13a1fbb9c303f2789f2d2d55e6b915f4d731b70f0ea6b4453364cd65f9cfa8d6 | Triage

Analysis

max time kernel
30s
max time network
60s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
20-02-2022 10:02

Sharing

Report Analysis Logs

General

Target

13a1fbb9c303f2789f2d2d55e6b915f4d731b70f0ea6b4453364cd65f9cfa8d6.exe
Size

153KB
MD5

71d5ee75766497e2c37b20503cf02f53
SHA1

d78c955173c447cb79fb559de122563d90d5358d
SHA256

13a1fbb9c303f2789f2d2d55e6b915f4d731b70f0ea6b4453364cd65f9cfa8d6
SHA512

c365d9dd353a326814dce42cbbaf7c159b605725365dd99efcd3870ff2af31d908bc534a43e2c3c8849808736183f9bb2fbd83785bc3e42123e5847004a5f6eb

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3700	13a1fbb9c303f2789f2d2d55e6b915f4d731b70f0ea6b4453364cd65f9cfa8d6.exe
3700	13a1fbb9c303f2789f2d2d55e6b915f4d731b70f0ea6b4453364cd65f9cfa8d6.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3700	13a1fbb9c303f2789f2d2d55e6b915f4d731b70f0ea6b4453364cd65f9cfa8d6.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3700 wrote to memory of 2280	3700	13a1fbb9c303f2789f2d2d55e6b915f4d731b70f0ea6b4453364cd65f9cfa8d6.exe	48
PID 3700 wrote to memory of 2312	3700	13a1fbb9c303f2789f2d2d55e6b915f4d731b70f0ea6b4453364cd65f9cfa8d6.exe	12
PID 3700 wrote to memory of 2432	3700	13a1fbb9c303f2789f2d2d55e6b915f4d731b70f0ea6b4453364cd65f9cfa8d6.exe	47
PID 3700 wrote to memory of 744	3700	13a1fbb9c303f2789f2d2d55e6b915f4d731b70f0ea6b4453364cd65f9cfa8d6.exe	18
PID 3700 wrote to memory of 3252	3700	13a1fbb9c303f2789f2d2d55e6b915f4d731b70f0ea6b4453364cd65f9cfa8d6.exe	17

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2312

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3252

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:744

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2432

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2280

C:\Users\Admin\AppData\Local\Temp\13a1fbb9c303f2789f2d2d55e6b915f4d731b70f0ea6b4453364cd65f9cfa8d6.exe
"C:\Users\Admin\AppData\Local\Temp\13a1fbb9c303f2789f2d2d55e6b915f4d731b70f0ea6b4453364cd65f9cfa8d6.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3700

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2280-130-0x00007FF7BB6E0000-0x00007FF7BBA6A000-memory.dmp

Filesize
3.5MB

Download
memory/2312-131-0x00007FF7BB6E0000-0x00007FF7BBA6A000-memory.dmp

Filesize
3.5MB

Download