Analysis
Max time kernel: 7s
Max time network: 125s
Platform: windows10-2004_x64
Resource: win10v2004-20220414-en
Submitted: 14-05-2022 14:18
Static task: static1
Behavioral task: behavioral1
  Sample: de3eafb5fa64237cb2d54949c432f19c.exe
  Resource: win7-20220414-en (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: de3eafb5fa64237cb2d54949c432f19c.exe
  Resource: win10v2004-20220414-en (windows10-2004_x64)
  0 signatures, 0 seconds
General
Target: de3eafb5fa64237cb2d54949c432f19c.exe
Size: 2.0MB
MD5: de3eafb5fa64237cb2d54949c432f19c
SHA1: bbb3d8d70e1416241b469c3f58596986957ac39d
SHA256: 93d2edbc498f6f8689223bcb079143a97627efe9c1f7b23687a94a1eaf223d78
SHA512: e01e963313fdede9144ddd4133a2f101177659902d821c994527ab4db627d5ce56e2e34d8c818b4bcbebe2fdfe74e9f0d15b715afa5df89ecfbe8eb73427b0c6
Score: 1/10
Malware Config
Signatures
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  description                    pid   process
  Token: SeLoadDriverPrivilege   4692  de3eafb5fa64237cb2d54949c432f19c.exe
  Token: SeLoadDriverPrivilege   4692  de3eafb5fa64237cb2d54949c432f19c.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  description                        pid   process                                target process
  PID 4692 wrote to memory of 1216   4692  de3eafb5fa64237cb2d54949c432f19c.exe   cmd.exe
  PID 4692 wrote to memory of 1216   4692  de3eafb5fa64237cb2d54949c432f19c.exe   cmd.exe
  PID 4692 wrote to memory of 1216   4692  de3eafb5fa64237cb2d54949c432f19c.exe   cmd.exe
  PID 4692 wrote to memory of 1216   4692  de3eafb5fa64237cb2d54949c432f19c.exe   cmd.exe
  PID 4692 wrote to memory of 1216   4692  de3eafb5fa64237cb2d54949c432f19c.exe   cmd.exe
  PID 4692 wrote to memory of 1216   4692  de3eafb5fa64237cb2d54949c432f19c.exe   cmd.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\de3eafb5fa64237cb2d54949c432f19c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\de3eafb5fa64237cb2d54949c432f19c.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (child of the process above)
    Command line: C:\Windows\system32\cmd.exe /c md C:\DownLoad-Helper