHlj:YQQrRIX1InqjEFiR5

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1652 set thread context of 2700	1652	order nº 23.exe	28
PID 2700 set thread context of 1312	2700	calc.exe	14
PID 2700 set thread context of 2468	2700	calc.exe	29
PID 2468 set thread context of 1312	2468	reg.exe	14

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2700	calc.exe
2700	calc.exe
2700	calc.exe
2700	calc.exe
2700	calc.exe
2700	calc.exe
2700	calc.exe
2700	calc.exe
2468	reg.exe
2468	reg.exe
2468	reg.exe
2468	reg.exe
2468	reg.exe
2468	reg.exe
2468	reg.exe
2468	reg.exe
2468	reg.exe
2468	reg.exe
2468	reg.exe
2468	reg.exe
2468	reg.exe
2468	reg.exe
2468	reg.exe
2468	reg.exe
2468	reg.exe
2468	reg.exe
2468	reg.exe
2468	reg.exe
2468	reg.exe
2468	reg.exe
2468	reg.exe
2468	reg.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2700	calc.exe
1312	Explorer.EXE
1312	Explorer.EXE
2468	reg.exe
2468	reg.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1652	order nº 23.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1652 wrote to memory of 2700	1652	order nº 23.exe	28
PID 1652 wrote to memory of 2700	1652	order nº 23.exe	28
PID 1652 wrote to memory of 2700	1652	order nº 23.exe	28
PID 1652 wrote to memory of 2700	1652	order nº 23.exe	28
PID 1652 wrote to memory of 2700	1652	order nº 23.exe	28
PID 1652 wrote to memory of 2700	1652	order nº 23.exe	28
PID 1652 wrote to memory of 2700	1652	order nº 23.exe	28
PID 1312 wrote to memory of 2468	1312	Explorer.EXE	29
PID 1312 wrote to memory of 2468	1312	Explorer.EXE	29
PID 1312 wrote to memory of 2468	1312	Explorer.EXE	29
PID 1312 wrote to memory of 2468	1312	Explorer.EXE	29

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1312
- C:\Users\Admin\AppData\Local\Temp\order nº 23.exe
  "C:\Users\Admin\AppData\Local\Temp\order nº 23.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1652
- - C:\Windows\SYSWOW64\calc.exe
    "C:\Windows\SYSWOW64\calc.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:2700
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\SysWOW64\reg.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2468

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1312-26-0x00000000002C0000-0x00000000003C0000-memory.dmp

Filesize
1024KB

Download
memory/1312-36-0x0000000009110000-0x000000000C3FD000-memory.dmp

Filesize
50.9MB

Download
memory/1312-28-0x0000000009110000-0x000000000C3FD000-memory.dmp

Filesize
50.9MB

Download
memory/1652-2-0x0000000074990000-0x000000007507E000-memory.dmp

Filesize
6.9MB

Download
memory/1652-1-0x00000000002F0000-0x000000000030A000-memory.dmp

Filesize
104KB

Download
memory/1652-3-0x0000000000E30000-0x0000000000E70000-memory.dmp

Filesize
256KB

Download
memory/1652-18-0x0000000004A10000-0x0000000004AB6000-memory.dmp

Filesize
664KB

Download
memory/1652-20-0x0000000074990000-0x000000007507E000-memory.dmp

Filesize
6.9MB

Download
memory/1652-0-0x00000000013D0000-0x00000000013D8000-memory.dmp

Filesize
32KB

Download
memory/2468-33-0x0000000002030000-0x0000000002333000-memory.dmp

Filesize
3.0MB

Download
memory/2468-29-0x0000000000140000-0x000000000017C000-memory.dmp

Filesize
240KB

Download
memory/2468-37-0x0000000000140000-0x000000000017C000-memory.dmp

Filesize
240KB

Download
memory/2468-35-0x0000000001D70000-0x0000000001E0D000-memory.dmp

Filesize
628KB

Download
memory/2468-34-0x0000000000140000-0x000000000017C000-memory.dmp

Filesize
240KB

Download
memory/2468-30-0x0000000000140000-0x000000000017C000-memory.dmp

Filesize
240KB

Download
memory/2700-23-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2700-22-0x0000000000930000-0x0000000000C33000-memory.dmp

Filesize
3.0MB

Download
memory/2700-31-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2700-21-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2700-32-0x0000000000220000-0x000000000023E000-memory.dmp

Filesize
120KB

Download
memory/2700-24-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2700-27-0x0000000000220000-0x000000000023E000-memory.dmp

Filesize
120KB

Download
memory/2700-19-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2700-25-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download