390d0b4912447f31746029450efde4de5f18be0fdd830f63622411db01b9e085

Analysis

max time kernel
117s
max time network
117s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
12-02-2024 22:20

Target

97c15c4c9bff9f46a4c6d3bd5a6d0242.exe
Size

100KB
MD5

97c15c4c9bff9f46a4c6d3bd5a6d0242
SHA1

c8f59285c84c0ec77868bf33a815061c9ec59c7d
SHA256

390d0b4912447f31746029450efde4de5f18be0fdd830f63622411db01b9e085
SHA512

f2f5f91162518f865ddf305f94661170c11d10b4b50744831cd2af2e63a12090ea873e3886d53437e7e42fb74e48d8cdc34de4824025e7a3e9e9c95d16b8253d
SSDEEP

768:bqooHwDxdsx+MQyB+zB3plNuZkvJQakbmOqoY/8hotJ9QgW1eQG+LjSaXq:53Dxdsx7BcVpWSvJQFtotzQgByH2

Score

7^/10

Deletes itself 1 IoCs

pid	Process
2140	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
3032	97c15c4c9bff9f46a4c6d3bd5a6d0242.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\qdshm.dll	97c15c4c9bff9f46a4c6d3bd5a6d0242.exe
File opened for modification	C:\Windows\SysWOW64\addrzthelp.cfg	97c15c4c9bff9f46a4c6d3bd5a6d0242.exe
File opened for modification	C:\Windows\SysWOW64\addrzthelp.dll	97c15c4c9bff9f46a4c6d3bd5a6d0242.exe
File created	C:\Windows\SysWOW64\addrzthelp.dll	97c15c4c9bff9f46a4c6d3bd5a6d0242.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3032	97c15c4c9bff9f46a4c6d3bd5a6d0242.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
3032	97c15c4c9bff9f46a4c6d3bd5a6d0242.exe
476	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	3032	97c15c4c9bff9f46a4c6d3bd5a6d0242.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 2140	3032	97c15c4c9bff9f46a4c6d3bd5a6d0242.exe	28
PID 3032 wrote to memory of 2140	3032	97c15c4c9bff9f46a4c6d3bd5a6d0242.exe	28
PID 3032 wrote to memory of 2140	3032	97c15c4c9bff9f46a4c6d3bd5a6d0242.exe	28
PID 3032 wrote to memory of 2140	3032	97c15c4c9bff9f46a4c6d3bd5a6d0242.exe	28

C:\Users\Admin\AppData\Local\Temp\97c15c4c9bff9f46a4c6d3bd5a6d0242.exe
"C:\Users\Admin\AppData\Local\Temp\97c15c4c9bff9f46a4c6d3bd5a6d0242.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\97c15c4c9bff9f46a4c6d3bd5a6d0242.exe"
  2⤵
  - Deletes itself
  PID:2140

\Windows\SysWOW64\qdshm.dll

Filesize
9KB

MD5
f5a2c82b8c3ab3890fe1373225645679

SHA1
c54560d854c25b38ba8e2eb59b1050fc0120d57b

SHA256
24bdd4d46da2f0cc427677c026f47436eeb613e65aa0f43eded7bb814616485b

SHA512
3023d46453232211881ec377604d6a7d5936d5687dd61d16986aa9b308246b20a4371aebd02e40746de9994da79635bdffe4af020e69f93c904d963712481470

Download Submit