3d649dfd896254e08e979f74e73dd4d9d46c14c49c10f7682d333a7f7edda072

Analysis

Target

d408a6a1_extracted.exe
Size

150KB
MD5

ab37b2049e98c636ac5beaddae4da748
SHA1

ef849289e463c0b9474646e5f3e5012f86efe57f
SHA256

3d649dfd896254e08e979f74e73dd4d9d46c14c49c10f7682d333a7f7edda072
SHA512

25a3e6f99bc8a6cc03b69847af30f846f8a12acfae6207e6405b68d2ea1e386f5400f38814ac8e0f239b7591a2f2196b1670fbcd9482e3ca8debc09942cd15ff

Score

1^/10

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

64 taskkill.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

d408a6a1_extracted.exetaskkill.exe

description pid process

Token: SeDebugPrivilege 1788 d408a6a1_extracted.exe
Token: SeDebugPrivilege 64 taskkill.exe

pid	process
64	taskkill.exe

description	pid	process
Token: SeDebugPrivilege	1788	d408a6a1_extracted.exe
Token: SeDebugPrivilege	64	taskkill.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

d408a6a1_extracted.execmd.exe

description	pid	process	target process
PID 1788 wrote to memory of 1268	1788	d408a6a1_extracted.exe	cmd.exe
PID 1788 wrote to memory of 1268	1788	d408a6a1_extracted.exe	cmd.exe
PID 1788 wrote to memory of 1268	1788	d408a6a1_extracted.exe	cmd.exe
PID 1268 wrote to memory of 64	1268	cmd.exe	taskkill.exe
PID 1268 wrote to memory of 64	1268	cmd.exe	taskkill.exe
PID 1268 wrote to memory of 64	1268	cmd.exe	taskkill.exe
PID 1268 wrote to memory of 3184	1268	cmd.exe	choice.exe
PID 1268 wrote to memory of 3184	1268	cmd.exe	choice.exe
PID 1268 wrote to memory of 3184	1268	cmd.exe	choice.exe

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C taskkill /F /PID 1788 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\d408a6a1_extracted.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1268

memory/64-12-0x0000000000000000-mapping.dmp

Download
memory/1268-11-0x0000000000000000-mapping.dmp

Download
memory/1788-2-0x0000000073A20000-0x000000007410E000-memory.dmp

Filesize
6.9MB

Download
memory/1788-3-0x0000000000F80000-0x0000000000F81000-memory.dmp

Filesize
4KB

Download
memory/1788-5-0x0000000005E60000-0x0000000005E61000-memory.dmp

Filesize
4KB

Download
memory/1788-6-0x00000000057B0000-0x00000000057B1000-memory.dmp

Filesize
4KB

Download
memory/1788-7-0x0000000005850000-0x0000000005851000-memory.dmp

Filesize
4KB

Download
memory/1788-8-0x0000000005840000-0x0000000005841000-memory.dmp

Filesize
4KB

Download
memory/1788-9-0x00000000057D0000-0x00000000057D1000-memory.dmp

Filesize
4KB

Download
memory/1788-10-0x0000000005AB0000-0x0000000005AB1000-memory.dmp

Filesize
4KB

Download
memory/3184-13-0x0000000000000000-mapping.dmp

Download