c87fa3ba0611689621a7c868d32f9d0bb1e5d557727639b72fc8804f834a3c6c

Analysis

Target

c87fa3ba0611689621a7c868d32f9d0bb1e5d557727639b72fc8804f834a3c6c.exe
Size

497KB
MD5

b90c9796b39b6664c55ec18526bde217
SHA1

ad273a63860bc98579e657adfcc323d55c4dda4c
SHA256

c87fa3ba0611689621a7c868d32f9d0bb1e5d557727639b72fc8804f834a3c6c
SHA512

0d293b649ee1c86df46923df783b63e187cdafe11e1f0af323c863774938b6e85993682ff2cd084b64152dc45e9d51e7f04375af60ebb67bda03c11491f18dc0

Score

1^/10

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2304	powershell.exe
2304	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2304	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4776 wrote to memory of 3108	4776	c87fa3ba0611689621a7c868d32f9d0bb1e5d557727639b72fc8804f834a3c6c.exe	82
PID 4776 wrote to memory of 3108	4776	c87fa3ba0611689621a7c868d32f9d0bb1e5d557727639b72fc8804f834a3c6c.exe	82
PID 4776 wrote to memory of 3108	4776	c87fa3ba0611689621a7c868d32f9d0bb1e5d557727639b72fc8804f834a3c6c.exe	82
PID 3108 wrote to memory of 2304	3108	cmd.exe	83
PID 3108 wrote to memory of 2304	3108	cmd.exe	83
PID 3108 wrote to memory of 2304	3108	cmd.exe	83

C:\Users\Admin\AppData\Local\Temp\c87fa3ba0611689621a7c868d32f9d0bb1e5d557727639b72fc8804f834a3c6c.exe
"C:\Users\Admin\AppData\Local\Temp\c87fa3ba0611689621a7c868d32f9d0bb1e5d557727639b72fc8804f834a3c6c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4776
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\c87fa3ba0611689621a7c868d32f9d0bb1e5d557727639b72fc8804f834a3c6c.exe' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3108
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\c87fa3ba0611689621a7c868d32f9d0bb1e5d557727639b72fc8804f834a3c6c.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2304

memory/2304-142-0x00000000076F0000-0x0000000007D6A000-memory.dmp

Filesize
6.5MB

Download
memory/2304-144-0x0000000007110000-0x00000000071A6000-memory.dmp

Filesize
600KB

Download
memory/2304-145-0x00000000070A0000-0x00000000070C2000-memory.dmp

Filesize
136KB

Download
memory/2304-138-0x00000000053B0000-0x00000000059D8000-memory.dmp

Filesize
6.2MB

Download
memory/2304-143-0x0000000006600000-0x000000000661A000-memory.dmp

Filesize
104KB

Download
memory/2304-141-0x0000000006080000-0x000000000609E000-memory.dmp

Filesize
120KB

Download
memory/2304-137-0x00000000027D0000-0x0000000002806000-memory.dmp

Filesize
216KB

Download
memory/2304-140-0x00000000059E0000-0x0000000005A46000-memory.dmp

Filesize
408KB

Download
memory/2304-139-0x0000000005230000-0x0000000005252000-memory.dmp

Filesize
136KB

Download
memory/4776-134-0x00000000051E0000-0x0000000005272000-memory.dmp

Filesize
584KB

Download
memory/4776-131-0x0000000004C40000-0x0000000004CA6000-memory.dmp

Filesize
408KB

Download
memory/4776-130-0x0000000000170000-0x00000000001F2000-memory.dmp

Filesize
520KB

Download
memory/4776-133-0x0000000004E50000-0x0000000004EEC000-memory.dmp

Filesize
624KB

Download
memory/4776-132-0x0000000005590000-0x0000000005B34000-memory.dmp

Filesize
5.6MB

Download