0e9a9cde396cf2e4fd9f8b265661a9f9b794000f7f7bb42093df4ab5a25f3d96

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
17-07-2024 02:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmpn_lplll3.exe
Size

116KB
MD5

573c0e68dd70ab65a138d159c5e55c7b
SHA1

b7a1e3c11184bcee033bf5544c7754efaded98bd
SHA256

0e9a9cde396cf2e4fd9f8b265661a9f9b794000f7f7bb42093df4ab5a25f3d96
SHA512

c411cdd2161ee392cb7e298fdfc324e16930550d5532ddc688190c625d5264141bb82004375fd4e42264d7f03013fe3671e05cf71a46596c800503b15af7d43b
SSDEEP

1536:wR4qLqpobtTJCd17sVk000ipaGESp6FbmD3aAS2gpqBW9INcLc0cmwnt4AzD:NpaxJC/7EjRSp6JAS2gpqBWLdaf

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2876	tmpn_lplll3.exe
2876	tmpn_lplll3.exe
2876	tmpn_lplll3.exe
2876	tmpn_lplll3.exe
2876	tmpn_lplll3.exe
2876	tmpn_lplll3.exe
2876	tmpn_lplll3.exe
2876	tmpn_lplll3.exe
2876	tmpn_lplll3.exe
2876	tmpn_lplll3.exe
2876	tmpn_lplll3.exe
2876	tmpn_lplll3.exe
2876	tmpn_lplll3.exe
2876	tmpn_lplll3.exe
2876	tmpn_lplll3.exe
2876	tmpn_lplll3.exe
2876	tmpn_lplll3.exe
2876	tmpn_lplll3.exe
2876	tmpn_lplll3.exe
2876	tmpn_lplll3.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2876	tmpn_lplll3.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 2616	2876	tmpn_lplll3.exe	30
PID 2876 wrote to memory of 2616	2876	tmpn_lplll3.exe	30
PID 2876 wrote to memory of 2616	2876	tmpn_lplll3.exe	30
PID 2876 wrote to memory of 2616	2876	tmpn_lplll3.exe	30
PID 2876 wrote to memory of 2632	2876	tmpn_lplll3.exe	31
PID 2876 wrote to memory of 2632	2876	tmpn_lplll3.exe	31
PID 2876 wrote to memory of 2632	2876	tmpn_lplll3.exe	31
PID 2876 wrote to memory of 2632	2876	tmpn_lplll3.exe	31
PID 2876 wrote to memory of 2668	2876	tmpn_lplll3.exe	32
PID 2876 wrote to memory of 2668	2876	tmpn_lplll3.exe	32
PID 2876 wrote to memory of 2668	2876	tmpn_lplll3.exe	32
PID 2876 wrote to memory of 2668	2876	tmpn_lplll3.exe	32
PID 2876 wrote to memory of 2676	2876	tmpn_lplll3.exe	33
PID 2876 wrote to memory of 2676	2876	tmpn_lplll3.exe	33
PID 2876 wrote to memory of 2676	2876	tmpn_lplll3.exe	33
PID 2876 wrote to memory of 2676	2876	tmpn_lplll3.exe	33
PID 2876 wrote to memory of 2040	2876	tmpn_lplll3.exe	34
PID 2876 wrote to memory of 2040	2876	tmpn_lplll3.exe	34
PID 2876 wrote to memory of 2040	2876	tmpn_lplll3.exe	34
PID 2876 wrote to memory of 2040	2876	tmpn_lplll3.exe	34
PID 2876 wrote to memory of 2264	2876	tmpn_lplll3.exe	35
PID 2876 wrote to memory of 2264	2876	tmpn_lplll3.exe	35
PID 2876 wrote to memory of 2264	2876	tmpn_lplll3.exe	35
PID 2876 wrote to memory of 2264	2876	tmpn_lplll3.exe	35
PID 2876 wrote to memory of 2112	2876	tmpn_lplll3.exe	36
PID 2876 wrote to memory of 2112	2876	tmpn_lplll3.exe	36
PID 2876 wrote to memory of 2112	2876	tmpn_lplll3.exe	36
PID 2876 wrote to memory of 2112	2876	tmpn_lplll3.exe	36
PID 2876 wrote to memory of 2652	2876	tmpn_lplll3.exe	37
PID 2876 wrote to memory of 2652	2876	tmpn_lplll3.exe	37
PID 2876 wrote to memory of 2652	2876	tmpn_lplll3.exe	37
PID 2876 wrote to memory of 2652	2876	tmpn_lplll3.exe	37
PID 2876 wrote to memory of 2216	2876	tmpn_lplll3.exe	38
PID 2876 wrote to memory of 2216	2876	tmpn_lplll3.exe	38
PID 2876 wrote to memory of 2216	2876	tmpn_lplll3.exe	38
PID 2876 wrote to memory of 2216	2876	tmpn_lplll3.exe	38
PID 2876 wrote to memory of 2076	2876	tmpn_lplll3.exe	39
PID 2876 wrote to memory of 2076	2876	tmpn_lplll3.exe	39
PID 2876 wrote to memory of 2076	2876	tmpn_lplll3.exe	39
PID 2876 wrote to memory of 2076	2876	tmpn_lplll3.exe	39
PID 2876 wrote to memory of 2644	2876	tmpn_lplll3.exe	40
PID 2876 wrote to memory of 2644	2876	tmpn_lplll3.exe	40
PID 2876 wrote to memory of 2644	2876	tmpn_lplll3.exe	40

C:\Users\Admin\AppData\Local\Temp\tmpn_lplll3.exe
"C:\Users\Admin\AppData\Local\Temp\tmpn_lplll3.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:2616
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:2632
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:2668
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:2676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:2040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:2264
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:2112
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:2652
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:2216
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:2076
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2876 -s 1800
  2⤵
  PID:2644

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2876-0-0x000007FEF5D93000-0x000007FEF5D94000-memory.dmp

Filesize
4KB

Download
memory/2876-1-0x0000000001080000-0x00000000010A2000-memory.dmp

Filesize
136KB

Download
memory/2876-18-0x0000000000B40000-0x0000000000B4A000-memory.dmp

Filesize
40KB

Download
memory/2876-20-0x000007FEF5D93000-0x000007FEF5D94000-memory.dmp

Filesize
4KB

Download