46dc49be65d7165e2a6009854a4f27f0088230199e61e0555cb1bd266535874a

Analysis

max time kernel
148s
max time network
81s
platform
windows10_x64
resource
win10v200722
submitted
11-08-2020 12:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

foo/0044d66e4abf7c4af6b5d207065320f7.exe

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

0044d66e4abf7c4af6b5d207065320f7.exe

pid	process
2080	0044d66e4abf7c4af6b5d207065320f7.exe
2080	0044d66e4abf7c4af6b5d207065320f7.exe
2080	0044d66e4abf7c4af6b5d207065320f7.exe
2080	0044d66e4abf7c4af6b5d207065320f7.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

0044d66e4abf7c4af6b5d207065320f7.exe

description	pid	process
Token: SeDebugPrivilege	2080	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2080	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2080	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2080	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2080	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2080	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2080	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2080	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2080	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2080	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2080	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2080	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2080	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2080	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2080	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2080	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2080	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2080	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2080	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2080	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2080	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2080	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2080	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2080	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2080	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2080	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2080	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2080	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2080	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2080	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2080	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2080	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2080	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2080	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2080	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2080	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2080	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2080	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2080	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2080	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2080	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2080	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2080	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2080	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2080	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2080	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2080	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2080	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2080	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2080	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2080	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2080	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2080	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2080	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2080	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2080	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2080	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2080	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2080	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2080	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2080	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2080	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2080	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2080	0044d66e4abf7c4af6b5d207065320f7.exe

Suspicious use of WriteProcessMemory 58 IoCs

Processes:

0044d66e4abf7c4af6b5d207065320f7.exe

description	pid	process	target process
PID 2080 wrote to memory of 3060	2080	0044d66e4abf7c4af6b5d207065320f7.exe	Explorer.EXE
PID 2080 wrote to memory of 564	2080	0044d66e4abf7c4af6b5d207065320f7.exe	winlogon.exe
PID 2080 wrote to memory of 632	2080	0044d66e4abf7c4af6b5d207065320f7.exe	lsass.exe
PID 2080 wrote to memory of 712	2080	0044d66e4abf7c4af6b5d207065320f7.exe	svchost.exe
PID 2080 wrote to memory of 736	2080	0044d66e4abf7c4af6b5d207065320f7.exe	fontdrvhost.exe
PID 2080 wrote to memory of 744	2080	0044d66e4abf7c4af6b5d207065320f7.exe	fontdrvhost.exe
PID 2080 wrote to memory of 756	2080	0044d66e4abf7c4af6b5d207065320f7.exe	svchost.exe
PID 2080 wrote to memory of 840	2080	0044d66e4abf7c4af6b5d207065320f7.exe	svchost.exe
PID 2080 wrote to memory of 892	2080	0044d66e4abf7c4af6b5d207065320f7.exe	svchost.exe
PID 2080 wrote to memory of 980	2080	0044d66e4abf7c4af6b5d207065320f7.exe	dwm.exe
PID 2080 wrote to memory of 352	2080	0044d66e4abf7c4af6b5d207065320f7.exe	svchost.exe
PID 2080 wrote to memory of 432	2080	0044d66e4abf7c4af6b5d207065320f7.exe	svchost.exe
PID 2080 wrote to memory of 592	2080	0044d66e4abf7c4af6b5d207065320f7.exe	svchost.exe
PID 2080 wrote to memory of 888	2080	0044d66e4abf7c4af6b5d207065320f7.exe	svchost.exe
PID 2080 wrote to memory of 388	2080	0044d66e4abf7c4af6b5d207065320f7.exe	svchost.exe
PID 2080 wrote to memory of 1096	2080	0044d66e4abf7c4af6b5d207065320f7.exe	svchost.exe
PID 2080 wrote to memory of 1152	2080	0044d66e4abf7c4af6b5d207065320f7.exe	svchost.exe
PID 2080 wrote to memory of 1208	2080	0044d66e4abf7c4af6b5d207065320f7.exe	svchost.exe
PID 2080 wrote to memory of 1216	2080	0044d66e4abf7c4af6b5d207065320f7.exe	svchost.exe
PID 2080 wrote to memory of 1320	2080	0044d66e4abf7c4af6b5d207065320f7.exe	svchost.exe
PID 2080 wrote to memory of 1328	2080	0044d66e4abf7c4af6b5d207065320f7.exe	svchost.exe
PID 2080 wrote to memory of 1396	2080	0044d66e4abf7c4af6b5d207065320f7.exe	svchost.exe
PID 2080 wrote to memory of 1432	2080	0044d66e4abf7c4af6b5d207065320f7.exe	svchost.exe
PID 2080 wrote to memory of 1468	2080	0044d66e4abf7c4af6b5d207065320f7.exe	svchost.exe
PID 2080 wrote to memory of 1480	2080	0044d66e4abf7c4af6b5d207065320f7.exe	svchost.exe
PID 2080 wrote to memory of 1552	2080	0044d66e4abf7c4af6b5d207065320f7.exe	svchost.exe
PID 2080 wrote to memory of 1592	2080	0044d66e4abf7c4af6b5d207065320f7.exe	svchost.exe
PID 2080 wrote to memory of 1660	2080	0044d66e4abf7c4af6b5d207065320f7.exe	svchost.exe
PID 2080 wrote to memory of 1668	2080	0044d66e4abf7c4af6b5d207065320f7.exe	svchost.exe
PID 2080 wrote to memory of 1688	2080	0044d66e4abf7c4af6b5d207065320f7.exe	svchost.exe
PID 2080 wrote to memory of 1804	2080	0044d66e4abf7c4af6b5d207065320f7.exe	svchost.exe
PID 2080 wrote to memory of 1812	2080	0044d66e4abf7c4af6b5d207065320f7.exe	svchost.exe
PID 2080 wrote to memory of 1840	2080	0044d66e4abf7c4af6b5d207065320f7.exe	svchost.exe
PID 2080 wrote to memory of 2020	2080	0044d66e4abf7c4af6b5d207065320f7.exe	svchost.exe
PID 2080 wrote to memory of 1504	2080	0044d66e4abf7c4af6b5d207065320f7.exe	svchost.exe
PID 2080 wrote to memory of 2100	2080	0044d66e4abf7c4af6b5d207065320f7.exe	svchost.exe
PID 2080 wrote to memory of 2216	2080	0044d66e4abf7c4af6b5d207065320f7.exe	AUDIODG.EXE
PID 2080 wrote to memory of 2288	2080	0044d66e4abf7c4af6b5d207065320f7.exe	svchost.exe
PID 2080 wrote to memory of 2312	2080	0044d66e4abf7c4af6b5d207065320f7.exe	svchost.exe
PID 2080 wrote to memory of 2324	2080	0044d66e4abf7c4af6b5d207065320f7.exe	svchost.exe
PID 2080 wrote to memory of 2356	2080	0044d66e4abf7c4af6b5d207065320f7.exe	sihost.exe
PID 2080 wrote to memory of 2416	2080	0044d66e4abf7c4af6b5d207065320f7.exe	svchost.exe
PID 2080 wrote to memory of 2492	2080	0044d66e4abf7c4af6b5d207065320f7.exe	svchost.exe
PID 2080 wrote to memory of 2500	2080	0044d66e4abf7c4af6b5d207065320f7.exe	svchost.exe
PID 2080 wrote to memory of 2524	2080	0044d66e4abf7c4af6b5d207065320f7.exe	OfficeClickToRun.exe
PID 2080 wrote to memory of 2552	2080	0044d66e4abf7c4af6b5d207065320f7.exe	svchost.exe
PID 2080 wrote to memory of 2560	2080	0044d66e4abf7c4af6b5d207065320f7.exe	svchost.exe
PID 2080 wrote to memory of 2564	2080	0044d66e4abf7c4af6b5d207065320f7.exe	svchost.exe
PID 2080 wrote to memory of 2680	2080	0044d66e4abf7c4af6b5d207065320f7.exe	taskhostw.exe
PID 2080 wrote to memory of 3060	2080	0044d66e4abf7c4af6b5d207065320f7.exe	Explorer.EXE
PID 2080 wrote to memory of 3196	2080	0044d66e4abf7c4af6b5d207065320f7.exe	ShellExperienceHost.exe
PID 2080 wrote to memory of 3204	2080	0044d66e4abf7c4af6b5d207065320f7.exe	SearchUI.exe
PID 2080 wrote to memory of 3424	2080	0044d66e4abf7c4af6b5d207065320f7.exe	RuntimeBroker.exe
PID 2080 wrote to memory of 3676	2080	0044d66e4abf7c4af6b5d207065320f7.exe	DllHost.exe
PID 2080 wrote to memory of 4056	2080	0044d66e4abf7c4af6b5d207065320f7.exe	DllHost.exe
PID 2080 wrote to memory of 3316	2080	0044d66e4abf7c4af6b5d207065320f7.exe	svchost.exe
PID 2080 wrote to memory of 2860	2080	0044d66e4abf7c4af6b5d207065320f7.exe	svchost.exe
PID 2080 wrote to memory of 812	2080	0044d66e4abf7c4af6b5d207065320f7.exe	svchost.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:564
- C:\Windows\system32\fontdrvhost.exe
  "fontdrvhost.exe"
  2⤵
  PID:736
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:980

