c87fa3ba0611689621a7c868d32f9d0bb1e5d557727639b72fc8804f834a3c6c

Analysis

Target

c87fa3ba0611689621a7c868d32f9d0bb1e5d557727639b72fc8804f834a3c6c.exe
Size

497KB
MD5

b90c9796b39b6664c55ec18526bde217
SHA1

ad273a63860bc98579e657adfcc323d55c4dda4c
SHA256

c87fa3ba0611689621a7c868d32f9d0bb1e5d557727639b72fc8804f834a3c6c
SHA512

0d293b649ee1c86df46923df783b63e187cdafe11e1f0af323c863774938b6e85993682ff2cd084b64152dc45e9d51e7f04375af60ebb67bda03c11491f18dc0

Score

1^/10

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

2304 powershell.exe
2304 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2304 powershell.exe

pid	process
2304	powershell.exe
2304	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2304	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

c87fa3ba0611689621a7c868d32f9d0bb1e5d557727639b72fc8804f834a3c6c.execmd.exe

description	pid	process	target process
PID 4776 wrote to memory of 3108	4776	c87fa3ba0611689621a7c868d32f9d0bb1e5d557727639b72fc8804f834a3c6c.exe	cmd.exe
PID 4776 wrote to memory of 3108	4776	c87fa3ba0611689621a7c868d32f9d0bb1e5d557727639b72fc8804f834a3c6c.exe	cmd.exe
PID 4776 wrote to memory of 3108	4776	c87fa3ba0611689621a7c868d32f9d0bb1e5d557727639b72fc8804f834a3c6c.exe	cmd.exe
PID 3108 wrote to memory of 2304	3108	cmd.exe	powershell.exe
PID 3108 wrote to memory of 2304	3108	cmd.exe	powershell.exe
PID 3108 wrote to memory of 2304	3108	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\c87fa3ba0611689621a7c868d32f9d0bb1e5d557727639b72fc8804f834a3c6c.exe
"C:\Users\Admin\AppData\Local\Temp\c87fa3ba0611689621a7c868d32f9d0bb1e5d557727639b72fc8804f834a3c6c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4776

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\c87fa3ba0611689621a7c868d32f9d0bb1e5d557727639b72fc8804f834a3c6c.exe' & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:3108

memory/2304-142-0x00000000076F0000-0x0000000007D6A000-memory.dmp

Filesize
6.5MB

Download
memory/2304-136-0x0000000000000000-mapping.dmp

Download
memory/2304-144-0x0000000007110000-0x00000000071A6000-memory.dmp

Filesize
600KB

Download
memory/2304-145-0x00000000070A0000-0x00000000070C2000-memory.dmp

Filesize
136KB

Download
memory/2304-138-0x00000000053B0000-0x00000000059D8000-memory.dmp

Filesize
6.2MB

Download
memory/2304-143-0x0000000006600000-0x000000000661A000-memory.dmp

Filesize
104KB

Download
memory/2304-141-0x0000000006080000-0x000000000609E000-memory.dmp

Filesize
120KB

Download
memory/2304-137-0x00000000027D0000-0x0000000002806000-memory.dmp

Filesize
216KB

Download
memory/2304-140-0x00000000059E0000-0x0000000005A46000-memory.dmp

Filesize
408KB

Download
memory/2304-139-0x0000000005230000-0x0000000005252000-memory.dmp

Filesize
136KB

Download
memory/3108-135-0x0000000000000000-mapping.dmp

Download
memory/4776-134-0x00000000051E0000-0x0000000005272000-memory.dmp

Filesize
584KB

Download
memory/4776-131-0x0000000004C40000-0x0000000004CA6000-memory.dmp

Filesize
408KB

Download
memory/4776-130-0x0000000000170000-0x00000000001F2000-memory.dmp

Filesize
520KB

Download
memory/4776-133-0x0000000004E50000-0x0000000004EEC000-memory.dmp

Filesize
624KB

Download
memory/4776-132-0x0000000005590000-0x0000000005B34000-memory.dmp

Filesize
5.6MB

Download