48abce626c6ac9b357677257b9aadfa987adb2c237d4ccdd9a8b98a60bae45c8 | Triage

Analysis

max time kernel
104s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
22-04-2022 12:48

Sharing

Report Analysis Logs

General

Target

fichier.exe
Size

127KB
MD5

b66601f980729387a0b71c3203d58a16
SHA1

0cbe635694844b844d0819585c4957ef86395f68
SHA256

48abce626c6ac9b357677257b9aadfa987adb2c237d4ccdd9a8b98a60bae45c8
SHA512

1a94e5b86dc71b4e26866a9c596bdeb3b95fe7f523349a5cdc407258bc50f33afe4939ef3474557c81006fe3a8425dd5693be52eb5bda538e095a113da2ebccb

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 3948 created 4912 3948 svchost.exe fichier.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

fichier.exe

pid process

4912 fichier.exe
4912 fichier.exe
4912 fichier.exe
4912 fichier.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeTcbPrivilege	3948	svchost.exe
Token: SeTcbPrivilege	3948	svchost.exe
Token: SeBackupPrivilege	3948	svchost.exe
Token: SeRestorePrivilege	3948	svchost.exe
Token: SeBackupPrivilege	3948	svchost.exe
Token: SeRestorePrivilege	3948	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

svchost.exe

description	pid	process	target process
PID 3948 wrote to memory of 4760	3948	svchost.exe	fichier.exe
PID 3948 wrote to memory of 4760	3948	svchost.exe	fichier.exe
PID 3948 wrote to memory of 4760	3948	svchost.exe	fichier.exe

C:\Users\Admin\AppData\Local\Temp\fichier.exe
"C:\Users\Admin\AppData\Local\Temp\fichier.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4912

C:\Users\Admin\AppData\Local\Temp\fichier.exe
"C:\Users\Admin\AppData\Local\Temp\fichier.exe" /normal.priviledge
2⤵
PID:4760

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3948

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4760-130-0x0000000000000000-mapping.dmp

Download