aadb31d7bd157b482c0a24116b08f83f2f9495be8c9dacbedeeb91804462ce55

Analysis

max time kernel
142s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
13-02-2024 13:14

Target

9982bc0277110ed35b4fff016cc3cc67.exe
Size

764KB
MD5

9982bc0277110ed35b4fff016cc3cc67
SHA1

9219cae7122368786aabdfc34587d61dc5a66eea
SHA256

aadb31d7bd157b482c0a24116b08f83f2f9495be8c9dacbedeeb91804462ce55
SHA512

51b971fb626e18d268894478468f3b6139a20880ff9200c45c8b3a1fd77358702d3cab7eec971d26ea4bca5ebc634528dddb894214ee9a462371a5f209ce8954
SSDEEP

12288:N6lg9NDK9jbrW5AwGwHDx1fKIWnxvVtO2tjvP5cU7MoShS/JXKCqLR:c+9Y9/rW5AjixF+xvjO2tRWinq

Score

7^/10

Deletes itself 1 IoCs

pid	Process
2912	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2848	G_Server2.03.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\G_Server2.03.exe	9982bc0277110ed35b4fff016cc3cc67.exe
File opened for modification	C:\Windows\G_Server2.03.exe	9982bc0277110ed35b4fff016cc3cc67.exe
File created	C:\Windows\DELME.BAT	9982bc0277110ed35b4fff016cc3cc67.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2232	9982bc0277110ed35b4fff016cc3cc67.exe
Token: SeDebugPrivilege	2848	G_Server2.03.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2848	G_Server2.03.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 2744	2848	G_Server2.03.exe	29
PID 2848 wrote to memory of 2744	2848	G_Server2.03.exe	29
PID 2848 wrote to memory of 2744	2848	G_Server2.03.exe	29
PID 2848 wrote to memory of 2744	2848	G_Server2.03.exe	29
PID 2232 wrote to memory of 2912	2232	9982bc0277110ed35b4fff016cc3cc67.exe	30
PID 2232 wrote to memory of 2912	2232	9982bc0277110ed35b4fff016cc3cc67.exe	30
PID 2232 wrote to memory of 2912	2232	9982bc0277110ed35b4fff016cc3cc67.exe	30
PID 2232 wrote to memory of 2912	2232	9982bc0277110ed35b4fff016cc3cc67.exe	30

C:\Users\Admin\AppData\Local\Temp\9982bc0277110ed35b4fff016cc3cc67.exe
"C:\Users\Admin\AppData\Local\Temp\9982bc0277110ed35b4fff016cc3cc67.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\DELME.BAT
  2⤵
  - Deletes itself
  PID:2912

C:\Windows\G_Server2.03.exe
C:\Windows\G_Server2.03.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Program Files\Internet ExplorER\IEXPLORE.EXE
  "C:\Program Files\Internet ExplorER\IEXPLORE.EXE"
  2⤵
  PID:2744

C:\Windows\DELME.BAT

Filesize
190B

MD5
3253caf75d9dd8a802a0a202d45ed207

SHA1
d3ec907bed1662434ea7b76f9eb19cbb881f53ed

SHA256
d50bc85cfda01e5227bae42414b1cee7c4077348651662c45d835a77f2bdc370

SHA512
c58a68b935b7e35b38c61ffe66c169a36c29a7c33336b2ead17cc01ef637f88bab70ec02ba23abcc66e9c55135dd01d325319a3554bbe95758da5ab068ce75e1

Download Submit
C:\Windows\G_Server2.03.exe

Filesize
764KB

MD5
9982bc0277110ed35b4fff016cc3cc67

SHA1
9219cae7122368786aabdfc34587d61dc5a66eea

SHA256
aadb31d7bd157b482c0a24116b08f83f2f9495be8c9dacbedeeb91804462ce55

SHA512
51b971fb626e18d268894478468f3b6139a20880ff9200c45c8b3a1fd77358702d3cab7eec971d26ea4bca5ebc634528dddb894214ee9a462371a5f209ce8954

Download Submit
memory/2232-0-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2232-13-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/2848-4-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2848-15-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/2848-17-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download