805b92787ca7833eef5e61e2df1310e4b6544955e812e60b5f834f904623fd9f

Analysis

Target

805b92787ca7833eef5e61e2df1310e4b6544955e812e60b5f834f904623fd9f.bin.exe
Size

8.3MB
MD5

aedebba95462e9db10b834551e3abc03
SHA1

551c8f9200aa77d9bc94260a516522619016e2b7
SHA256

805b92787ca7833eef5e61e2df1310e4b6544955e812e60b5f834f904623fd9f
SHA512

e3928a34b18385ea8c43598bc13792b3f2d5b3f9cf0a2aa2b0bd0db666ad7e69d6cfdfb4d5dc07f086707156623462ce24432275a6d5bf08669478fe55954980

Score

1^/10

GoLang User-Agent 21 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

Processes:

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

whoami.exe

description pid process

Token: SeDebugPrivilege 1012 whoami.exe

description	pid	process
Token: SeDebugPrivilege	1012	whoami.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

805b92787ca7833eef5e61e2df1310e4b6544955e812e60b5f834f904623fd9f.bin.execmd.exe

description	pid	process	target process
PID 2792 wrote to memory of 3168	2792	805b92787ca7833eef5e61e2df1310e4b6544955e812e60b5f834f904623fd9f.bin.exe	cmd.exe
PID 2792 wrote to memory of 3168	2792	805b92787ca7833eef5e61e2df1310e4b6544955e812e60b5f834f904623fd9f.bin.exe	cmd.exe
PID 2792 wrote to memory of 3168	2792	805b92787ca7833eef5e61e2df1310e4b6544955e812e60b5f834f904623fd9f.bin.exe	cmd.exe
PID 3168 wrote to memory of 1012	3168	cmd.exe	whoami.exe
PID 3168 wrote to memory of 1012	3168	cmd.exe	whoami.exe
PID 3168 wrote to memory of 1012	3168	cmd.exe	whoami.exe

C:\Users\Admin\AppData\Local\Temp\805b92787ca7833eef5e61e2df1310e4b6544955e812e60b5f834f904623fd9f.bin.exe
"C:\Users\Admin\AppData\Local\Temp\805b92787ca7833eef5e61e2df1310e4b6544955e812e60b5f834f904623fd9f.bin.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Windows\SysWOW64\cmd.exe
  cmd /c whoami
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3168
- - C:\Windows\SysWOW64\whoami.exe
    whoami
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1012