36f011d3dfc20da567a3eda3d14feb1232f29b0fa935a923bbc5ba3c95ae66ba

Analysis

max time kernel
150s
max time network
127s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16/03/2024, 04:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cd1b42e0e484634e0e96b61472d58203.exe
Size

16.6MB
MD5

cd1b42e0e484634e0e96b61472d58203
SHA1

d6e1aa2769f8f9da2294a5fadc5bff5bdc59b4ee
SHA256

36f011d3dfc20da567a3eda3d14feb1232f29b0fa935a923bbc5ba3c95ae66ba
SHA512

711270024853d8f379ecef9e8cae8e4c1204337d41d86c80b21541bd0b884f3293686577360f38ca3df05ec5addfa3d4f83585ae1d00e58de9ff4e68ed58e331
SSDEEP

12288:2GzQYR4IeaAVB6ETW82Ku8UKfdndr5P5aRf+pNg9Bvkt0P5aRf+pNg9Bvkt0P5a6:28lgaAVB6evW8UKlndr9777777777N

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2760	gghiijj.exe

Loads dropped DLL 2 IoCs

pid	Process
2232	cd1b42e0e484634e0e96b61472d58203.exe
2232	cd1b42e0e484634e0e96b61472d58203.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Help\upbiran.ini	cd1b42e0e484634e0e96b61472d58203.exe
File created	C:\Windows\SysWOW64\Help\1.fjmorst	cd1b42e0e484634e0e96b61472d58203.exe
File created	C:\Windows\SysWOW64\Help\2.fjmorst	cd1b42e0e484634e0e96b61472d58203.exe
File created	C:\Windows\SysWOW64\fjmorst\fjmorst\tuuvwww\m.ini	cd1b42e0e484634e0e96b61472d58203.exe
File created	C:\Windows\SysWOW64\fjmorst\fjmorst\tuuvwww\gghiijj.exe	cd1b42e0e484634e0e96b61472d58203.exe
File opened for modification	C:\Windows\SysWOW64\fjmorst\fjmorst\tuuvwww\gghiijj.exe	cd1b42e0e484634e0e96b61472d58203.exe
File created	C:\Windows\system32\spool\DRIVERS\W32X86\3\jmorstf\jmorstf.exe	cd1b42e0e484634e0e96b61472d58203.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2760 set thread context of 2532	2760	gghiijj.exe	29

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Help\fjmorst.hlp	cd1b42e0e484634e0e96b61472d58203.exe
File created	C:\Windows\2.ini	cd1b42e0e484634e0e96b61472d58203.exe
File opened for modification	C:\Windows\	cd1b42e0e484634e0e96b61472d58203.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2232	cd1b42e0e484634e0e96b61472d58203.exe
2232	cd1b42e0e484634e0e96b61472d58203.exe
2232	cd1b42e0e484634e0e96b61472d58203.exe
2232	cd1b42e0e484634e0e96b61472d58203.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2232	cd1b42e0e484634e0e96b61472d58203.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2760	2232	cd1b42e0e484634e0e96b61472d58203.exe	28
PID 2232 wrote to memory of 2760	2232	cd1b42e0e484634e0e96b61472d58203.exe	28
PID 2232 wrote to memory of 2760	2232	cd1b42e0e484634e0e96b61472d58203.exe	28
PID 2232 wrote to memory of 2760	2232	cd1b42e0e484634e0e96b61472d58203.exe	28
PID 2760 wrote to memory of 2532	2760	gghiijj.exe	29
PID 2760 wrote to memory of 2532	2760	gghiijj.exe	29
PID 2760 wrote to memory of 2532	2760	gghiijj.exe	29
PID 2760 wrote to memory of 2532	2760	gghiijj.exe	29
PID 2760 wrote to memory of 2532	2760	gghiijj.exe	29
PID 2760 wrote to memory of 2532	2760	gghiijj.exe	29

