0e1b1cef75526a139b12ec18f2bb9f77bdab2d78e3aadb3ddc4e1e582fd5f786

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
13-02-2024 05:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

989609cd4ed516ea389fa3b9954e6d9f.exe
Size

20KB
MD5

989609cd4ed516ea389fa3b9954e6d9f
SHA1

8882048fa9b0ff0ff8f683b29debb14ca5e51fc8
SHA256

0e1b1cef75526a139b12ec18f2bb9f77bdab2d78e3aadb3ddc4e1e582fd5f786
SHA512

be827b04b5b9dca309f6683a98ad62b3012ac508819fe79818a678a3a4b50d1eec4d2e8e44101ce7c07364a7de7f5cbd71d63dc389e97a0ec245117f54126769
SSDEEP

384:4a23g2GJ/PwW1AqEVvqIAT/emE74y12hyuZSb09xtZKGpUXiGj6qdZMQET:ygLJ/VeqHE74y1+SA9JKGtYd

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2392	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2372	usrinit.exe

Loads dropped DLL 3 IoCs

pid	Process
1948	989609cd4ed516ea389fa3b9954e6d9f.exe
1948	989609cd4ed516ea389fa3b9954e6d9f.exe
2372	usrinit.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\winsvc.dll	989609cd4ed516ea389fa3b9954e6d9f.exe
File created	C:\Windows\SysWOW64\usrinit.exe	989609cd4ed516ea389fa3b9954e6d9f.exe
File opened for modification	C:\Windows\SysWOW64\winsvc.dll	989609cd4ed516ea389fa3b9954e6d9f.exe
File opened for modification	C:\Windows\SysWOW64\usrinit.exe	989609cd4ed516ea389fa3b9954e6d9f.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64	989609cd4ed516ea389fa3b9954e6d9f.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1948	989609cd4ed516ea389fa3b9954e6d9f.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1948	989609cd4ed516ea389fa3b9954e6d9f.exe
1948	989609cd4ed516ea389fa3b9954e6d9f.exe
2372	usrinit.exe
2372	usrinit.exe
2372	usrinit.exe
2372	usrinit.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 2372	1948	989609cd4ed516ea389fa3b9954e6d9f.exe	15
PID 1948 wrote to memory of 2372	1948	989609cd4ed516ea389fa3b9954e6d9f.exe	15
PID 1948 wrote to memory of 2372	1948	989609cd4ed516ea389fa3b9954e6d9f.exe	15
PID 1948 wrote to memory of 2372	1948	989609cd4ed516ea389fa3b9954e6d9f.exe	15
PID 1948 wrote to memory of 2392	1948	989609cd4ed516ea389fa3b9954e6d9f.exe	14
PID 1948 wrote to memory of 2392	1948	989609cd4ed516ea389fa3b9954e6d9f.exe	14
PID 1948 wrote to memory of 2392	1948	989609cd4ed516ea389fa3b9954e6d9f.exe	14
PID 1948 wrote to memory of 2392	1948	989609cd4ed516ea389fa3b9954e6d9f.exe	14

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\989609~1.EXE > nul
1⤵
- Deletes itself
PID:2392

C:\Windows\SysWOW64\usrinit.exe
"C:\Windows\system32\usrinit.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2372

C:\Users\Admin\AppData\Local\Temp\989609cd4ed516ea389fa3b9954e6d9f.exe
"C:\Users\Admin\AppData\Local\Temp\989609cd4ed516ea389fa3b9954e6d9f.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1948

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\usrinit.exe

Filesize
8KB

MD5
a4764222b83132703a0a16c48bc9d95b

SHA1
5ee283f2ce209b25d3ca30fe3c4d75987ac4cc71

SHA256
7127dd64a3147b9737c151b65cda40b9ec119e2e11d0064c261e003e9a884d34

SHA512
89ea5d0d6f212dc48426e94754ec81a51d7ebf97cdc8f0817967808c3774e3ec3a63d18803997bdf57e9a027b217cf8c1c614b6b3e2db2f5005d3a522151a401

Download Submit
\Windows\SysWOW64\winsvc.dll

Filesize
12KB

MD5
577ab6dc3f0e32f8fa9caa790ec132ea

SHA1
cca7dbc23293cccd5b82d82d1d8df7b9cb926678

SHA256
7962b92d0e0e2675708865d60ba5a923c9fda06e162589a1e85bc9939eb83e02

SHA512
2e7ceea2e09c3ec3e41c21f1cd86faa920e11c961be483c61b4ae3fefa83b181ef9a51d305853078db49846488e5d1e3d11e765944b030cfbaaca40afb2a103d

Download Submit
memory/1948-14-0x00000000002B0000-0x00000000002BA000-memory.dmp

Filesize
40KB

Download
memory/1948-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1948-16-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1948-15-0x00000000002B0000-0x00000000002BA000-memory.dmp

Filesize
40KB

Download
memory/1948-21-0x00000000002B0000-0x00000000002BA000-memory.dmp

Filesize
40KB

Download
memory/2372-17-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2372-19-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/2372-20-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2372-22-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download