e6d65e21a5b9e73a5626a2fdc9dbdd3f9ffad1f1d56f9bcd62455f6391e8b470

General

Target

e6d65e21a5b9e73a5626a2fdc9dbdd3f9ffad1f1d56f9bcd62455f6391e8b470.exe
Size

5.5MB
MD5

dbe95482a73c63d5b3d1d16aa3ad8f21
SHA1

4bba60ff11f8b150b004960c658ad74a707ebcea
SHA256

e6d65e21a5b9e73a5626a2fdc9dbdd3f9ffad1f1d56f9bcd62455f6391e8b470
SHA512

2f6795a956873a35cc14949f707b51438579fd08cc02e05b17e69628b20d9207863bbc443b670464cbe052a620ecc7bb350e53d9cde5cabbeb266eea049cc3ed

Score

7^/10

Deletes itself 1 IoCs

pid	Process
1928	cmd.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\netkmssg.dll	e6d65e21a5b9e73a5626a2fdc9dbdd3f9ffad1f1d56f9bcd62455f6391e8b470.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
284	timeout.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
576	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	576	powershell.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1276 wrote to memory of 1928	1276	e6d65e21a5b9e73a5626a2fdc9dbdd3f9ffad1f1d56f9bcd62455f6391e8b470.exe	27
PID 1276 wrote to memory of 1928	1276	e6d65e21a5b9e73a5626a2fdc9dbdd3f9ffad1f1d56f9bcd62455f6391e8b470.exe	27
PID 1276 wrote to memory of 1928	1276	e6d65e21a5b9e73a5626a2fdc9dbdd3f9ffad1f1d56f9bcd62455f6391e8b470.exe	27
PID 1276 wrote to memory of 1928	1276	e6d65e21a5b9e73a5626a2fdc9dbdd3f9ffad1f1d56f9bcd62455f6391e8b470.exe	27
PID 1276 wrote to memory of 1656	1276	e6d65e21a5b9e73a5626a2fdc9dbdd3f9ffad1f1d56f9bcd62455f6391e8b470.exe	28
PID 1276 wrote to memory of 1656	1276	e6d65e21a5b9e73a5626a2fdc9dbdd3f9ffad1f1d56f9bcd62455f6391e8b470.exe	28
PID 1276 wrote to memory of 1656	1276	e6d65e21a5b9e73a5626a2fdc9dbdd3f9ffad1f1d56f9bcd62455f6391e8b470.exe	28
PID 1276 wrote to memory of 1656	1276	e6d65e21a5b9e73a5626a2fdc9dbdd3f9ffad1f1d56f9bcd62455f6391e8b470.exe	28
PID 1656 wrote to memory of 576	1656	cmd.exe	32
PID 1656 wrote to memory of 576	1656	cmd.exe	32
PID 1656 wrote to memory of 576	1656	cmd.exe	32
PID 1656 wrote to memory of 576	1656	cmd.exe	32
PID 1928 wrote to memory of 284	1928	cmd.exe	31
PID 1928 wrote to memory of 284	1928	cmd.exe	31
PID 1928 wrote to memory of 284	1928	cmd.exe	31
PID 1928 wrote to memory of 284	1928	cmd.exe	31

memory/576-54-0x0000000076041000-0x0000000076043000-memory.dmp

Filesize
8KB

Download
memory/576-57-0x0000000002500000-0x000000000314A000-memory.dmp

Filesize
12.3MB

Download
memory/576-58-0x0000000002500000-0x000000000314A000-memory.dmp

Filesize
12.3MB

Download