Analysis
- max time kernel: 104s
- max time network: 105s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 22-04-2022 12:48
Static task: static1
Behavioral task: behavioral1
- Sample: fichier.exe
- Resource: win7-20220414-en
- 0 signatures
- 0 seconds
Behavioral task: behavioral2
- Sample: fichier.exe
- Resource: win10v2004-20220414-en
- 0 signatures
- 0 seconds
General
- Target: fichier.exe
- Size: 127KB
- MD5: b66601f980729387a0b71c3203d58a16
- SHA1: 0cbe635694844b844d0819585c4957ef86395f68
- SHA256: 48abce626c6ac9b357677257b9aadfa987adb2c237d4ccdd9a8b98a60bae45c8
- SHA512: 1a94e5b86dc71b4e26866a9c596bdeb3b95fe7f523349a5cdc407258bc50f33afe4939ef3474557c81006fe3a8425dd5693be52eb5bda538e095a113da2ebccb
Score: 10/10
Malware Config
Signatures
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  Processes (svchost.exe):
    description                       pid   process      target process
    PID 3948 created 4912             3948  svchost.exe  fichier.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes (fichier.exe):
    pid   process
    4912  fichier.exe
    4912  fichier.exe
    4912  fichier.exe
    4912  fichier.exe
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes (svchost.exe):
    description                       pid   process
    Token: SeTcbPrivilege             3948  svchost.exe
    Token: SeTcbPrivilege             3948  svchost.exe
    Token: SeBackupPrivilege          3948  svchost.exe
    Token: SeRestorePrivilege         3948  svchost.exe
    Token: SeBackupPrivilege          3948  svchost.exe
    Token: SeRestorePrivilege         3948  svchost.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (svchost.exe):
    description                       pid   process      target process
    PID 3948 wrote to memory of 4760  3948  svchost.exe  fichier.exe
    PID 3948 wrote to memory of 4760  3948  svchost.exe  fichier.exe
    PID 3948 wrote to memory of 4760  3948  svchost.exe  fichier.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\fichier.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\fichier.exe"
  - Suspicious behavior: EnumeratesProcesses
  - child: C:\Users\Admin\AppData\Local\Temp\fichier.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\fichier.exe" /normal.priviledge
- C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix
Downloads
- memory/4760-130-0x0000000000000000-mapping.dmp