844f97490d18394f1ded6f22c04c9cbdcc9a07ec9c82fadc96e9566c13d74e0d

Analysis

max time kernel
51s
max time network
48s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
31-08-2022 12:39

Target

Revised Order.exe
Size

719KB
MD5

b08e56476b8ff662883f5774c842c94b
SHA1

4d4f8efd50e314753ce3196d843de956cf0db10a
SHA256

6566cde4ba73cc0316c3de8c2c23c90aa6f76bd4d824d45b5b5c1d23d2655d16
SHA512

10b6fb1979044f7e34242943a8e0a85358feeb5df942542afd6d4e519ab19ee1be10fe6bc283009b2c5242f83f45c5897a11da69ae3cd98c7856997caa553df7
SSDEEP

12288:KHSLWwbdVvpc++Zg/2PRmn0DYp3RbXpNkWXKavjkAH4l3iIlhQNXSmNy:cSLWeJpSZgdu8RNCWXKM0iIlgXO

Score

1^/10

Suspicious behavior: EnumeratesProcesses 6 IoCs

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1708	Revised Order.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 1244	1708	Revised Order.exe	27
PID 1708 wrote to memory of 1244	1708	Revised Order.exe	27
PID 1708 wrote to memory of 1244	1708	Revised Order.exe	27
PID 1708 wrote to memory of 1244	1708	Revised Order.exe	27
PID 1708 wrote to memory of 1380	1708	Revised Order.exe	28
PID 1708 wrote to memory of 1380	1708	Revised Order.exe	28
PID 1708 wrote to memory of 1380	1708	Revised Order.exe	28
PID 1708 wrote to memory of 1380	1708	Revised Order.exe	28
PID 1708 wrote to memory of 1668	1708	Revised Order.exe	31
PID 1708 wrote to memory of 1668	1708	Revised Order.exe	31
PID 1708 wrote to memory of 1668	1708	Revised Order.exe	31
PID 1708 wrote to memory of 1668	1708	Revised Order.exe	31
PID 1708 wrote to memory of 1260	1708	Revised Order.exe	30
PID 1708 wrote to memory of 1260	1708	Revised Order.exe	30
PID 1708 wrote to memory of 1260	1708	Revised Order.exe	30
PID 1708 wrote to memory of 1260	1708	Revised Order.exe	30
PID 1708 wrote to memory of 1304	1708	Revised Order.exe	29
PID 1708 wrote to memory of 1304	1708	Revised Order.exe	29
PID 1708 wrote to memory of 1304	1708	Revised Order.exe	29
PID 1708 wrote to memory of 1304	1708	Revised Order.exe	29

C:\Users\Admin\AppData\Local\Temp\Revised Order.exe
"C:\Users\Admin\AppData\Local\Temp\Revised Order.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Users\Admin\AppData\Local\Temp\Revised Order.exe
  "C:\Users\Admin\AppData\Local\Temp\Revised Order.exe"
  2⤵
  PID:1244
- C:\Users\Admin\AppData\Local\Temp\Revised Order.exe
  "C:\Users\Admin\AppData\Local\Temp\Revised Order.exe"
  2⤵
  PID:1380
- C:\Users\Admin\AppData\Local\Temp\Revised Order.exe
  "C:\Users\Admin\AppData\Local\Temp\Revised Order.exe"
  2⤵
  PID:1304
- C:\Users\Admin\AppData\Local\Temp\Revised Order.exe
  "C:\Users\Admin\AppData\Local\Temp\Revised Order.exe"
  2⤵
  PID:1260
- C:\Users\Admin\AppData\Local\Temp\Revised Order.exe
  "C:\Users\Admin\AppData\Local\Temp\Revised Order.exe"
  2⤵
  PID:1668

memory/1708-54-0x00000000003E0000-0x000000000049A000-memory.dmp

Filesize
744KB

Download
memory/1708-55-0x0000000076041000-0x0000000076043000-memory.dmp

Filesize
8KB

Download
memory/1708-56-0x0000000000370000-0x0000000000394000-memory.dmp

Filesize
144KB

Download
memory/1708-57-0x00000000004A0000-0x00000000004AC000-memory.dmp

Filesize
48KB

Download
memory/1708-58-0x0000000005EE0000-0x0000000005F48000-memory.dmp

Filesize
416KB

Download
memory/1708-59-0x0000000004C10000-0x0000000004C3C000-memory.dmp

Filesize
176KB

Download