C:\Users\Admin\AppData\Local\Temp\cd1b42e0e484634e0e96b61472d58203.exe
"C:\Users\Admin\AppData\Local\Temp\cd1b42e0e484634e0e96b61472d58203.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Windows\SysWOW64\fjmorst\fjmorst\tuuvwww\gghiijj.exe
  C:\Windows\system32\fjmorst\fjmorst\tuuvwww\gghiijj.exe -close
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe -NetworkService
    3⤵
    PID:2532

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Help\1.fjmorst

Filesize
26B

MD5
8b7a9e68b11c5c1fbf1aefbc7865a340

SHA1
818e73df0641c2dd2629d786c4a6019d269cc24f

SHA256
515e4369070ec802fa78ec627bad97c201d2c62a53e0db77ddee44baa677c820

SHA512
c428bbab8b8675651338301e4595bcf4860ee6de5402799903f42f0e6e6c82f7f62c8d77269eda0efb3776020fd4979595529c42ae8571da6efcf354be537c1f

Download Submit
C:\Windows\SysWOW64\Help\2.fjmorst

Filesize
18B

MD5
2649eddeb064414c775c6aedf625108d

SHA1
bb6cc26272f2c14138eefb5b6195599cbb894353

SHA256
ca0a9f11a77c9e17f0cca943644c3a29ccc9d3eb52e57e616ec0f375f46e8758

SHA512
949ff6c90f8b3d8d030882b5fc2c8f890f2730b79970e09f23f2c3d23aa8323fddf68eee37ab053fd9a9c37a46db7e9e6f7a831f4ee2afe54e8631f3b1f0cff8

Download Submit
C:\Windows\SysWOW64\Help\upbiran.ini

Filesize
18B

MD5
bca421559cc8ae5b290981e98617c4e6

SHA1
b040b53c9c8e9f6e2111b83d8b23d6292f10a049

SHA256
4c47c7f2da20f1d183e8232e4233add5b60820c0baa057c4d37ac0742c2afb8a

SHA512
7ea695506e9c6592f5f72946fc3752001cdbb13178e4fc04dd2cc8c77c48a26f61fbd1304134b6890cc5cd916268853e33ecb1cb74a885b29bd058ad489f1393

Download Submit
C:\Windows\SysWOW64\fjmorst\fjmorst\tuuvwww\gghiijj.exe

Filesize
1.1MB

MD5
808ffefaaec4e8e361341709f1ad8b2f

SHA1
3c42a11735966f2d29caab38a58eb1d0f89154db

SHA256
5c3f4f3fd4a02bf458165b04c8313c45aac7b8ae938429ee5b1a04bd4cd50ea5

SHA512
c7d440c6dc6c44a2e9d769c4fda707679ba88e6bf31056fe75bab969ab3cd4bde9a49e85ab922f819e8fdf1c8a9ae4b73e06159c83d2507527fe4095818b920c

Download Submit
C:\Windows\SysWOW64\fjmorst\fjmorst\tuuvwww\gghiijj.exe

Filesize
9.2MB

MD5
08a706a1e30d42badc2da8783a674eb9

SHA1
bb98dbd234d8a869b9bcd87f32b4757781181358

SHA256
08747e99e34b718bc1054231d6794325f374056732c5da07f79e7cafae7011ca

SHA512
17f937e37156e37f22205caa60f71d6032e13f810aed660cad8a41752f23b5ad6914346f7981034b3eba002593be2ba2b34424b62cfa523d8d536ee8fead2b04

Download Submit
C:\Windows\SysWOW64\fjmorst\fjmorst\tuuvwww\m.ini

Filesize
128B

MD5
a1a717ca8d7abdd5b4ab01bbf3c6e142

SHA1
75790365af7604eaf5d2fd543e41de43ce49ee26

SHA256
f2a62ac399d5e2bab992aee6a56777cd7b242585e759db92f6adddbab40d9960

SHA512
e04fbf91ad3944bbf4c10bb591903a19de6238c0ba31167b3f7cd7de30c1cf3fd9aa8afcbd8bd588e853f0f944471c5e68a42f0f637e5f4259313522b2d28444

