3d649dfd896254e08e979f74e73dd4d9d46c14c49c10f7682d333a7f7edda072

Analysis

Target

d408a6a1_extracted.exe
Size

150KB
MD5

ab37b2049e98c636ac5beaddae4da748
SHA1

ef849289e463c0b9474646e5f3e5012f86efe57f
SHA256

3d649dfd896254e08e979f74e73dd4d9d46c14c49c10f7682d333a7f7edda072
SHA512

25a3e6f99bc8a6cc03b69847af30f846f8a12acfae6207e6405b68d2ea1e386f5400f38814ac8e0f239b7591a2f2196b1670fbcd9482e3ca8debc09942cd15ff

Score

1^/10

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1088 taskkill.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

d408a6a1_extracted.exetaskkill.exe

description pid process

Token: SeDebugPrivilege 1932 d408a6a1_extracted.exe
Token: SeDebugPrivilege 1088 taskkill.exe

pid	process
1088	taskkill.exe

description	pid	process
Token: SeDebugPrivilege	1932	d408a6a1_extracted.exe
Token: SeDebugPrivilege	1088	taskkill.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

d408a6a1_extracted.execmd.exe

description	pid	process	target process
PID 1932 wrote to memory of 460	1932	d408a6a1_extracted.exe	cmd.exe
PID 1932 wrote to memory of 460	1932	d408a6a1_extracted.exe	cmd.exe
PID 1932 wrote to memory of 460	1932	d408a6a1_extracted.exe	cmd.exe
PID 1932 wrote to memory of 460	1932	d408a6a1_extracted.exe	cmd.exe
PID 460 wrote to memory of 1088	460	cmd.exe	taskkill.exe
PID 460 wrote to memory of 1088	460	cmd.exe	taskkill.exe
PID 460 wrote to memory of 1088	460	cmd.exe	taskkill.exe
PID 460 wrote to memory of 1088	460	cmd.exe	taskkill.exe
PID 460 wrote to memory of 1124	460	cmd.exe	choice.exe
PID 460 wrote to memory of 1124	460	cmd.exe	choice.exe
PID 460 wrote to memory of 1124	460	cmd.exe	choice.exe
PID 460 wrote to memory of 1124	460	cmd.exe	choice.exe

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C taskkill /F /PID 1932 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\d408a6a1_extracted.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:460

memory/460-7-0x0000000000000000-mapping.dmp

Download
memory/1088-8-0x0000000000000000-mapping.dmp

Download
memory/1124-9-0x0000000000000000-mapping.dmp

Download
memory/1932-2-0x0000000073E00000-0x00000000744EE000-memory.dmp

Filesize
6.9MB

Download
memory/1932-3-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/1932-5-0x00000000750C1000-0x00000000750C3000-memory.dmp

Filesize
8KB

Download
memory/1932-6-0x0000000004C30000-0x0000000004C31000-memory.dmp

Filesize
4KB

Download