149ed212e4cc99a940a98c23e3713c1b91cbd90377ed47dd8fbef0a9d260196c

Analysis

max time kernel
1817s
max time network
1159s
platform
windows10-2004_x64
resource
win10v2004-20220722-en
resource tags

arch:x64arch:x86image:win10v2004-20220722-enlocale:en-usos:windows10-2004-x64system
submitted
24-07-2022 15:13

Target

MSI Center_1.0.38.0.exe
Size

442.7MB
MD5

e532fe9dd47f907c0703208eb6b25ff6
SHA1

dab73d8130571f993299a0b643325e04c4d12def
SHA256

149ed212e4cc99a940a98c23e3713c1b91cbd90377ed47dd8fbef0a9d260196c
SHA512

ad02b620f5984737f8eadfc148a7f852684fd8e39353100c2b92c460965984565e3e1fc6c5592333b44a9f01cc3e6bd67935f7767678ba7f58599c5b06480ada

Score

8^/10

Executes dropped EXE 1 IoCs

Processes:

MSI Center_1.0.38.0.tmp

pid	Process
2168	MSI Center_1.0.38.0.tmp

Kills process with taskkill 1 IoCs

evasion

Processes:

taskkill.exe

pid	Process
3504	taskkill.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description	pid	Process
Token: SeDebugPrivilege	3504	taskkill.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

MSI Center_1.0.38.0.exeMSI Center_1.0.38.0.tmp

description	pid	Process	procid_target
PID 2360 wrote to memory of 2168	2360	MSI Center_1.0.38.0.exe	78
PID 2360 wrote to memory of 2168	2360	MSI Center_1.0.38.0.exe	78
PID 2360 wrote to memory of 2168	2360	MSI Center_1.0.38.0.exe	78
PID 2168 wrote to memory of 3504	2168	MSI Center_1.0.38.0.tmp	79
PID 2168 wrote to memory of 3504	2168	MSI Center_1.0.38.0.tmp	79
PID 2168 wrote to memory of 3504	2168	MSI Center_1.0.38.0.tmp	79

C:\Users\Admin\AppData\Local\Temp\MSI Center_1.0.38.0.exe
"C:\Users\Admin\AppData\Local\Temp\MSI Center_1.0.38.0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Users\Admin\AppData\Local\Temp\is-96D7F.tmp\MSI Center_1.0.38.0.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-96D7F.tmp\MSI Center_1.0.38.0.tmp" /SL5="$701CA,463670121,140800,C:\Users\Admin\AppData\Local\Temp\MSI Center_1.0.38.0.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2168
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /f /im DCv2.exe /t
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3504

C:\Users\Admin\AppData\Local\Temp\is-96D7F.tmp\MSI Center_1.0.38.0.tmp

Filesize
1.4MB

MD5
d3c7a070ba8b15d74ab36cbe9ae29f50

SHA1
7e4911f81616d82706320e1063a64882133d1e89

SHA256
7cb2fdf5c9703462e8b6d9c2a1daf6583e6157118b1304b943e86d9529719b02

SHA512
78a936646510514b1a5bb95920103493849bc90e517897754bf1ac8b431e2e2f10f18f3e58e394ba1c95d787ec874b7b6efc27f9900f9d2906ed0cf6f11a2f6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-96D7F.tmp\MSI Center_1.0.38.0.tmp

Filesize
1.4MB

MD5
d3c7a070ba8b15d74ab36cbe9ae29f50

SHA1
7e4911f81616d82706320e1063a64882133d1e89

SHA256
7cb2fdf5c9703462e8b6d9c2a1daf6583e6157118b1304b943e86d9529719b02

SHA512
78a936646510514b1a5bb95920103493849bc90e517897754bf1ac8b431e2e2f10f18f3e58e394ba1c95d787ec874b7b6efc27f9900f9d2906ed0cf6f11a2f6f

Download Submit
memory/2168-135-0x0000000000000000-mapping.dmp

Download
memory/2360-132-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2360-134-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2360-139-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3504-138-0x0000000000000000-mapping.dmp

Download