75d5194e30d11daf3b4d932cf3d3422ffd6f6fcf147b303dbffb207cf54b0ead

Analysis

max time kernel
126s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12/02/2024, 08:53

Target

96c375564ea25ec8f447eba8dadaa711.exe
Size

293KB
MD5

96c375564ea25ec8f447eba8dadaa711
SHA1

3f8bfe14702500ac11b575d4aa71ebc68730306b
SHA256

75d5194e30d11daf3b4d932cf3d3422ffd6f6fcf147b303dbffb207cf54b0ead
SHA512

dd05837be4ac6e298a92cc05802fde671e2a0adf29f6ca689a32110d73b13ea12ef007cda1fb70a0ac922f1f28c3cf51f05697a45d307143750913e0e56e33a1
SSDEEP

6144:Gcxq9NKmH8g/SerToYqR1y9vHWEgzAly6Mm1QD6F09OqbOnTLln4d9+6ZauUTMX8:G59yg/XoYqRk4zUy6JQD6FMxbcLid3aF

Score

7^/10

aspackv2

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

resource	yara_rule
behavioral2/files/0x0007000000023213-3.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
3468	svchost.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\svchost.exe	96c375564ea25ec8f447eba8dadaa711.exe
File opened for modification	C:\Windows\svchost.exe	96c375564ea25ec8f447eba8dadaa711.exe
File created	C:\Windows\uninstal.bat	96c375564ea25ec8f447eba8dadaa711.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	116	96c375564ea25ec8f447eba8dadaa711.exe
Token: SeDebugPrivilege	3468	svchost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3468	svchost.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 116 wrote to memory of 2972	116	96c375564ea25ec8f447eba8dadaa711.exe	86
PID 116 wrote to memory of 2972	116	96c375564ea25ec8f447eba8dadaa711.exe	86
PID 116 wrote to memory of 2972	116	96c375564ea25ec8f447eba8dadaa711.exe	86
PID 3468 wrote to memory of 1996	3468	svchost.exe	85
PID 3468 wrote to memory of 1996	3468	svchost.exe	85

C:\Users\Admin\AppData\Local\Temp\96c375564ea25ec8f447eba8dadaa711.exe
"C:\Users\Admin\AppData\Local\Temp\96c375564ea25ec8f447eba8dadaa711.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:116
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
  2⤵
  PID:2972

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3468
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:1996

C:\Windows\svchost.exe

Filesize
293KB

MD5
96c375564ea25ec8f447eba8dadaa711

SHA1
3f8bfe14702500ac11b575d4aa71ebc68730306b

SHA256
75d5194e30d11daf3b4d932cf3d3422ffd6f6fcf147b303dbffb207cf54b0ead

SHA512
dd05837be4ac6e298a92cc05802fde671e2a0adf29f6ca689a32110d73b13ea12ef007cda1fb70a0ac922f1f28c3cf51f05697a45d307143750913e0e56e33a1

Download Submit
C:\Windows\uninstal.bat

Filesize
190B

MD5
74986d04e44a58399fd163712b2fdcd4

SHA1
f98dffbc5d1d9bf4ed18096bf013229023ba0bd0

SHA256
1a56d692535db84c9c26ccd28e1b35ba4961b5ce4cacbf1b1c1814b48024b014

SHA512
918aad040fc8c1576bf8b185b81d6c01964f77b445f2033fa9781309706b5d08ef5ab8ca2e79eeccc4bf664b3154af39d82d22feb7508858b5bd5dc3d22c3a73

Download Submit
memory/116-0-0x0000000000800000-0x0000000000801000-memory.dmp

Filesize
4KB

Download
memory/116-8-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/3468-6-0x0000000001420000-0x0000000001421000-memory.dmp

Filesize
4KB

Download
memory/3468-10-0x0000000001420000-0x0000000001421000-memory.dmp

Filesize
4KB

Download