463941e73ca7d480f0dc88833eaa7a9cb33807d1ac35fe7872803a442cd8aa95

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
14/03/2024, 23:29

Target

c9e76d9d78a66390b806601b94fb766b.exe
Size

742KB
MD5

c9e76d9d78a66390b806601b94fb766b
SHA1

7b06831ca0e17aec6b3ef6922a482489faf0201b
SHA256

463941e73ca7d480f0dc88833eaa7a9cb33807d1ac35fe7872803a442cd8aa95
SHA512

fb8a971761802fa5ce0a1934cd211d92e06d097c65d3da920520ff1188f6f7dd0e5eafee5c50a1cdb4d359f3b2cbbac3839fc0147acdd987ec99f6f87639b174
SSDEEP

12288:ARyTY+2U4uan/8RdW5A0zyxuJwQ5oAlK+Gx/vZuIkAbQQ52LYRg08y5rDRz:k6iU4ucwdW5A2RJr/k3/vcIkA33P

Score

7^/10

Deletes itself 1 IoCs

pid	Process
2096	cmd.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\uninstal.BAT	c9e76d9d78a66390b806601b94fb766b.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\pRogram FilesD:\Program Files\Windows.com.cn.exe	c9e76d9d78a66390b806601b94fb766b.exe
File opened for modification	C:\pRogram FilesD:\Program Files\Windows.com.cn.exe	c9e76d9d78a66390b806601b94fb766b.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1972	c9e76d9d78a66390b806601b94fb766b.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 2096	1972	c9e76d9d78a66390b806601b94fb766b.exe	28
PID 1972 wrote to memory of 2096	1972	c9e76d9d78a66390b806601b94fb766b.exe	28
PID 1972 wrote to memory of 2096	1972	c9e76d9d78a66390b806601b94fb766b.exe	28
PID 1972 wrote to memory of 2096	1972	c9e76d9d78a66390b806601b94fb766b.exe	28
PID 1972 wrote to memory of 2096	1972	c9e76d9d78a66390b806601b94fb766b.exe	28
PID 1972 wrote to memory of 2096	1972	c9e76d9d78a66390b806601b94fb766b.exe	28
PID 1972 wrote to memory of 2096	1972	c9e76d9d78a66390b806601b94fb766b.exe	28

C:\Users\Admin\AppData\Local\Temp\c9e76d9d78a66390b806601b94fb766b.exe
"C:\Users\Admin\AppData\Local\Temp\c9e76d9d78a66390b806601b94fb766b.exe"
1⤵
- Drops file in Windows directory
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\uninstal.BAT
  2⤵
  - Deletes itself
  PID:2096

C:\Windows\uninstal.BAT

Filesize
190B

MD5
48d925b8f3d237429bdba6a6e061737b

SHA1
5b0782826ec40440173f8a0421234e791d9d1b89

SHA256
4b240828db23f8a6af6e359392209d77e042830254718eef8bc5dc020162b510

SHA512
a1e952ed85f4949efe644ecfbb880fc6d7e748ad4bff168c556ab30b12755fbbce600db7de185a0133884f016ed2211f5f342cf387b024041646c02d3ab31bb2

Download Submit
memory/1972-0-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1972-1-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1972-9-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download