884efd1521e2fff9a05e7428239b3d9b92442ecef1248dd2bb295b253016dfb5 | Triage

Analysis

max time kernel
19s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
20-02-2022 04:57

Sharing

Report Analysis Logs

General

Target

884efd1521e2fff9a05e7428239b3d9b92442ecef1248dd2bb295b253016dfb5.exe
Size

124KB
MD5

3925ae7df3328773be923f74d70555e3
SHA1

948af4614e8ff150fbe0bc38f40806b457acaf3a
SHA256

884efd1521e2fff9a05e7428239b3d9b92442ecef1248dd2bb295b253016dfb5
SHA512

1eb06c442f6c63d7f5908a57ec57852678820349385e8e77aa0baaa584e6bb2dca59c0e2d4529734f9108e298d245e755202b70461cc1e6402ef37cc7d3d942d

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3904	884efd1521e2fff9a05e7428239b3d9b92442ecef1248dd2bb295b253016dfb5.exe
3904	884efd1521e2fff9a05e7428239b3d9b92442ecef1248dd2bb295b253016dfb5.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3904	884efd1521e2fff9a05e7428239b3d9b92442ecef1248dd2bb295b253016dfb5.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3904 wrote to memory of 2340	3904	884efd1521e2fff9a05e7428239b3d9b92442ecef1248dd2bb295b253016dfb5.exe	27
PID 3904 wrote to memory of 2380	3904	884efd1521e2fff9a05e7428239b3d9b92442ecef1248dd2bb295b253016dfb5.exe	64
PID 3904 wrote to memory of 2476	3904	884efd1521e2fff9a05e7428239b3d9b92442ecef1248dd2bb295b253016dfb5.exe	63
PID 3904 wrote to memory of 2416	3904	884efd1521e2fff9a05e7428239b3d9b92442ecef1248dd2bb295b253016dfb5.exe	58
PID 3904 wrote to memory of 2872	3904	884efd1521e2fff9a05e7428239b3d9b92442ecef1248dd2bb295b253016dfb5.exe	57
PID 3904 wrote to memory of 3268	3904	884efd1521e2fff9a05e7428239b3d9b92442ecef1248dd2bb295b253016dfb5.exe	56

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2340

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3268

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:2872

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2416
- C:\Users\Admin\AppData\Local\Temp\884efd1521e2fff9a05e7428239b3d9b92442ecef1248dd2bb295b253016dfb5.exe
  "C:\Users\Admin\AppData\Local\Temp\884efd1521e2fff9a05e7428239b3d9b92442ecef1248dd2bb295b253016dfb5.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3904

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2380

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2340-130-0x00007FF6DB290000-0x00007FF6DB611000-memory.dmp

Filesize
3.5MB

Download