2d70e74d6f3d8d6146e8f0c70ae3e3d35b7964d95b295339e6c2914cc09afdc8 | Triage

Analysis

max time kernel
48s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
20-02-2022 08:54

Sharing

Report Analysis Logs

General

Target

2d70e74d6f3d8d6146e8f0c70ae3e3d35b7964d95b295339e6c2914cc09afdc8.exe
Size

206KB
MD5

ed0179b4230a413fa1d9d042f6d413df
SHA1

4d9e43a06730e174693e93f4ad6cb0a69ad05452
SHA256

2d70e74d6f3d8d6146e8f0c70ae3e3d35b7964d95b295339e6c2914cc09afdc8
SHA512

878ab62f10d7e7d0a4493141232ab65420e48868696d2226db49aa94bb6559365c8058cd5d99188f27a5a655e9a5e0fa6cae4cf04daa54e2e09c8ea67abeeb1b

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2380	2d70e74d6f3d8d6146e8f0c70ae3e3d35b7964d95b295339e6c2914cc09afdc8.exe
2380	2d70e74d6f3d8d6146e8f0c70ae3e3d35b7964d95b295339e6c2914cc09afdc8.exe
2380	2d70e74d6f3d8d6146e8f0c70ae3e3d35b7964d95b295339e6c2914cc09afdc8.exe
2380	2d70e74d6f3d8d6146e8f0c70ae3e3d35b7964d95b295339e6c2914cc09afdc8.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2380	2d70e74d6f3d8d6146e8f0c70ae3e3d35b7964d95b295339e6c2914cc09afdc8.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2340	2380	2d70e74d6f3d8d6146e8f0c70ae3e3d35b7964d95b295339e6c2914cc09afdc8.exe	60
PID 2380 wrote to memory of 2356	2380	2d70e74d6f3d8d6146e8f0c70ae3e3d35b7964d95b295339e6c2914cc09afdc8.exe	59
PID 2380 wrote to memory of 2432	2380	2d70e74d6f3d8d6146e8f0c70ae3e3d35b7964d95b295339e6c2914cc09afdc8.exe	58
PID 2380 wrote to memory of 2800	2380	2d70e74d6f3d8d6146e8f0c70ae3e3d35b7964d95b295339e6c2914cc09afdc8.exe	47
PID 2380 wrote to memory of 3252	2380	2d70e74d6f3d8d6146e8f0c70ae3e3d35b7964d95b295339e6c2914cc09afdc8.exe	46

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3252

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:2800

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2356

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2340

C:\Users\Admin\AppData\Local\Temp\2d70e74d6f3d8d6146e8f0c70ae3e3d35b7964d95b295339e6c2914cc09afdc8.exe
"C:\Users\Admin\AppData\Local\Temp\2d70e74d6f3d8d6146e8f0c70ae3e3d35b7964d95b295339e6c2914cc09afdc8.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2380

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2340-130-0x00007FF79E9C0000-0x00007FF79ED57000-memory.dmp

Filesize
3.6MB

Download
memory/2356-131-0x00007FF79E9C0000-0x00007FF79ED57000-memory.dmp

Filesize
3.6MB

Download