6e37719795dcaa145f5a010a733325c4e522e4b175b82ad62d0e918117775a44

Analysis

max time kernel
130s
max time network
141s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
07/03/2024, 16:53

Target

b9316b71bfc22b42ed355d054e5fce96.exe
Size

497KB
MD5

b9316b71bfc22b42ed355d054e5fce96
SHA1

7da2fdfdbcccc7b4affe3f3eb9eb385bd33b0fdb
SHA256

6e37719795dcaa145f5a010a733325c4e522e4b175b82ad62d0e918117775a44
SHA512

900dc8e36dfac0f401744585ab734bf23b4f3154bb55b6340eb2b7e8efb136c1bf5af865ce89fd6fd18b6a5b0b99f6f3b3154fe603e873778142363d01519712
SSDEEP

12288:wQaGtAC2tT/N5Nnt4IrmenbO/DiyAK5xURXjB4vPvLLRQ:DbtF2NF5Nnt4EmeK+pK0RT2HvLNQ

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
2300	svchost.exe -k

Loads dropped DLL 4 IoCs

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\svchost.exe -k	b9316b71bfc22b42ed355d054e5fce96.exe
File opened for modification	C:\Windows\svchost.exe -k	b9316b71bfc22b42ed355d054e5fce96.exe
File created	C:\Windows\DELME.BAT	b9316b71bfc22b42ed355d054e5fce96.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2632	2320	WerFault.exe	28

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2320	b9316b71bfc22b42ed355d054e5fce96.exe
Token: SeDebugPrivilege	2300	svchost.exe -k

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2300	svchost.exe -k

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 2088	2300	svchost.exe -k	30
PID 2300 wrote to memory of 2088	2300	svchost.exe -k	30
PID 2300 wrote to memory of 2088	2300	svchost.exe -k	30
PID 2300 wrote to memory of 2088	2300	svchost.exe -k	30
PID 2320 wrote to memory of 2632	2320	b9316b71bfc22b42ed355d054e5fce96.exe	31
PID 2320 wrote to memory of 2632	2320	b9316b71bfc22b42ed355d054e5fce96.exe	31
PID 2320 wrote to memory of 2632	2320	b9316b71bfc22b42ed355d054e5fce96.exe	31
PID 2320 wrote to memory of 2632	2320	b9316b71bfc22b42ed355d054e5fce96.exe	31

C:\Windows\svchost.exe -k
"C:\Windows\svchost.exe -k"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Program Files\Internet ExploreR\IEXPLORE.EXE
  "C:\Program Files\Internet ExploreR\IEXPLORE.EXE"
  2⤵
  PID:2088

C:\Windows\svchost.exe -k

Filesize
497KB

MD5
b9316b71bfc22b42ed355d054e5fce96

SHA1
7da2fdfdbcccc7b4affe3f3eb9eb385bd33b0fdb

SHA256
6e37719795dcaa145f5a010a733325c4e522e4b175b82ad62d0e918117775a44

SHA512
900dc8e36dfac0f401744585ab734bf23b4f3154bb55b6340eb2b7e8efb136c1bf5af865ce89fd6fd18b6a5b0b99f6f3b3154fe603e873778142363d01519712

Download Submit
memory/2300-5-0x0000000000400000-0x0000000000550000-memory.dmp

Filesize
1.3MB

Download
memory/2300-6-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2300-13-0x0000000000400000-0x0000000000550000-memory.dmp

Filesize
1.3MB

Download
memory/2300-14-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2320-0-0x0000000000400000-0x0000000000550000-memory.dmp

Filesize
1.3MB

Download
memory/2320-1-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2320-12-0x0000000000400000-0x0000000000550000-memory.dmp

Filesize
1.3MB

Download