27e2394f7b506257a8afa48049a8fe2fef59dc87957def06bd51d1d9dc191732

Analysis

max time kernel
17s
max time network
18s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
12-07-2024 14:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

27e2394f7b506257a8afa48049a8fe2fef59dc87957def06bd51d1d9dc191732.exe
Size

733KB
MD5

3920c23bc5bf04211bf972aca575e55b
SHA1

93537135ee51857248063359e2ba73c3c66bf98f
SHA256

27e2394f7b506257a8afa48049a8fe2fef59dc87957def06bd51d1d9dc191732
SHA512

7c93bee505f7ea9f831533d707329b85089c953263b7916806822d8b6d22593691ee47d6254b9ecaf5c96abe1f2938bbb9fef4bd95124d5e906e677490546972
SSDEEP

12288:PWuMuanZhZGbaWuMuanZhZGb3LAPlJ8/6vrQUACkQvBKS/L8pi9mQ47:yueZG3ueZGeS6LYQ

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2508	27e2394f7b506257a8afa48049a8fe2fef59dc87957def06bd51d1d9dc191732.exe
2508	27e2394f7b506257a8afa48049a8fe2fef59dc87957def06bd51d1d9dc191732.exe
2508	27e2394f7b506257a8afa48049a8fe2fef59dc87957def06bd51d1d9dc191732.exe
2508	27e2394f7b506257a8afa48049a8fe2fef59dc87957def06bd51d1d9dc191732.exe
2508	27e2394f7b506257a8afa48049a8fe2fef59dc87957def06bd51d1d9dc191732.exe
2508	27e2394f7b506257a8afa48049a8fe2fef59dc87957def06bd51d1d9dc191732.exe
2508	27e2394f7b506257a8afa48049a8fe2fef59dc87957def06bd51d1d9dc191732.exe
2508	27e2394f7b506257a8afa48049a8fe2fef59dc87957def06bd51d1d9dc191732.exe
2508	27e2394f7b506257a8afa48049a8fe2fef59dc87957def06bd51d1d9dc191732.exe
2508	27e2394f7b506257a8afa48049a8fe2fef59dc87957def06bd51d1d9dc191732.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2508	27e2394f7b506257a8afa48049a8fe2fef59dc87957def06bd51d1d9dc191732.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 2240	2508	27e2394f7b506257a8afa48049a8fe2fef59dc87957def06bd51d1d9dc191732.exe	30
PID 2508 wrote to memory of 2240	2508	27e2394f7b506257a8afa48049a8fe2fef59dc87957def06bd51d1d9dc191732.exe	30
PID 2508 wrote to memory of 2240	2508	27e2394f7b506257a8afa48049a8fe2fef59dc87957def06bd51d1d9dc191732.exe	30
PID 2508 wrote to memory of 2240	2508	27e2394f7b506257a8afa48049a8fe2fef59dc87957def06bd51d1d9dc191732.exe	30
PID 2240 wrote to memory of 1200	2240	csc.exe	31
PID 2240 wrote to memory of 1200	2240	csc.exe	31
PID 2240 wrote to memory of 1200	2240	csc.exe	31
PID 2240 wrote to memory of 1200	2240	csc.exe	31
PID 2508 wrote to memory of 2552	2508	27e2394f7b506257a8afa48049a8fe2fef59dc87957def06bd51d1d9dc191732.exe	32
PID 2508 wrote to memory of 2552	2508	27e2394f7b506257a8afa48049a8fe2fef59dc87957def06bd51d1d9dc191732.exe	32
PID 2508 wrote to memory of 2552	2508	27e2394f7b506257a8afa48049a8fe2fef59dc87957def06bd51d1d9dc191732.exe	32
PID 2508 wrote to memory of 2552	2508	27e2394f7b506257a8afa48049a8fe2fef59dc87957def06bd51d1d9dc191732.exe	32
PID 2508 wrote to memory of 2552	2508	27e2394f7b506257a8afa48049a8fe2fef59dc87957def06bd51d1d9dc191732.exe	32
PID 2508 wrote to memory of 2552	2508	27e2394f7b506257a8afa48049a8fe2fef59dc87957def06bd51d1d9dc191732.exe	32
PID 2508 wrote to memory of 2552	2508	27e2394f7b506257a8afa48049a8fe2fef59dc87957def06bd51d1d9dc191732.exe	32
