Analysis
max time kernel: 122s
max time network: 123s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64 arch:x86 image:win7-20240220-en locale:en-us os:windows7-x64 system
submitted: 13-03-2024 07:30
Static task: static1
  Signatures: 1
Behavioral task: behavioral1
  Sample: c551fdf9f60edd3149fbea55dbfc95af.exe
  Resource: win7-20240220-en (windows7-x64)
  Signatures: 6
  Duration: 150 seconds
Behavioral task: behavioral2
  Sample: c551fdf9f60edd3149fbea55dbfc95af.exe
  Resource: win10v2004-20240226-en (windows10-2004-x64)
  Signatures: 1
  Duration: 150 seconds
General
Target: c551fdf9f60edd3149fbea55dbfc95af.exe
Size: 134KB
MD5: c551fdf9f60edd3149fbea55dbfc95af
SHA1: 25a3962fd06c99544796e3cebd6090ff3d4ae9d1
SHA256: d00f605bbe583b8a5a8c51ba359c964991d5ede4f01aa77d088c8153dbdb6383
SHA512: 2fb4ade7afb37376cea2c43a12b893b3842042052f091551df3e15e9faf98409ca1b65e6e75452093a4efd7c9eeeebeebafeebe905f2287fe7aa96cf209d43c5
SSDEEP: 3072:SL/Rr46odCwyomuaegFM6T4x4iycUzI31zCvLim:w26oIFo45I3wTim
Score: 1/10
Malware Config
Signatures

Modifies registry class (8 IoCs; process: c551fdf9f60edd3149fbea55dbfc95af.exe in every entry)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\SoundRec\protocol
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\SoundRec\protocol\StdExecute
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\SoundRec\protocol\StdExecute\server\ = "sndrec32.exe"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\SoundRec\protocol\StdFileEditing\server
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\SoundRec\protocol\StdFileEditing
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\SoundRec\protocol\StdFileEditing\server\ = "sndrec32.exe"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\SoundRec\protocol\StdExecute\server
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\SoundRec

Suspicious behavior: EnumeratesProcesses (1 IoC)
- PID 3064 c551fdf9f60edd3149fbea55dbfc95af.exe

Suspicious behavior: MapViewOfSection (21 IoCs)
- PID 3064 c551fdf9f60edd3149fbea55dbfc95af.exe (all 21 entries are for this one process)

Suspicious use of AdjustPrivilegeToken (1 IoC)
- Token: SeDebugPrivilege, PID 3064 c551fdf9f60edd3149fbea55dbfc95af.exe

Suspicious use of SetWindowsHookEx (1 IoC)
- PID 3064 c551fdf9f60edd3149fbea55dbfc95af.exe

Suspicious use of WriteProcessMemory (63 IoCs)
The writer is PID 3064 c551fdf9f60edd3149fbea55dbfc95af.exe in every entry; each target PID is recorded three times (21 targets x 3 = 63). Target PID, with the report's procid_target index in parentheses:
- 384 (3)
- 400 (4)
- 436 (5)
- 480 (6)
- 496 (7)
- 504 (8)
- 604 (9)
- 680 (10)
- 760 (11)
- 820 (12)
- 856 (13)
- 968 (15)
- 276 (16)
- 1040 (17)
- 1064 (18)
- 1104 (19)
- 1112 (20)
- 1164 (21)
- 2044 (23)
- 2820 (24)
- 2908 (25)
Processes
Each entry is the image path, the command line in square brackets where it differs from the path, and the PID; indentation shows the parent/child relation.
- C:\Windows\system32\wininit.exe [wininit.exe]  PID:384
  - C:\Windows\system32\services.exe  PID:480
    - C:\Windows\system32\svchost.exe -k DcomLaunch  PID:604
      - C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}  PID:2044
    - C:\Windows\system32\svchost.exe -k RPCSS  PID:680
    - C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted  PID:760
    - C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted  PID:820
      - C:\Windows\system32\Dwm.exe ["C:\Windows\system32\Dwm.exe"]  PID:1040
    - C:\Windows\system32\svchost.exe -k netsvcs  PID:856
    - C:\Windows\system32\svchost.exe -k LocalService  PID:968
    - C:\Windows\system32\svchost.exe -k NetworkService  PID:276
    - C:\Windows\System32\spoolsv.exe  PID:1104
    - C:\Windows\system32\taskhost.exe ["taskhost.exe"]  PID:1112
    - C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork  PID:1164
    - C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation  PID:2820
    - C:\Windows\system32\sppsvc.exe  PID:2908
  - C:\Windows\system32\lsass.exe  PID:496
  - C:\Windows\system32\lsm.exe  PID:504
- C:\Windows\system32\csrss.exe [%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16]  PID:400
- C:\Windows\system32\winlogon.exe [winlogon.exe]  PID:436
- C:\Windows\Explorer.EXE  PID:1064
  - C:\Users\Admin\AppData\Local\Temp\c551fdf9f60edd3149fbea55dbfc95af.exe ["C:\Users\Admin\AppData\Local\Temp\c551fdf9f60edd3149fbea55dbfc95af.exe"]  PID:3064
    Signatures triggered by this process:
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory