3d50def77cb8e4e01e4af9bb6cf08af8defe1eb760f955875b31236e92cce675

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
14-05-2024 20:49

Target

3d50def77cb8e4e01e4af9bb6cf08af8defe1eb760f955875b31236e92cce675.exe
Size

31KB
MD5

5dbdb42fe9bbd3c1d820cdb3e89f578e
SHA1

28f2efe59cf3d355db90be70aa6d2e1547d8e7b0
SHA256

3d50def77cb8e4e01e4af9bb6cf08af8defe1eb760f955875b31236e92cce675
SHA512

ed3781c395fae7184a1b00f0605b32e8cc5f0452b993df455a0dd6088be47fefe6d35f0e202d47ef7aca0bfe43d255d6bcd34bca2c20f3ca6ed67556a8840574
SSDEEP

768:GT4wO+PkS0JAVnVibDdPNOLxdGvVkT/bmyf65rTv:aO+nVS4B3S5X

Score

7^/10

Deletes itself 1 IoCs

pid	Process
2852	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2992	system32smass.exe
2668	system32smass.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2668 set thread context of 2868	2668	system32smass.exe	31

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32smass.exe	3d50def77cb8e4e01e4af9bb6cf08af8defe1eb760f955875b31236e92cce675.exe
File opened for modification	C:\Windows\system32smass.exe	3d50def77cb8e4e01e4af9bb6cf08af8defe1eb760f955875b31236e92cce675.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2912	3d50def77cb8e4e01e4af9bb6cf08af8defe1eb760f955875b31236e92cce675.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2912 wrote to memory of 2992	2912	3d50def77cb8e4e01e4af9bb6cf08af8defe1eb760f955875b31236e92cce675.exe	28
PID 2912 wrote to memory of 2992	2912	3d50def77cb8e4e01e4af9bb6cf08af8defe1eb760f955875b31236e92cce675.exe	28
PID 2912 wrote to memory of 2992	2912	3d50def77cb8e4e01e4af9bb6cf08af8defe1eb760f955875b31236e92cce675.exe	28
PID 2912 wrote to memory of 2992	2912	3d50def77cb8e4e01e4af9bb6cf08af8defe1eb760f955875b31236e92cce675.exe	28
PID 2912 wrote to memory of 2852	2912	3d50def77cb8e4e01e4af9bb6cf08af8defe1eb760f955875b31236e92cce675.exe	29
PID 2912 wrote to memory of 2852	2912	3d50def77cb8e4e01e4af9bb6cf08af8defe1eb760f955875b31236e92cce675.exe	29
PID 2912 wrote to memory of 2852	2912	3d50def77cb8e4e01e4af9bb6cf08af8defe1eb760f955875b31236e92cce675.exe	29
PID 2912 wrote to memory of 2852	2912	3d50def77cb8e4e01e4af9bb6cf08af8defe1eb760f955875b31236e92cce675.exe	29
PID 2668 wrote to memory of 2868	2668	system32smass.exe	31
PID 2668 wrote to memory of 2868	2668	system32smass.exe	31
PID 2668 wrote to memory of 2868	2668	system32smass.exe	31
PID 2668 wrote to memory of 2868	2668	system32smass.exe	31
PID 2668 wrote to memory of 2868	2668	system32smass.exe	31
PID 2668 wrote to memory of 2868	2668	system32smass.exe	31

C:\Users\Admin\AppData\Local\Temp\3d50def77cb8e4e01e4af9bb6cf08af8defe1eb760f955875b31236e92cce675.exe
"C:\Users\Admin\AppData\Local\Temp\3d50def77cb8e4e01e4af9bb6cf08af8defe1eb760f955875b31236e92cce675.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Windows\system32smass.exe
  "C:\Windows\system32smass.exe"
  2⤵
  - Executes dropped EXE
  PID:2992
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C del C:\Users\Admin\AppData\Local\Temp\3D50DE~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2852

C:\Windows\system32smass.exe
C:\Windows\system32smass.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:2868

C:\Windows\system32smass.exe

Filesize
31KB

MD5
5dbdb42fe9bbd3c1d820cdb3e89f578e

SHA1
28f2efe59cf3d355db90be70aa6d2e1547d8e7b0

SHA256
3d50def77cb8e4e01e4af9bb6cf08af8defe1eb760f955875b31236e92cce675

SHA512
ed3781c395fae7184a1b00f0605b32e8cc5f0452b993df455a0dd6088be47fefe6d35f0e202d47ef7aca0bfe43d255d6bcd34bca2c20f3ca6ed67556a8840574

Download Submit
memory/2868-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2868-11-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2868-13-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download