3b938923d8848cd0a5214af4de490023fa15804ab6b4a43a9f1349d4091fb91e

Analysis

max time kernel
93s
max time network
117s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
03-02-2024 15:25

Target

8cae2dad61468a6f06532c0b3c31dc2f.exe
Size

41KB
MD5

8cae2dad61468a6f06532c0b3c31dc2f
SHA1

9853e991c624e28d895b1987e6f55d6f84b28111
SHA256

3b938923d8848cd0a5214af4de490023fa15804ab6b4a43a9f1349d4091fb91e
SHA512

4355a245daa5bd55ab12975bf601d5326db8704fee2b66c31e30c910316b64fc1cd00def8547610b541b6aecc9850f67170d6ada245755c382e69286c6fae535
SSDEEP

768:kpMgLdU/NZk+prtZdGeFh9IbJyEkL3m7geHf+5qx8MT0ez8MOp4+0AaQyFZ:0MgLUNZk+zxhOQY7geSc8sl4MU4+Hu

Score

8^/10

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\beep.sys	8cae2dad61468a6f06532c0b3c31dc2f.exe
File opened for modification	C:\Windows\SysWOW64\drivers\beep.sys	ctfmons.exe

Executes dropped EXE 1 IoCs

pid	Process
3692	ctfmons.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ctfmons.exe	8cae2dad61468a6f06532c0b3c31dc2f.exe
File opened for modification	C:\Windows\SysWOW64\ctfmons.exe	8cae2dad61468a6f06532c0b3c31dc2f.exe
File created	C:\Windows\SysWOW64\ctfmons.exe	ctfmons.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	60	8cae2dad61468a6f06532c0b3c31dc2f.exe
Token: SeIncBasePriorityPrivilege	3692	ctfmons.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 60 wrote to memory of 3692	60	8cae2dad61468a6f06532c0b3c31dc2f.exe	84
PID 60 wrote to memory of 3692	60	8cae2dad61468a6f06532c0b3c31dc2f.exe	84
PID 60 wrote to memory of 3692	60	8cae2dad61468a6f06532c0b3c31dc2f.exe	84
PID 60 wrote to memory of 5088	60	8cae2dad61468a6f06532c0b3c31dc2f.exe	85
PID 60 wrote to memory of 5088	60	8cae2dad61468a6f06532c0b3c31dc2f.exe	85
PID 60 wrote to memory of 5088	60	8cae2dad61468a6f06532c0b3c31dc2f.exe	85
PID 3692 wrote to memory of 2584	3692	ctfmons.exe	86
PID 3692 wrote to memory of 2584	3692	ctfmons.exe	86
PID 3692 wrote to memory of 2584	3692	ctfmons.exe	86

C:\Users\Admin\AppData\Local\Temp\8cae2dad61468a6f06532c0b3c31dc2f.exe
"C:\Users\Admin\AppData\Local\Temp\8cae2dad61468a6f06532c0b3c31dc2f.exe"
1⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:60
- C:\Windows\SysWOW64\ctfmons.exe
  "C:\Windows\system32\ctfmons.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3692
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c dEl C:\Windows\SysWOW64\ctfmons.exe > nul
    3⤵
    PID:2584
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c dEl C:\Users\Admin\AppData\Local\Temp\8CAE2D~1.EXE > nul
  2⤵
  PID:5088

C:\Windows\SysWOW64\ctfmons.exe

Filesize
41KB

MD5
8cae2dad61468a6f06532c0b3c31dc2f

SHA1
9853e991c624e28d895b1987e6f55d6f84b28111

SHA256
3b938923d8848cd0a5214af4de490023fa15804ab6b4a43a9f1349d4091fb91e

SHA512
4355a245daa5bd55ab12975bf601d5326db8704fee2b66c31e30c910316b64fc1cd00def8547610b541b6aecc9850f67170d6ada245755c382e69286c6fae535

Download Submit
C:\Windows\SysWOW64\drivers\beep.sys

Filesize
4KB

MD5
3d00f7839900257e673e9a1735f7b401

SHA1
286a7c3e74951e1b0cee224a49518d923d5999a6

SHA256
5b64c0ff485ce9ca1710e1fc935a41f70b1d758bb2a51ab7caeddc5a770ef850

SHA512
c44a859e5d85d3473376639d80588902e3354ed416be34fd2f868202012cdbe76ce061acafc48b0eac279c3d0933a24f9d9b6fdaf0f1d569af7551999726ee5b

Download Submit