5dd60a5a2e5f074435cb438d3e229d1a3c4e4ef35c9c886a356b52aeb83265cd | Triage

Analysis

max time kernel
8s
max time network
9s
platform
windows7_x64
resource
win7v20201028
submitted
13-01-2021 14:24

Sharing

Report Analysis Logs

General

Target

file.exe
Size

216KB
MD5

2e1fcfb191508fc51320313d059bd30d
SHA1

18254fc83a340ca9562844542425ed7f995bff4a
SHA256

5dd60a5a2e5f074435cb438d3e229d1a3c4e4ef35c9c886a356b52aeb83265cd
SHA512

3c441d1ce951aa84af2a179372445aa89a10780e51742b3d77679cd831735416040c5dfe52b1644c6b71d885a80add0264310aba9a40fed9679bee69c5f497fd

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

file.exe

pid process

848 file.exe
848 file.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

file.exe

description pid process

Token: SeDebugPrivilege 848 file.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

file.exe

description	pid	process	target process
PID 848 wrote to memory of 1448	848	file.exe	dw20.exe
PID 848 wrote to memory of 1448	848	file.exe	dw20.exe
PID 848 wrote to memory of 1448	848	file.exe	dw20.exe
PID 848 wrote to memory of 1448	848	file.exe	dw20.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:848

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 516
2⤵
PID:1448

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1448-2-0x0000000000000000-mapping.dmp

Download
memory/1448-3-0x0000000001EC0000-0x0000000001ED1000-memory.dmp

Filesize
68KB

Download