3b938923d8848cd0a5214af4de490023fa15804ab6b4a43a9f1349d4091fb91e

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
03/02/2024, 15:25

Target

8cae2dad61468a6f06532c0b3c31dc2f.exe
Size

41KB
MD5

8cae2dad61468a6f06532c0b3c31dc2f
SHA1

9853e991c624e28d895b1987e6f55d6f84b28111
SHA256

3b938923d8848cd0a5214af4de490023fa15804ab6b4a43a9f1349d4091fb91e
SHA512

4355a245daa5bd55ab12975bf601d5326db8704fee2b66c31e30c910316b64fc1cd00def8547610b541b6aecc9850f67170d6ada245755c382e69286c6fae535
SSDEEP

768:kpMgLdU/NZk+prtZdGeFh9IbJyEkL3m7geHf+5qx8MT0ez8MOp4+0AaQyFZ:0MgLUNZk+zxhOQY7geSc8sl4MU4+Hu

Score

8^/10

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\beep.sys	8cae2dad61468a6f06532c0b3c31dc2f.exe
File opened for modification	C:\Windows\SysWOW64\drivers\beep.sys	ctfmons.exe

Deletes itself 1 IoCs

pid	Process
2732	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2448	ctfmons.exe

Loads dropped DLL 2 IoCs

pid	Process
2092	8cae2dad61468a6f06532c0b3c31dc2f.exe
2092	8cae2dad61468a6f06532c0b3c31dc2f.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ctfmons.exe	8cae2dad61468a6f06532c0b3c31dc2f.exe
File opened for modification	C:\Windows\SysWOW64\ctfmons.exe	8cae2dad61468a6f06532c0b3c31dc2f.exe
File created	C:\Windows\SysWOW64\ctfmons.exe	ctfmons.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2092	8cae2dad61468a6f06532c0b3c31dc2f.exe
2448	ctfmons.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
464	Process not Found
464	Process not Found

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2092	8cae2dad61468a6f06532c0b3c31dc2f.exe
Token: SeIncBasePriorityPrivilege	2448	ctfmons.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 2448	2092	8cae2dad61468a6f06532c0b3c31dc2f.exe	28
PID 2092 wrote to memory of 2448	2092	8cae2dad61468a6f06532c0b3c31dc2f.exe	28
PID 2092 wrote to memory of 2448	2092	8cae2dad61468a6f06532c0b3c31dc2f.exe	28
PID 2092 wrote to memory of 2448	2092	8cae2dad61468a6f06532c0b3c31dc2f.exe	28
PID 2092 wrote to memory of 2732	2092	8cae2dad61468a6f06532c0b3c31dc2f.exe	29
PID 2092 wrote to memory of 2732	2092	8cae2dad61468a6f06532c0b3c31dc2f.exe	29
PID 2092 wrote to memory of 2732	2092	8cae2dad61468a6f06532c0b3c31dc2f.exe	29
PID 2092 wrote to memory of 2732	2092	8cae2dad61468a6f06532c0b3c31dc2f.exe	29
PID 2448 wrote to memory of 2680	2448	ctfmons.exe	30
PID 2448 wrote to memory of 2680	2448	ctfmons.exe	30
PID 2448 wrote to memory of 2680	2448	ctfmons.exe	30
PID 2448 wrote to memory of 2680	2448	ctfmons.exe	30

C:\Users\Admin\AppData\Local\Temp\8cae2dad61468a6f06532c0b3c31dc2f.exe
"C:\Users\Admin\AppData\Local\Temp\8cae2dad61468a6f06532c0b3c31dc2f.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Windows\SysWOW64\ctfmons.exe
  "C:\Windows\system32\ctfmons.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2448
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c dEl C:\Windows\SysWOW64\ctfmons.exe > nul
    3⤵
    PID:2680
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c dEl C:\Users\Admin\AppData\Local\Temp\8CAE2D~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2732

C:\Windows\SysWOW64\drivers\beep.sys

Filesize
4KB

MD5
3d00f7839900257e673e9a1735f7b401

SHA1
286a7c3e74951e1b0cee224a49518d923d5999a6

SHA256
5b64c0ff485ce9ca1710e1fc935a41f70b1d758bb2a51ab7caeddc5a770ef850

SHA512
c44a859e5d85d3473376639d80588902e3354ed416be34fd2f868202012cdbe76ce061acafc48b0eac279c3d0933a24f9d9b6fdaf0f1d569af7551999726ee5b

Download Submit
\Windows\SysWOW64\ctfmons.exe

Filesize
41KB

MD5
8cae2dad61468a6f06532c0b3c31dc2f

SHA1
9853e991c624e28d895b1987e6f55d6f84b28111

SHA256
3b938923d8848cd0a5214af4de490023fa15804ab6b4a43a9f1349d4091fb91e

SHA512
4355a245daa5bd55ab12975bf601d5326db8704fee2b66c31e30c910316b64fc1cd00def8547610b541b6aecc9850f67170d6ada245755c382e69286c6fae535

Download Submit