PID 2508 wrote to memory of 2548	2508	27e2394f7b506257a8afa48049a8fe2fef59dc87957def06bd51d1d9dc191732.exe	33
PID 2508 wrote to memory of 2548	2508	27e2394f7b506257a8afa48049a8fe2fef59dc87957def06bd51d1d9dc191732.exe	33
PID 2508 wrote to memory of 2548	2508	27e2394f7b506257a8afa48049a8fe2fef59dc87957def06bd51d1d9dc191732.exe	33
PID 2508 wrote to memory of 2548	2508	27e2394f7b506257a8afa48049a8fe2fef59dc87957def06bd51d1d9dc191732.exe	33
PID 2508 wrote to memory of 2548	2508	27e2394f7b506257a8afa48049a8fe2fef59dc87957def06bd51d1d9dc191732.exe	33
PID 2508 wrote to memory of 2548	2508	27e2394f7b506257a8afa48049a8fe2fef59dc87957def06bd51d1d9dc191732.exe	33
PID 2508 wrote to memory of 2548	2508	27e2394f7b506257a8afa48049a8fe2fef59dc87957def06bd51d1d9dc191732.exe	33
PID 2508 wrote to memory of 2912	2508	27e2394f7b506257a8afa48049a8fe2fef59dc87957def06bd51d1d9dc191732.exe	34
PID 2508 wrote to memory of 2912	2508	27e2394f7b506257a8afa48049a8fe2fef59dc87957def06bd51d1d9dc191732.exe	34
PID 2508 wrote to memory of 2912	2508	27e2394f7b506257a8afa48049a8fe2fef59dc87957def06bd51d1d9dc191732.exe	34
PID 2508 wrote to memory of 2912	2508	27e2394f7b506257a8afa48049a8fe2fef59dc87957def06bd51d1d9dc191732.exe	34
PID 2508 wrote to memory of 2912	2508	27e2394f7b506257a8afa48049a8fe2fef59dc87957def06bd51d1d9dc191732.exe	34
PID 2508 wrote to memory of 2912	2508	27e2394f7b506257a8afa48049a8fe2fef59dc87957def06bd51d1d9dc191732.exe	34
PID 2508 wrote to memory of 2912	2508	27e2394f7b506257a8afa48049a8fe2fef59dc87957def06bd51d1d9dc191732.exe	34
PID 2508 wrote to memory of 2808	2508	27e2394f7b506257a8afa48049a8fe2fef59dc87957def06bd51d1d9dc191732.exe	35
PID 2508 wrote to memory of 2808	2508	27e2394f7b506257a8afa48049a8fe2fef59dc87957def06bd51d1d9dc191732.exe	35
PID 2508 wrote to memory of 2808	2508	27e2394f7b506257a8afa48049a8fe2fef59dc87957def06bd51d1d9dc191732.exe	35
PID 2508 wrote to memory of 2808	2508	27e2394f7b506257a8afa48049a8fe2fef59dc87957def06bd51d1d9dc191732.exe	35
PID 2508 wrote to memory of 2808	2508	27e2394f7b506257a8afa48049a8fe2fef59dc87957def06bd51d1d9dc191732.exe	35
PID 2508 wrote to memory of 2808	2508	27e2394f7b506257a8afa48049a8fe2fef59dc87957def06bd51d1d9dc191732.exe	35
PID 2508 wrote to memory of 2808	2508	27e2394f7b506257a8afa48049a8fe2fef59dc87957def06bd51d1d9dc191732.exe	35
PID 2508 wrote to memory of 2484	2508	27e2394f7b506257a8afa48049a8fe2fef59dc87957def06bd51d1d9dc191732.exe	36
PID 2508 wrote to memory of 2484	2508	27e2394f7b506257a8afa48049a8fe2fef59dc87957def06bd51d1d9dc191732.exe	36
PID 2508 wrote to memory of 2484	2508	27e2394f7b506257a8afa48049a8fe2fef59dc87957def06bd51d1d9dc191732.exe	36
PID 2508 wrote to memory of 2484	2508	27e2394f7b506257a8afa48049a8fe2fef59dc87957def06bd51d1d9dc191732.exe	36
PID 2508 wrote to memory of 2484	2508	27e2394f7b506257a8afa48049a8fe2fef59dc87957def06bd51d1d9dc191732.exe	36
PID 2508 wrote to memory of 2484	2508	27e2394f7b506257a8afa48049a8fe2fef59dc87957def06bd51d1d9dc191732.exe	36
PID 2508 wrote to memory of 2484	2508	27e2394f7b506257a8afa48049a8fe2fef59dc87957def06bd51d1d9dc191732.exe	36

