ef2467f555135c068532ebdd2307e1457f1af60a8682ac998ba581b3133dd514

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
18/03/2024, 15:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d3da4a3513462f955493c3c1d3f74bca.exe
Size

85KB
MD5

d3da4a3513462f955493c3c1d3f74bca
SHA1

9956a5e0fff6fd1a19599836e4c6068602eaa2c2
SHA256

ef2467f555135c068532ebdd2307e1457f1af60a8682ac998ba581b3133dd514
SHA512

e481b6b5a69b1b2ef96bb05559bfd62fa707da9fba0f479d169ce676b2b80798502572bb482659d123ad466451f9a6ac3e265b2a7228bcaaa9d8fbfdd7eb678c
SSDEEP

1536:RFwOnbNQKLjWDyy1o5I06JUEbooPRrKKR8fWA4UcNMVO7A:dNQKPWDyDI06JltZrpR8fdBpg

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2208	d3da4a3513462f955493c3c1d3f74bca.exe

Suspicious behavior: MapViewOfSection 21 IoCs

pid	Process
2208	d3da4a3513462f955493c3c1d3f74bca.exe
2208	d3da4a3513462f955493c3c1d3f74bca.exe
2208	d3da4a3513462f955493c3c1d3f74bca.exe
2208	d3da4a3513462f955493c3c1d3f74bca.exe
2208	d3da4a3513462f955493c3c1d3f74bca.exe
2208	d3da4a3513462f955493c3c1d3f74bca.exe
2208	d3da4a3513462f955493c3c1d3f74bca.exe
2208	d3da4a3513462f955493c3c1d3f74bca.exe
2208	d3da4a3513462f955493c3c1d3f74bca.exe
2208	d3da4a3513462f955493c3c1d3f74bca.exe
2208	d3da4a3513462f955493c3c1d3f74bca.exe
2208	d3da4a3513462f955493c3c1d3f74bca.exe
2208	d3da4a3513462f955493c3c1d3f74bca.exe
2208	d3da4a3513462f955493c3c1d3f74bca.exe
2208	d3da4a3513462f955493c3c1d3f74bca.exe
2208	d3da4a3513462f955493c3c1d3f74bca.exe
2208	d3da4a3513462f955493c3c1d3f74bca.exe
2208	d3da4a3513462f955493c3c1d3f74bca.exe
2208	d3da4a3513462f955493c3c1d3f74bca.exe
2208	d3da4a3513462f955493c3c1d3f74bca.exe
2208	d3da4a3513462f955493c3c1d3f74bca.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2208	d3da4a3513462f955493c3c1d3f74bca.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 372	2208	d3da4a3513462f955493c3c1d3f74bca.exe	3
PID 2208 wrote to memory of 372	2208	d3da4a3513462f955493c3c1d3f74bca.exe	3
PID 2208 wrote to memory of 372	2208	d3da4a3513462f955493c3c1d3f74bca.exe	3
PID 2208 wrote to memory of 372	2208	d3da4a3513462f955493c3c1d3f74bca.exe	3
PID 2208 wrote to memory of 372	2208	d3da4a3513462f955493c3c1d3f74bca.exe	3
PID 2208 wrote to memory of 372	2208	d3da4a3513462f955493c3c1d3f74bca.exe	3
PID 2208 wrote to memory of 380	2208	d3da4a3513462f955493c3c1d3f74bca.exe	4
PID 2208 wrote to memory of 380	2208	d3da4a3513462f955493c3c1d3f74bca.exe	4
PID 2208 wrote to memory of 380	2208	d3da4a3513462f955493c3c1d3f74bca.exe	4
PID 2208 wrote to memory of 380	2208	d3da4a3513462f955493c3c1d3f74bca.exe	4
PID 2208 wrote to memory of 380	2208	d3da4a3513462f955493c3c1d3f74bca.exe	4
PID 2208 wrote to memory of 380	2208	d3da4a3513462f955493c3c1d3f74bca.exe	4
PID 2208 wrote to memory of 420	2208	d3da4a3513462f955493c3c1d3f74bca.exe	5
PID 2208 wrote to memory of 420	2208	d3da4a3513462f955493c3c1d3f74bca.exe	5
PID 2208 wrote to memory of 420	2208	d3da4a3513462f955493c3c1d3f74bca.exe	5
PID 2208 wrote to memory of 420	2208	d3da4a3513462f955493c3c1d3f74bca.exe	5
PID 2208 wrote to memory of 420	2208	d3da4a3513462f955493c3c1d3f74bca.exe	5
PID 2208 wrote to memory of 420	2208	d3da4a3513462f955493c3c1d3f74bca.exe	5
PID 2208 wrote to memory of 464	2208	d3da4a3513462f955493c3c1d3f74bca.exe	6
PID 2208 wrote to memory of 464	2208	d3da4a3513462f955493c3c1d3f74bca.exe	6
PID 2208 wrote to memory of 464	2208	d3da4a3513462f955493c3c1d3f74bca.exe	6
PID 2208 wrote to memory of 464	2208	d3da4a3513462f955493c3c1d3f74bca.exe	6
PID 2208 wrote to memory of 464	2208	d3da4a3513462f955493c3c1d3f74bca.exe	6
PID 2208 wrote to memory of 464	2208	d3da4a3513462f955493c3c1d3f74bca.exe	6
PID 2208 wrote to memory of 480	2208	d3da4a3513462f955493c3c1d3f74bca.exe	7
PID 2208 wrote to memory of 480	2208	d3da4a3513462f955493c3c1d3f74bca.exe	7
PID 2208 wrote to memory of 480	2208	d3da4a3513462f955493c3c1d3f74bca.exe	7
PID 2208 wrote to memory of 480	2208	d3da4a3513462f955493c3c1d3f74bca.exe	7
PID 2208 wrote to memory of 480	2208	d3da4a3513462f955493c3c1d3f74bca.exe	7
PID 2208 wrote to memory of 480	2208	d3da4a3513462f955493c3c1d3f74bca.exe	7
PID 2208 wrote to memory of 488	2208	d3da4a3513462f955493c3c1d3f74bca.exe	8
PID 2208 wrote to memory of 488	2208	d3da4a3513462f955493c3c1d3f74bca.exe	8
PID 2208 wrote to memory of 488	2208	d3da4a3513462f955493c3c1d3f74bca.exe	8
PID 2208 wrote to memory of 488	2208	d3da4a3513462f955493c3c1d3f74bca.exe	8
PID 2208 wrote to memory of 488	2208	d3da4a3513462f955493c3c1d3f74bca.exe	8
PID 2208 wrote to memory of 488	2208	d3da4a3513462f955493c3c1d3f74bca.exe	8
PID 2208 wrote to memory of 584	2208	d3da4a3513462f955493c3c1d3f74bca.exe	9
PID 2208 wrote to memory of 584	2208	d3da4a3513462f955493c3c1d3f74bca.exe	9
PID 2208 wrote to memory of 584	2208	d3da4a3513462f955493c3c1d3f74bca.exe	9
PID 2208 wrote to memory of 584	2208	d3da4a3513462f955493c3c1d3f74bca.exe	9
PID 2208 wrote to memory of 584	2208	d3da4a3513462f955493c3c1d3f74bca.exe	9
PID 2208 wrote to memory of 584	2208	d3da4a3513462f955493c3c1d3f74bca.exe	9
PID 2208 wrote to memory of 664	2208	d3da4a3513462f955493c3c1d3f74bca.exe	10
PID 2208 wrote to memory of 664	2208	d3da4a3513462f955493c3c1d3f74bca.exe	10
PID 2208 wrote to memory of 664	2208	d3da4a3513462f955493c3c1d3f74bca.exe	10
PID 2208 wrote to memory of 664	2208	d3da4a3513462f955493c3c1d3f74bca.exe	10
PID 2208 wrote to memory of 664	2208	d3da4a3513462f955493c3c1d3f74bca.exe	10
PID 2208 wrote to memory of 664	2208	d3da4a3513462f955493c3c1d3f74bca.exe	10
PID 2208 wrote to memory of 756	2208	d3da4a3513462f955493c3c1d3f74bca.exe	11
PID 2208 wrote to memory of 756	2208	d3da4a3513462f955493c3c1d3f74bca.exe	11
PID 2208 wrote to memory of 756	2208	d3da4a3513462f955493c3c1d3f74bca.exe	11
PID 2208 wrote to memory of 756	2208	d3da4a3513462f955493c3c1d3f74bca.exe	11
PID 2208 wrote to memory of 756	2208	d3da4a3513462f955493c3c1d3f74bca.exe	11
PID 2208 wrote to memory of 756	2208	d3da4a3513462f955493c3c1d3f74bca.exe	11
PID 2208 wrote to memory of 796	2208	d3da4a3513462f955493c3c1d3f74bca.exe	12
PID 2208 wrote to memory of 796	2208	d3da4a3513462f955493c3c1d3f74bca.exe	12
PID 2208 wrote to memory of 796	2208	d3da4a3513462f955493c3c1d3f74bca.exe	12
PID 2208 wrote to memory of 796	2208	d3da4a3513462f955493c3c1d3f74bca.exe	12
PID 2208 wrote to memory of 796	2208	d3da4a3513462f955493c3c1d3f74bca.exe	12
PID 2208 wrote to memory of 796	2208	d3da4a3513462f955493c3c1d3f74bca.exe	12
PID 2208 wrote to memory of 840	2208	d3da4a3513462f955493c3c1d3f74bca.exe	13
PID 2208 wrote to memory of 840	2208	d3da4a3513462f955493c3c1d3f74bca.exe	13
PID 2208 wrote to memory of 840	2208	d3da4a3513462f955493c3c1d3f74bca.exe	13
PID 2208 wrote to memory of 840	2208	d3da4a3513462f955493c3c1d3f74bca.exe	13

