7d00e776beae8174766c0f23eb6ffd45be9a1a363f9e99d8730d3fa124c7da5e

Analysis

max time kernel
2s
max time network
7s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
13/03/2024, 09:31

Target

c58715637ad798caaf07dcb2656e3ebe.exe
Size

22KB
MD5

c58715637ad798caaf07dcb2656e3ebe
SHA1

252126360690e7711e4087913d53a66aba17d604
SHA256

7d00e776beae8174766c0f23eb6ffd45be9a1a363f9e99d8730d3fa124c7da5e
SHA512

993080d3cea005aa6c6cdd64f3efdcfb93dfda48b608da234dff5dd46990f244275eba1b9782e4767c2e80bd5511f4dd7374ba292c3e33ee640b3caf6d346904
SSDEEP

384:AX3yCe0wo1uEIAEIFB2SEnApeUT1ATeZKKGo9LBrRBVbOeQw9wqS7AGKha:UEJBAEIFBbENI1Ay0K1BBrrhTwqoKh

Score

8^/10

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	c58715637ad798caaf07dcb2656e3ebe.exe

Executes dropped EXE 1 IoCs

pid	Process
2872	ntsys.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\ntsys.exe	c58715637ad798caaf07dcb2656e3ebe.exe
File created	C:\Windows\ntkros.dll	c58715637ad798caaf07dcb2656e3ebe.exe
File opened for modification	C:\Windows\ntsys.exe	c58715637ad798caaf07dcb2656e3ebe.exe
File opened for modification	C:\Windows\ntkros.dll	c58715637ad798caaf07dcb2656e3ebe.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2304	c58715637ad798caaf07dcb2656e3ebe.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 2872	2304	c58715637ad798caaf07dcb2656e3ebe.exe	28
PID 2304 wrote to memory of 2872	2304	c58715637ad798caaf07dcb2656e3ebe.exe	28
PID 2304 wrote to memory of 2872	2304	c58715637ad798caaf07dcb2656e3ebe.exe	28
PID 2304 wrote to memory of 2872	2304	c58715637ad798caaf07dcb2656e3ebe.exe	28
PID 2304 wrote to memory of 2936	2304	c58715637ad798caaf07dcb2656e3ebe.exe	29
PID 2304 wrote to memory of 2936	2304	c58715637ad798caaf07dcb2656e3ebe.exe	29
PID 2304 wrote to memory of 2936	2304	c58715637ad798caaf07dcb2656e3ebe.exe	29
PID 2304 wrote to memory of 2936	2304	c58715637ad798caaf07dcb2656e3ebe.exe	29

C:\Users\Admin\AppData\Local\Temp\c58715637ad798caaf07dcb2656e3ebe.exe
"C:\Users\Admin\AppData\Local\Temp\c58715637ad798caaf07dcb2656e3ebe.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Windows\ntsys.exe
  "C:\Windows\ntsys.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2872
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C58715~1.EXE > nul
  2⤵
  PID:2936

C:\Windows\ntkros.dll

Filesize
13KB

MD5
7d603dfd94f1d38d647c497d7dce4747

SHA1
5356cd4dc1efba6c131c3082f6b61febe8662823

SHA256
2c773572da1f373f5cc427ce95fb50200b168264849ad80d8a39b2b8df50ca01

SHA512
89e0c204a3ffb37ff0c9e73f2564a05e197d50d5024f1b6a0981c8bbcfa888cc1b44cf4dfe8f8f33edb3e25dd8c22d1abeab46468ee6e1d601b190372aadb78c

Download Submit
C:\Windows\ntsys.exe

Filesize
7KB

MD5
820232ceadafae815dfeb18359297be4

SHA1
c86e4192a183f26ffba6460b8806409f4140f537

SHA256
8f1fe4437ead74dd2f3e4aad99e3645b91441fda7ed04b44325ec7b9af032068

SHA512
c843e1425dc7c33991a958518a9dd365aeed5381617aa943d4e4a321c73c8d459fea702c81a946404e0957749b5acc7c84a322e1b1e6e74cd91f1fc316fa62f4

Download Submit
memory/2304-0-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download