2c33d07c49cc9cffc472d27f20738a083aa22c2da47f1ef4975472466e3c3db0

Analysis

max time kernel
143s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29-02-2024 09:53

Target

ae38314c5edc4938cebfb7217bbe432d.exe
Size

744KB
MD5

ae38314c5edc4938cebfb7217bbe432d
SHA1

e854446b5b1fb2edb22a1c9e1825d4202b9d32e2
SHA256

2c33d07c49cc9cffc472d27f20738a083aa22c2da47f1ef4975472466e3c3db0
SHA512

381920a7386a11afba6dded82989810ee7eeef796e82bf690bbb8839c0694021337d9346d913a20fc81944de8a4be742216713754d21f068b660b51491fc9076
SSDEEP

12288:538JhrDQZNU8LAYod/VKYPc6UyGHefNo48UWeY7keoov6Z3k038iTs0hlO:UhrDSU8yKAUy4ONJqxlK0038306

Score

7^/10

Deletes itself 1 IoCs

pid	Process
2564	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2096	smss.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system\smss.exe	ae38314c5edc4938cebfb7217bbe432d.exe
File created	C:\Windows\61642520.BAT	ae38314c5edc4938cebfb7217bbe432d.exe
File created	C:\Windows\system\smss.exe	ae38314c5edc4938cebfb7217bbe432d.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2008	ae38314c5edc4938cebfb7217bbe432d.exe
Token: SeDebugPrivilege	2096	smss.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2096	smss.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 2500	2096	smss.exe	29
PID 2096 wrote to memory of 2500	2096	smss.exe	29
PID 2096 wrote to memory of 2500	2096	smss.exe	29
PID 2096 wrote to memory of 2500	2096	smss.exe	29
PID 2008 wrote to memory of 2564	2008	ae38314c5edc4938cebfb7217bbe432d.exe	30
PID 2008 wrote to memory of 2564	2008	ae38314c5edc4938cebfb7217bbe432d.exe	30
PID 2008 wrote to memory of 2564	2008	ae38314c5edc4938cebfb7217bbe432d.exe	30
PID 2008 wrote to memory of 2564	2008	ae38314c5edc4938cebfb7217bbe432d.exe	30

C:\Users\Admin\AppData\Local\Temp\ae38314c5edc4938cebfb7217bbe432d.exe
"C:\Users\Admin\AppData\Local\Temp\ae38314c5edc4938cebfb7217bbe432d.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\61642520.BAT
  2⤵
  - Deletes itself
  PID:2564

C:\Windows\system\smss.exe
C:\Windows\system\smss.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:2500

C:\Windows\61642520.BAT

Filesize
190B

MD5
cd695e4935721d3fba87a30f5e490444

SHA1
00a8687cc7b82a58097fe9567d37f148f32f3148

SHA256
176ba3469be719ef6f923194d4ae330fcd583139dbe94f5595bf12daccf032d0

SHA512
2fa0eeee4d5b4d9fc208f550ea6bdc0723e739fcccc247e2a9620203adfb1df07c505b164a68ab84729bf50a706a9bf980c46d8f811a792e492479e745de55bb

Download Submit
C:\Windows\system\smss.exe

Filesize
744KB

MD5
ae38314c5edc4938cebfb7217bbe432d

SHA1
e854446b5b1fb2edb22a1c9e1825d4202b9d32e2

SHA256
2c33d07c49cc9cffc472d27f20738a083aa22c2da47f1ef4975472466e3c3db0

SHA512
381920a7386a11afba6dded82989810ee7eeef796e82bf690bbb8839c0694021337d9346d913a20fc81944de8a4be742216713754d21f068b660b51491fc9076

Download Submit
memory/2008-0-0x0000000000400000-0x00000000004C2200-memory.dmp

Filesize
776KB

Download
memory/2008-1-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2008-15-0x0000000000400000-0x00000000004C2200-memory.dmp

Filesize
776KB

Download
memory/2096-5-0x0000000000400000-0x00000000004C2200-memory.dmp

Filesize
776KB

Download
memory/2096-6-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2096-17-0x0000000000400000-0x00000000004C2200-memory.dmp

Filesize
776KB

Download
memory/2096-19-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download