b288c3b3f5886b1cd7b6600df2b8046f2c0fd17360fb188ecfbcc8f6b7e552a5

General

Target

b288c3b3f5886b1cd7b6600df2b8046f2c0fd17360fb188ecfbcc8f6b7e552a5.exe
Size

112KB
MD5

b9b5f5039c19f15ca610baa095642f8a
SHA1

6464f52a47c362195a219bd5cf529338bf29a5c9
SHA256

b288c3b3f5886b1cd7b6600df2b8046f2c0fd17360fb188ecfbcc8f6b7e552a5
SHA512

5c62f2e948609d2481f2fd77bcee5f9a5fb93b8997ea7753c67554c3cd5c20d005b4170d498522aedd83b6c281edc8f8a60cffa75333cedc97fb06fe7451b697

Score

7^/10

Deletes itself 1 IoCs

pid	Process
1088	cmd.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
792	timeout.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
564	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	564	powershell.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1668 wrote to memory of 1088	1668	b288c3b3f5886b1cd7b6600df2b8046f2c0fd17360fb188ecfbcc8f6b7e552a5.exe	27
PID 1668 wrote to memory of 1088	1668	b288c3b3f5886b1cd7b6600df2b8046f2c0fd17360fb188ecfbcc8f6b7e552a5.exe	27
PID 1668 wrote to memory of 1088	1668	b288c3b3f5886b1cd7b6600df2b8046f2c0fd17360fb188ecfbcc8f6b7e552a5.exe	27
PID 1668 wrote to memory of 1088	1668	b288c3b3f5886b1cd7b6600df2b8046f2c0fd17360fb188ecfbcc8f6b7e552a5.exe	27
PID 1668 wrote to memory of 748	1668	b288c3b3f5886b1cd7b6600df2b8046f2c0fd17360fb188ecfbcc8f6b7e552a5.exe	28
PID 1668 wrote to memory of 748	1668	b288c3b3f5886b1cd7b6600df2b8046f2c0fd17360fb188ecfbcc8f6b7e552a5.exe	28
PID 1668 wrote to memory of 748	1668	b288c3b3f5886b1cd7b6600df2b8046f2c0fd17360fb188ecfbcc8f6b7e552a5.exe	28
PID 1668 wrote to memory of 748	1668	b288c3b3f5886b1cd7b6600df2b8046f2c0fd17360fb188ecfbcc8f6b7e552a5.exe	28
PID 1088 wrote to memory of 792	1088	cmd.exe	31
PID 1088 wrote to memory of 792	1088	cmd.exe	31
PID 1088 wrote to memory of 792	1088	cmd.exe	31
PID 1088 wrote to memory of 792	1088	cmd.exe	31
PID 748 wrote to memory of 564	748	cmd.exe	32
PID 748 wrote to memory of 564	748	cmd.exe	32
PID 748 wrote to memory of 564	748	cmd.exe	32
PID 748 wrote to memory of 564	748	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\b288c3b3f5886b1cd7b6600df2b8046f2c0fd17360fb188ecfbcc8f6b7e552a5.exe
"C:\Users\Admin\AppData\Local\Temp\b288c3b3f5886b1cd7b6600df2b8046f2c0fd17360fb188ecfbcc8f6b7e552a5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c timeout 5 && del C:\Users\Admin\AppData\Local\Temp\b288c3b3f5886b1cd7b6600df2b8046f2c0fd17360fb188ecfbcc8f6b7e552a5.exe
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1088
- - C:\Windows\SysWOW64\timeout.exe
    timeout 5
    3⤵
    - Delays execution with timeout.exe
    PID:792
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C PowerShell "Start-Sleep 5; Remove-Item C:\Users\Admin\AppData\Local\Temp\b288c3b3f5886b1cd7b6600df2b8046f2c0fd17360fb188ecfbcc8f6b7e552a5.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:748
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    PowerShell "Start-Sleep 5; Remove-Item C:\Users\Admin\AppData\Local\Temp\b288c3b3f5886b1cd7b6600df2b8046f2c0fd17360fb188ecfbcc8f6b7e552a5.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:564

memory/564-55-0x0000000076921000-0x0000000076923000-memory.dmp

Filesize
8KB

Download
memory/564-56-0x00000000023A0000-0x0000000002FEA000-memory.dmp

Filesize
12.3MB

Download
memory/564-57-0x00000000023A0000-0x0000000002FEA000-memory.dmp

Filesize
12.3MB

Download
memory/564-58-0x00000000023A0000-0x0000000002FEA000-memory.dmp

Filesize
12.3MB

Download