3bd5e935b3a87f5a0b0f9e109b679c18a3735f3b9cbc6bd04bc542c4825614b8

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2024, 12:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b7610b29b6fc96eddab572de747c98c8.exe
Size

60KB
MD5

b7610b29b6fc96eddab572de747c98c8
SHA1

327aca62c2d66dfe51f0c74005ae3dc7d4d8daf9
SHA256

3bd5e935b3a87f5a0b0f9e109b679c18a3735f3b9cbc6bd04bc542c4825614b8
SHA512

8ad806c24a411ed7783c73250b20aef73843eea765822f35ff1f5692e36dff9351b157cf38474bf83ebfe0391deb9e393d9adf5b78c4dff3744b67d05fbf8d1c
SSDEEP

1536:uNRQcTTxRNwicE6GT0aXHTDA9Rb8CzWj1o4z:YQcVwgT0a3AXbvWj1o4

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
208	sript.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\sript.exe	b7610b29b6fc96eddab572de747c98c8.exe
File opened for modification	C:\Windows\SysWOW64\sript.exe	b7610b29b6fc96eddab572de747c98c8.exe

Kills process with taskkill 8 IoCs

evasion

pid	Process
2340	taskkill.exe
1436	taskkill.exe
1688	taskkill.exe
2416	taskkill.exe
992	taskkill.exe
1660	taskkill.exe
2552	taskkill.exe
716	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1208	b7610b29b6fc96eddab572de747c98c8.exe
1208	b7610b29b6fc96eddab572de747c98c8.exe
1208	b7610b29b6fc96eddab572de747c98c8.exe
1208	b7610b29b6fc96eddab572de747c98c8.exe
208	sript.exe
208	sript.exe
208	sript.exe
208	sript.exe
208	sript.exe
208	sript.exe
208	sript.exe
208	sript.exe
208	sript.exe
208	sript.exe
208	sript.exe
208	sript.exe
208	sript.exe
208	sript.exe
208	sript.exe
208	sript.exe
208	sript.exe
208	sript.exe
208	sript.exe
208	sript.exe
208	sript.exe
208	sript.exe
208	sript.exe
208	sript.exe
208	sript.exe
208	sript.exe
208	sript.exe
208	sript.exe
208	sript.exe
208	sript.exe
208	sript.exe
208	sript.exe
208	sript.exe
208	sript.exe
208	sript.exe
208	sript.exe
208	sript.exe
208	sript.exe
208	sript.exe
208	sript.exe
208	sript.exe
208	sript.exe
208	sript.exe
208	sript.exe
208	sript.exe
208	sript.exe
208	sript.exe
208	sript.exe
208	sript.exe
208	sript.exe
208	sript.exe
208	sript.exe
208	sript.exe
208	sript.exe
208	sript.exe
208	sript.exe
208	sript.exe
208	sript.exe
208	sript.exe
208	sript.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1208	b7610b29b6fc96eddab572de747c98c8.exe
Token: SeDebugPrivilege	2340	taskkill.exe
Token: SeDebugPrivilege	1436	taskkill.exe
Token: SeDebugPrivilege	716	taskkill.exe
Token: SeDebugPrivilege	1688	taskkill.exe
Token: SeDebugPrivilege	2416	taskkill.exe
Token: SeDebugPrivilege	992	taskkill.exe
Token: SeDebugPrivilege	1660	taskkill.exe
Token: SeDebugPrivilege	2552	taskkill.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 1208 wrote to memory of 3992	1208	b7610b29b6fc96eddab572de747c98c8.exe	90
PID 1208 wrote to memory of 3992	1208	b7610b29b6fc96eddab572de747c98c8.exe	90
PID 1208 wrote to memory of 3992	1208	b7610b29b6fc96eddab572de747c98c8.exe	90
PID 1208 wrote to memory of 3684	1208	b7610b29b6fc96eddab572de747c98c8.exe	91
PID 1208 wrote to memory of 3684	1208	b7610b29b6fc96eddab572de747c98c8.exe	91
PID 1208 wrote to memory of 3684	1208	b7610b29b6fc96eddab572de747c98c8.exe	91
PID 1208 wrote to memory of 4464	1208	b7610b29b6fc96eddab572de747c98c8.exe	92
PID 1208 wrote to memory of 4464	1208	b7610b29b6fc96eddab572de747c98c8.exe	92
PID 1208 wrote to memory of 4464	1208	b7610b29b6fc96eddab572de747c98c8.exe	92
PID 1208 wrote to memory of 1904	1208	b7610b29b6fc96eddab572de747c98c8.exe	93
PID 1208 wrote to memory of 1904	1208	b7610b29b6fc96eddab572de747c98c8.exe	93
PID 1208 wrote to memory of 1904	1208	b7610b29b6fc96eddab572de747c98c8.exe	93
PID 208 wrote to memory of 4456	208	sript.exe	99
PID 208 wrote to memory of 4456	208	sript.exe	99
PID 208 wrote to memory of 4456	208	sript.exe	99
PID 208 wrote to memory of 3844	208	sript.exe	100
PID 208 wrote to memory of 3844	208	sript.exe	100
PID 208 wrote to memory of 3844	208	sript.exe	100
PID 208 wrote to memory of 1568	208	sript.exe	101
PID 208 wrote to memory of 1568	208	sript.exe	101
PID 208 wrote to memory of 1568	208	sript.exe	101
PID 208 wrote to memory of 2228	208	sript.exe	102
PID 208 wrote to memory of 2228	208	sript.exe	102
PID 208 wrote to memory of 2228	208	sript.exe	102
PID 1208 wrote to memory of 2020	1208	b7610b29b6fc96eddab572de747c98c8.exe	105
PID 1208 wrote to memory of 2020	1208	b7610b29b6fc96eddab572de747c98c8.exe	105
PID 1208 wrote to memory of 2020	1208	b7610b29b6fc96eddab572de747c98c8.exe	105
PID 3684 wrote to memory of 716	3684	cmd.exe	108
PID 3684 wrote to memory of 716	3684	cmd.exe	108
PID 3684 wrote to memory of 716	3684	cmd.exe	108
PID 4456 wrote to memory of 2340	4456	cmd.exe	109
PID 4456 wrote to memory of 2340	4456	cmd.exe	109
PID 4456 wrote to memory of 2340	4456	cmd.exe	109
PID 3992 wrote to memory of 1436	3992	cmd.exe	110
PID 3992 wrote to memory of 1436	3992	cmd.exe	110
PID 3992 wrote to memory of 1436	3992	cmd.exe	110
PID 4464 wrote to memory of 1688	4464	cmd.exe	111
PID 4464 wrote to memory of 1688	4464	cmd.exe	111
PID 4464 wrote to memory of 1688	4464	cmd.exe	111
PID 1904 wrote to memory of 2416	1904	cmd.exe	112
PID 1904 wrote to memory of 2416	1904	cmd.exe	112
PID 1904 wrote to memory of 2416	1904	cmd.exe	112
PID 1568 wrote to memory of 992	1568	cmd.exe	113
PID 1568 wrote to memory of 992	1568	cmd.exe	113
PID 1568 wrote to memory of 992	1568	cmd.exe	113
PID 2228 wrote to memory of 1660	2228	cmd.exe	114
PID 2228 wrote to memory of 1660	2228	cmd.exe	114
PID 2228 wrote to memory of 1660	2228	cmd.exe	114
PID 3844 wrote to memory of 2552	3844	cmd.exe	115
PID 3844 wrote to memory of 2552	3844	cmd.exe	115
PID 3844 wrote to memory of 2552	3844	cmd.exe	115