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:632

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
1⤵
PID:712

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:744

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
PID:756
- C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
  "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
  2⤵
  PID:3196
- C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
  2⤵
  PID:3204
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3424
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:3676
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:4056

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k rpcss
1⤵
PID:840

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
1⤵
PID:892

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:352

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
1⤵
PID:432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
1⤵
PID:592

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
1⤵
PID:888

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
PID:388
- c:\windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2680

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1096

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
1⤵
PID:1152

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s EventSystem
1⤵
PID:1208

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1216

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1320
- c:\windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2356

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s nsi
1⤵
PID:1328

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1396

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
1⤵
PID:1432

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
1⤵
PID:1468

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s FontCache
1⤵
PID:1480

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1552
- C:\Windows\system32\AUDIODG.EXE
  C:\Windows\system32\AUDIODG.EXE 0x3d8
  2⤵
  PID:2216

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
1⤵
PID:1592

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s Dnscache
1⤵
PID:1660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1668

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1688

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s netprofm
1⤵
PID:1804

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1812

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s StateRepository
1⤵
PID:1840

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
1⤵
PID:2020

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s WinHttpAutoProxySvc
1⤵
PID:1504

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
1⤵
PID:2100

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2288

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2312

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
1⤵
PID:2324

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2416

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2492

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
1⤵
PID:2500

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2524

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
1⤵
PID:2552

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2560

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:2564

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3060
- C:\Users\Admin\AppData\Local\Temp\foo\0044d66e4abf7c4af6b5d207065320f7.exe
  "C:\Users\Admin\AppData\Local\Temp\foo\0044d66e4abf7c4af6b5d207065320f7.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2080

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s CDPSvc
1⤵
PID:3316

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s BITS
1⤵
PID:2860

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
1⤵
PID:812

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2080-0-0x0000000000550000-0x000000000055A000-memory.dmp

Filesize
40KB

Download