C:\Users\Admin\AppData\Local\Temp\27e2394f7b506257a8afa48049a8fe2fef59dc87957def06bd51d1d9dc191732.exe
"C:\Users\Admin\AppData\Local\Temp\27e2394f7b506257a8afa48049a8fe2fef59dc87957def06bd51d1d9dc191732.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\o3l3gtlm\o3l3gtlm.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2240
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3DEA.tmp" "c:\Users\Admin\AppData\Local\Temp\o3l3gtlm\CSCD86E9E051FD44B2C947D233210DFC82.TMP"
    3⤵
    PID:1200
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:2552
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:2548
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:2912
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:2808
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:2484

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES3DEA.tmp

Filesize
1KB

MD5
a568e450a6fb4e3ba4d04e4c84ae748a

SHA1
ba5d05d550f477f01c8efcf9547acb77149c83bc

SHA256
ac81175b9cf60e1f2003f23ef7afa25ca52107b3126ca4b7621f21b15f990142

SHA512
869fd0d79411f1c1d0d9f0bea2d8d856f3286e1b1f044312f1f19e1493ed291dffc2cbd96d4b158e0791ff778f1627c18c13f491593a9a14c26cdd8ded6d1941

Download Submit
C:\Users\Admin\AppData\Local\Temp\o3l3gtlm\o3l3gtlm.dll

Filesize
4KB

MD5
39be988272bb17210fbadd0f1c64f2c5

SHA1
fdaed0762b9046a0838623220064080d80269d2a

SHA256
d2edc424bbcc222bf9dbed7c1eed09189e27a224ffde5c185df80d4370978fe9

SHA512
80a60d7284fd7c70131a5ece87920907a2f3d431e67a8d3ffebbdf5bd69cc955344ff983d7a3a62803e60906feac5e8a7c440a14d2a878de9ca2863481551ff8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\o3l3gtlm\CSCD86E9E051FD44B2C947D233210DFC82.TMP

Filesize
652B

MD5
0b048168c8eb147cb4d21edd9ec9d461

SHA1
1d86305301f2b91ff724a6f72bb93b4b23e4d973

SHA256
a016d67ad39df52181a358b27cb3bdfd42ded66eea0d2fb4f00686bfe943b5f9

SHA512
887b10707df9721b5bb9c1fac2a076d1fc3eac176235564380660b4db6f1253061e621e0b5356fb22d9a59fbface432d2a0f7c98564a5c0dac2c60d85cd0feca

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\o3l3gtlm\o3l3gtlm.0.cs

Filesize
1KB

MD5
c32c2c327b1cbd6bc40811906085e443

SHA1
3dd38840e4943f8c8d2e3322c7fe07471ca6efad

SHA256
aae5d17321d66991f73705f6c75048ee4d63b0505a428e59789991ca35865de6

SHA512
36686fbfba241be09de60f7c8eb78aefb94f96831a212e6f2ed5e5b73ea9599b8a55a3097436ea486c063507c49e453e523df4a16305ca28d05a53a4fe7f4c70

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\o3l3gtlm\o3l3gtlm.cmdline

Filesize
204B

MD5
1b139dc0f1f8bd634fcf62eeb3dddae1

SHA1
adfc37906a680cd57e3cbaa3b0e0e2db01d3440e

SHA256
da5f017f6fe04de6cfa68832ad3c26fcd6cc5dfc459e7535a0da1054fe7592d8

SHA512
87e6bdd4cbd12076adcca44e64f3a0a1ef11a88c295cb28ac69b07e4d6402a7e756305ce367450128a66eef32bcd2a5d9f36a18d30d4f5203ec7dc53b9f1b6b5

Download Submit
memory/2508-0-0x000000007494E000-0x000000007494F000-memory.dmp

Filesize
4KB

Download
memory/2508-1-0x0000000000B60000-0x0000000000C1C000-memory.dmp

Filesize
752KB

Download
memory/2508-7-0x0000000074940000-0x000000007502E000-memory.dmp

Filesize
6.9MB

Download
memory/2508-15-0x0000000000250000-0x0000000000258000-memory.dmp

Filesize
32KB

Download
memory/2508-17-0x0000000000410000-0x0000000000438000-memory.dmp

Filesize
160KB

Download
memory/2508-18-0x0000000074940000-0x000000007502E000-memory.dmp

Filesize
6.9MB

Download