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:372
- C:\Windows\system32\services.exe
  C:\Windows\system32\services.exe
  2⤵
  PID:464
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    3⤵
    PID:584
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      4⤵
      PID:1972
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    3⤵
    PID:664
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    3⤵
    PID:756
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    3⤵
    PID:796
  - - C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      4⤵
      PID:1168
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    3⤵
    PID:840
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    3⤵
    PID:980
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    3⤵
    PID:296
- - C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    3⤵
    PID:852
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    3⤵
    PID:1080
- - C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    3⤵
    PID:1092
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    3⤵
    PID:1992
- - C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    3⤵
    PID:2064
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:480
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:488

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:380

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:420

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1196
- C:\Users\Admin\AppData\Local\Temp\d3da4a3513462f955493c3c1d3f74bca.exe
  "C:\Users\Admin\AppData\Local\Temp\d3da4a3513462f955493c3c1d3f74bca.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2208

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2208-0-0x0000000001000000-0x0000000001019000-memory.dmp

Filesize
100KB

Download
memory/2208-1-0x00000000776A0000-0x00000000776A1000-memory.dmp

Filesize
4KB

Download
memory/2208-2-0x000000007769F000-0x00000000776A0000-memory.dmp

Filesize
4KB

Download
memory/2208-3-0x0000000001000000-0x0000000001019000-memory.dmp

Filesize
100KB

Download