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\jmorstf\jmorstf000.IMD

Filesize
1.2MB

MD5
c45686d252e927d4f07f961bb7395684

SHA1
06ce9bf176ca39ee82d790db5698bb2e571dea89

SHA256
d8fe1e7be2238a0236ad70185603ce318ffdc7c64a4f166019598b8117dfcb41

SHA512
1cd83ae5991f711d327e2036bf377b590780c411cfb0e2968337b5eddd62e9766f212a220edcbc9ae67d0e6cedbc0c7ba42024bd4a769ca82e42a6df50fc980c

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\jmorstf\jmorstf001.IMD

Filesize
1.7MB

MD5
575bcaa6693cf5ded045668a3111f7c2

SHA1
919197ef061c66cfd6e79da251d46ac78c7225ee

SHA256
a6b5b8c707bbbb3decfad31734ef6dc40d3ee8dddd1c7198763e23b20d251d7d

SHA512
80ea5eeb6d93caab02391cc2f59c76b0e4aada896b542744772dbfe958cb2b3403d9878208c0bb4413d9b2e667528a7cb3ed41c7bca46ac88af63340a251468e

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\jmorstf\jmorstf002.IMD

Filesize
1.7MB

MD5
230d08152c62fd6e96f2905b377e2c26

SHA1
ea743bbbaf71067fd2429470be512098fe980e3b

SHA256
5addb64d50acbafc0316a2be046e81cf84db297d420ae0e028444fb05e2fa5fc

SHA512
2ce4e4ad5e36f8e6b2668cd50c2dcb6ebec8836fce53ea8ee375afbb0444b1369a7aee78d10712092ac1e10775bda7a53c62c2dcc9d9481c5523286132826c6c

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\jmorstf\jmorstf003.IMD

Filesize
1.7MB

MD5
77bcccf0a9ed252043a7b3b450307cab

SHA1
eaaf037a2c12b19fe59107a2547ef7d205fb6f1e

SHA256
2c69ab92a24a5bf5ce3842c0ba8a7efe22189592a6a2f2d44ec19654aeb7c02e

SHA512
56b0ae58a1bf05e1f4e0ad3a9e98c6dd45d9ae0d2f310a364480bdd9445ce3a3031cfc64264df70945908131274a59a2697626dfe10df2f0d94f94bf5154fc91

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\jmorstf\jmorstf004.IMD

Filesize
1.7MB

MD5
085958b62e00e67ba4113ada450609c1

SHA1
d551f70a355b36d5fc0545c402c257fd7c641268

SHA256
1b7058085469dec5504c47a6fc837e22c34670613643fdab50e65ed399382300

SHA512
bbbdbfa02d36ed6351dce7e4ecdefc356d2c0b9c71eac1f5158b58125d2726a19aa7e85566b61276cb0b281ec1a839969b0bc0e6e62b947136a2fa63e83407b5

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\jmorstf\jmorstf005.IMD

Filesize
1.7MB

MD5
0c82424143be7bf3f72d62869361cfb4

SHA1
b69c486eed53598465f3c50bc2da5b4ea140b090

SHA256
23e2663eaa8de2631c6ddb7cff51c12c8394f6c6350c336829f41189c9122a03

SHA512
dc07b4ca327f175419aada0454917c441876ee706c3bcfc6047385a95961b09752108e0fa1eb21938ca6e20c9114ad613bba622a6f76815ef8a6e1508315fff6

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\jmorstf\jmorstf006.IMD

Filesize
1.7MB

MD5
85fedb76a9af6bf2c5d4e59b48056369

SHA1
e8915bfe4df2ebfc686b63c25d242e9d583349e7

SHA256
accb3155a2fd08db4cdc251dac16d193eb1b615d5a2a1cfdc5937de4c755762e

SHA512
92ebadc4e9575c346e099b1a276045b6de96ced1a53aec9a5e0d266b34eeb33147b49a39d0c972e58e48c021b1482bca4fa5810ab799e260e82b658407a0809b

