Analysis
-
max time kernel
9s -
max time network
40s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
05/02/2022, 12:56
Static task
static1
Behavioral task
behavioral1
Sample
8f248aedd40f747cab9b5013ebbf9db0953c4e5b8283d32328ba260aebc383a6.exe
Resource
win7-en-20211208
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
8f248aedd40f747cab9b5013ebbf9db0953c4e5b8283d32328ba260aebc383a6.exe
Resource
win10v2004-en-20220113
0 signatures
0 seconds
General
-
Target
8f248aedd40f747cab9b5013ebbf9db0953c4e5b8283d32328ba260aebc383a6.exe
-
Size
364KB
-
MD5
5bf201f9110a3fa61519d57ffbc651df
-
SHA1
602ff9ae73c2b218dce517d4ac09cb6f3c64c3a3
-
SHA256
8f248aedd40f747cab9b5013ebbf9db0953c4e5b8283d32328ba260aebc383a6
-
SHA512
ef26093bd9aa628fd5770b14f85645028dca93d51ad235d8080493d1e8ee7fceb46fae9475af5b09fec391e225bdadd110711acf315870c620ddca520ce23280
Score
4/10
Malware Config
Signatures
-
Drops file in Windows directory 5 IoCs
description ioc Process File opened for modification C:\Windows\WindowsUpdate.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm svchost.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeShutdownPrivilege 4708 svchost.exe Token: SeCreatePagefilePrivilege 4708 svchost.exe Token: SeShutdownPrivilege 4708 svchost.exe Token: SeCreatePagefilePrivilege 4708 svchost.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\8f248aedd40f747cab9b5013ebbf9db0953c4e5b8283d32328ba260aebc383a6.exe"C:\Users\Admin\AppData\Local\Temp\8f248aedd40f747cab9b5013ebbf9db0953c4e5b8283d32328ba260aebc383a6.exe"1⤵PID:448
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4708