Analysis
- max time kernel: 152s
- max time network: 75s
- platform: windows10-2004_x64
- resource: win10v2004-20220718-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220718-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-07-2022 17:42
Behavioral task: behavioral1
- Sample: 4e694e6ec7079b1259abce8bcd4b7da0151a941eb6e1aac684d13e351492b9cd.exe
- Resource: win7-20220718-en
- Platform: windows7-x64
- 3 signatures
- 150 seconds

Behavioral task: behavioral2
- Sample: 4e694e6ec7079b1259abce8bcd4b7da0151a941eb6e1aac684d13e351492b9cd.exe
- Resource: win10v2004-20220718-en
- Platform: windows10-2004-x64
- 3 signatures
- 150 seconds
General
- Target: 4e694e6ec7079b1259abce8bcd4b7da0151a941eb6e1aac684d13e351492b9cd.exe
- Size: 17KB
- MD5: 97b17a58d9327c58363e3ed885ca1435
- SHA1: fb03ccaac36a0994a5ef44906f5ae3615e500ebb
- SHA256: 4e694e6ec7079b1259abce8bcd4b7da0151a941eb6e1aac684d13e351492b9cd
- SHA512: 0e27bd8dfaa7f0d5244c7a5931e31484d194ec780a511609b5d7406d35ed76c7a6fa772b29d01fea2d26887603cc1dc6b16e60b30b9b5d12219dd6c11bf627be
- Score: 1/10
Malware Config

Signatures
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid   process
    1324  powershell.exe
    1324  powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  1176  4e694e6ec7079b1259abce8bcd4b7da0151a941eb6e1aac684d13e351492b9cd.exe
    Token: SeDebugPrivilege  1324  powershell.exe
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes:
    description                       pid   process                                                                  target process
    PID 1176 wrote to memory of 1324  1176  4e694e6ec7079b1259abce8bcd4b7da0151a941eb6e1aac684d13e351492b9cd.exe  powershell.exe
    PID 1176 wrote to memory of 1324  1176  4e694e6ec7079b1259abce8bcd4b7da0151a941eb6e1aac684d13e351492b9cd.exe  powershell.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\4e694e6ec7079b1259abce8bcd4b7da0151a941eb6e1aac684d13e351492b9cd.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4e694e6ec7079b1259abce8bcd4b7da0151a941eb6e1aac684d13e351492b9cd.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell -ExecutionPolicy Bypass -Command [System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms'); [System.Windows.Forms.MessageBox]::Show('Hello World!','Hello!',0,64)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/1176-130-0x00007FF812830000-0x00007FF813266000-memory.dmp (filesize: 10.2MB)
- memory/1324-131-0x0000000000000000-mapping.dmp
- memory/1324-132-0x0000029D4AEF0000-0x0000029D4AF12000-memory.dmp (filesize: 136KB)
- memory/1324-133-0x00007FF811D60000-0x00007FF812821000-memory.dmp (filesize: 10.8MB)
- memory/1324-134-0x00007FF811D60000-0x00007FF812821000-memory.dmp (filesize: 10.8MB)