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\jmorstf\jmorstf007.IMD

Filesize
1.7MB

MD5
a6af9ea60508a893f68a71190ae8d2c3

SHA1
a3530f9c11e557ec6c30aaaee67e64a7d8cb1694

SHA256
0002f98e257fe3381bd890fadbd4b9a0b29b7ce9caaf8d30650a4337cb2da435

SHA512
9140233b1b30daf028cd90319204c3d4f433636f2e77418def4b94d61c44726fdee68c0a7bd443d3d6698865914d99117309e577aee799b9599eb19a36091680

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\jmorstf\jmorstf008.IMD

Filesize
1.7MB

MD5
db80c34d203ac42d8f0dd8e7940b612d

SHA1
61a4e268dc9ce50bdf62497820eff56586de2b05

SHA256
c284a1891ed875e6c5a0efa46191c79f822e4796f10b5dc0cbb8ee04a00aea08

SHA512
52cb9720be0f28dc54641ee552a7bf086cb9c38f145f0a666e024daec5f70639b8e1f3071f37339ab63df36efedf19014b06d1eb92cf45392535c34711fd28a1

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\jmorstf\jmorstf009.IMD

Filesize
1.7MB

MD5
da024f186fb5c86f6e77f3f7422e629c

SHA1
8630b58b889d1a3367dfcbe7acb0ab0a4ad08bba

SHA256
7b45b08f7e3d694615dc0ee517954cc554e0de34bd6a15020673c18cac7a0b54

SHA512
23a8f685ea47d968151846927cdbae0e565758e49c9741636c431026394f6741c65010063f8b4195f100cc8ed822112003934b726d69412e3b8ea7deb21a6199

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\jmorstf\jmorstf010.IMD

Filesize
2B

MD5
2b9d4fa85c8e82132bde46b143040142

SHA1
a02431cf7c501a5b368c91e41283419d8fa9fb03

SHA256
4658d6abbbaf7748c172ed5a3e003cdb8997648f88724834e41f75e54520e142

SHA512
c37f27b442d578e94db6e5d879d026b0b3457f42b99ec56a9cb6fca3161540a32e207b942ef2ddb7be01fa9245ba4d8c859978a0f9a498c1ad8aa46d0890e6be

Download Submit
\Windows\SysWOW64\fjmorst\fjmorst\tuuvwww\gghiijj.exe

Filesize
5.8MB

MD5
8b63ab0c23ef73afd43f37c92d702e5e

SHA1
78d5535f2505f7b1e1b687bf02e222a8c8fad501

SHA256
54c89a2dfcf737990c916a6d52b1669e03b22429c8b294ac198e75afd3b2fbf6

SHA512
9d93f0c659767b3afdc912b886b9a20949e90169539a97257d2d7c3f7549eed8d30a2dc37cf3a2d7cd603ed43d8a52f0ccd8dddf066cca2a3b3f7c735b316e0d

Download Submit
\Windows\SysWOW64\fjmorst\fjmorst\tuuvwww\gghiijj.exe

Filesize
10.1MB

MD5
2a0599bb13549d56a55822144ae12705

SHA1
7e21f68945ced0e680ab3e04eda2df1991793277

SHA256
be2bb7d9044d2cf0b788a6f0f7cf5ad73500b2c8c1c30c1ce6e9f316f5053f59

SHA512
0b4730bd847c441862c6898f2451cb32d938679d438c89554265e75cba4c0297804b5cea930596d40b02736536c729756ef3ca1f66fd3045013ef7715921e90b

Download Submit
memory/2232-71-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2232-56-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2232-76-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2232-75-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2232-74-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2232-73-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2232-64-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2232-65-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2232-66-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2232-67-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2232-68-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2232-69-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2232-70-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2232-72-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2532-59-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2532-61-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2532-57-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2760-63-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download