a17a1e3d36d43635824f1e95c2da7e0ed48e4a6fc1d27c5c00aee20790827668

Analysis

max time kernel
149s
max time network
155s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
04-10-2022 01:36

Target

a17a1e3d36d43635824f1e95c2da7e0ed48e4a6fc1d27c5c00aee20790827668.exe
Size

25KB
MD5

69c4d8353b96fba43deed513eb781f93
SHA1

4b3c0f5c96e6e5ee1aa49687d8b2e19b2f19c59d
SHA256

a17a1e3d36d43635824f1e95c2da7e0ed48e4a6fc1d27c5c00aee20790827668
SHA512

84427ed6c0bfa0240374aa8f772bc456704336186823416078a0bc58ca1d520fb47e4796f9ab80433e247f27262cc4113c91aed6d982f28cec5a7be31940f202
SSDEEP

384:u+m5kNVZXha/HJveCAqnnzgbJWQZjlkr6aeNQ3wdRl3b8Zs2JO6CmL+m2/W2ig2F:6yNgpvVgNKrd36RlraOfmRgAQ9q

Score

1^/10

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1520	a17a1e3d36d43635824f1e95c2da7e0ed48e4a6fc1d27c5c00aee20790827668.exe
1520	a17a1e3d36d43635824f1e95c2da7e0ed48e4a6fc1d27c5c00aee20790827668.exe
1520	a17a1e3d36d43635824f1e95c2da7e0ed48e4a6fc1d27c5c00aee20790827668.exe
1520	a17a1e3d36d43635824f1e95c2da7e0ed48e4a6fc1d27c5c00aee20790827668.exe
1520	a17a1e3d36d43635824f1e95c2da7e0ed48e4a6fc1d27c5c00aee20790827668.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1520	a17a1e3d36d43635824f1e95c2da7e0ed48e4a6fc1d27c5c00aee20790827668.exe
1520	a17a1e3d36d43635824f1e95c2da7e0ed48e4a6fc1d27c5c00aee20790827668.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1520	a17a1e3d36d43635824f1e95c2da7e0ed48e4a6fc1d27c5c00aee20790827668.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1520 wrote to memory of 1780	1520	a17a1e3d36d43635824f1e95c2da7e0ed48e4a6fc1d27c5c00aee20790827668.exe	28
PID 1520 wrote to memory of 1780	1520	a17a1e3d36d43635824f1e95c2da7e0ed48e4a6fc1d27c5c00aee20790827668.exe	28
PID 1520 wrote to memory of 1780	1520	a17a1e3d36d43635824f1e95c2da7e0ed48e4a6fc1d27c5c00aee20790827668.exe	28
PID 1520 wrote to memory of 1780	1520	a17a1e3d36d43635824f1e95c2da7e0ed48e4a6fc1d27c5c00aee20790827668.exe	28

C:\Users\Admin\AppData\Local\Temp\a17a1e3d36d43635824f1e95c2da7e0ed48e4a6fc1d27c5c00aee20790827668.exe
"C:\Users\Admin\AppData\Local\Temp\a17a1e3d36d43635824f1e95c2da7e0ed48e4a6fc1d27c5c00aee20790827668.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Windows\syswow64\svchost.exe
  C:\Windows\syswow64\svchost.exe
  2⤵
  PID:1780

memory/1520-54-0x0000000074D61000-0x0000000074D63000-memory.dmp

Filesize
8KB

Download
memory/1520-55-0x0000000001EA0000-0x0000000002EA0000-memory.dmp

Filesize
16.0MB

Download
memory/1780-56-0x0000000000000000-mapping.dmp

Download
memory/1780-58-0x00000000000C0000-0x00000000000CA000-memory.dmp

Filesize
40KB

Download
memory/1780-59-0x0000000000980000-0x0000000000988000-memory.dmp

Filesize
32KB

Download