eb713d072fb0667c26d01ec4e5ace6bb5338d4db964b3e76522a2ea315cd9d66

Analysis

max time kernel
122s
max time network
130s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
03/02/2024, 03:47

Target

8b5085bcd2fc913a8ba1ec86f193cd0b.exe
Size

70KB
MD5

8b5085bcd2fc913a8ba1ec86f193cd0b
SHA1

c2f6a485ababc93ecd6e3fa91e8c0fcfda63317d
SHA256

eb713d072fb0667c26d01ec4e5ace6bb5338d4db964b3e76522a2ea315cd9d66
SHA512

e836fd116049455c18ba891724c409a7fcf12b5ee5a9ccd94b65bbcfd84a41a9cfb4dd2d3c4c8f0f99e83a0b34c208dda3a22f7413cb83ab7e75fa96f9c82f61
SSDEEP

1536:+Voxa8Vvn19gwVSULC7pWpp7g4qGlR35fzSxx3WBIpqHola:+VuV/12WLLC1Wp+4q45fzSfcWqHoM

Score

8^/10

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\klif.sys	8b5085bcd2fc913a8ba1ec86f193cd0b.exe

Loads dropped DLL 1 IoCs

pid	Process
2080	8b5085bcd2fc913a8ba1ec86f193cd0b.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\xcvaver0.dll	8b5085bcd2fc913a8ba1ec86f193cd0b.exe
File opened for modification	C:\Windows\SysWOW64\xcvaver0.dll	8b5085bcd2fc913a8ba1ec86f193cd0b.exe

Modifies registry class 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C3D16072-B843-2E1B-450B-50EADDC8EB63}\VcmnExeModuleName = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8b5085bcd2fc913a8ba1ec86f193cd0b.exe"	8b5085bcd2fc913a8ba1ec86f193cd0b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C3D16072-B843-2E1B-450B-50EADDC8EB63}\VcmnDllModuleName = "C:\\Windows\\SysWow64\\xcvaver0.dll"	8b5085bcd2fc913a8ba1ec86f193cd0b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C3D16072-B843-2E1B-450B-50EADDC8EB63}\VcmnSobjEventName = "BNMJJHYUIOPTREMN_0"	8b5085bcd2fc913a8ba1ec86f193cd0b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C3D16072-B843-2E1B-450B-50EADDC8EB63}	8b5085bcd2fc913a8ba1ec86f193cd0b.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2080	8b5085bcd2fc913a8ba1ec86f193cd0b.exe
2080	8b5085bcd2fc913a8ba1ec86f193cd0b.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2080	8b5085bcd2fc913a8ba1ec86f193cd0b.exe

Suspicious use of WriteProcessMemory 1 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 1204	2080	8b5085bcd2fc913a8ba1ec86f193cd0b.exe	10

\Windows\SysWOW64\xcvaver0.dll

Filesize
192KB

MD5
4a8f5f9c5116fecae04ec398bd3115ef

SHA1
ea01ee51fc72e21a8f19a90cc6dfc8a5875ef513

SHA256
4e894da46d9719b6b3651378fd2cdd90c1738fe56da954e85b0d653266720007

SHA512
c4f9d28b068408693b480003e458a637d3d852f5d7c22de72335ddef95a8bbef5b733206821254ea78b59dee660c6cbec3ae679e01bb2d6e8a6a4c19e8cabe7e

Download Submit
memory/1204-7-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

Filesize
4KB

Download
memory/2080-4-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/2080-8-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download