C:\Users\Admin\AppData\Local\Temp\b7610b29b6fc96eddab572de747c98c8.exe
"C:\Users\Admin\AppData\Local\Temp\b7610b29b6fc96eddab572de747c98c8.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1208
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im rfwmain.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3992
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rfwmain.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1436
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im rfwsrv.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3684
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rfwsrv.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:716
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im rfwstub.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4464
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rfwstub.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1688
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im rfwproxy.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1904
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rfwproxy.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2416
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\B7610B~1.EXE > nul
  2⤵
  PID:2020

C:\Windows\SysWOW64\sript.exe
C:\Windows\SysWOW64\sript.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:208
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im rfwmain.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4456
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rfwmain.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2340
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im rfwsrv.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3844
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rfwsrv.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2552
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im rfwstub.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1568
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rfwstub.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:992
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im rfwproxy.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2228
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rfwproxy.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1660

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\sript.exe

Filesize
60KB

MD5
b7610b29b6fc96eddab572de747c98c8

SHA1
327aca62c2d66dfe51f0c74005ae3dc7d4d8daf9

SHA256
3bd5e935b3a87f5a0b0f9e109b679c18a3735f3b9cbc6bd04bc542c4825614b8

SHA512
8ad806c24a411ed7783c73250b20aef73843eea765822f35ff1f5692e36dff9351b157cf38474bf83ebfe0391deb9e393d9adf5b78c4dff3744b67d05fbf8d1c

Download Submit