72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123

Analysis

max time kernel
37s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
11/10/2022, 21:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123.exe
Size

51KB
MD5

6aee72d9fe37d2806a47754bd6b7ae20
SHA1

690f906309fb5c97fcf6654bbed48b90802c9c99
SHA256

72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123
SHA512

5cb6e7a1ce3be821dbac99750381497695704234847e8c2544a55c9acf88daa38d7279dbd202b334d146ca5087bb3a45ff09f597dcd8471498a55f1bded25210
SSDEEP

768:PyglgWI4DtKWfT4xCxDLn8LNj+VGjg4xzOmcwcZ0IAy9AjMraqKcVgTg:qglljtK9CxDLoR+eFT2hAyegaPcVg

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2008	72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123.exe

Suspicious behavior: MapViewOfSection 21 IoCs

pid	Process
2008	72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123.exe
2008	72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123.exe
2008	72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123.exe
2008	72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123.exe
2008	72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123.exe
2008	72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123.exe
2008	72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123.exe
2008	72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123.exe
2008	72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123.exe
2008	72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123.exe
2008	72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123.exe
2008	72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123.exe
2008	72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123.exe
2008	72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123.exe
2008	72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123.exe
2008	72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123.exe
2008	72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123.exe
2008	72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123.exe
2008	72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123.exe
2008	72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123.exe
2008	72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2008	72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 368	2008	72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123.exe	5
PID 2008 wrote to memory of 368	2008	72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123.exe	5
PID 2008 wrote to memory of 368	2008	72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123.exe	5
PID 2008 wrote to memory of 368	2008	72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123.exe	5
PID 2008 wrote to memory of 368	2008	72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123.exe	5
PID 2008 wrote to memory of 368	2008	72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123.exe	5
PID 2008 wrote to memory of 368	2008	72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123.exe	5
PID 2008 wrote to memory of 380	2008	72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123.exe	4
PID 2008 wrote to memory of 380	2008	72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123.exe	4
PID 2008 wrote to memory of 380	2008	72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123.exe	4
PID 2008 wrote to memory of 380	2008	72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123.exe	4
PID 2008 wrote to memory of 380	2008	72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123.exe	4
PID 2008 wrote to memory of 380	2008	72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123.exe	4
PID 2008 wrote to memory of 380	2008	72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123.exe	4
PID 2008 wrote to memory of 416	2008	72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123.exe	3
PID 2008 wrote to memory of 416	2008	72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123.exe	3
PID 2008 wrote to memory of 416	2008	72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123.exe	3
PID 2008 wrote to memory of 416	2008	72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123.exe	3
PID 2008 wrote to memory of 416	2008	72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123.exe	3
PID 2008 wrote to memory of 416	2008	72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123.exe	3
PID 2008 wrote to memory of 416	2008	72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123.exe	3
PID 2008 wrote to memory of 460	2008	72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123.exe	2
PID 2008 wrote to memory of 460	2008	72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123.exe	2
PID 2008 wrote to memory of 460	2008	72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123.exe	2
PID 2008 wrote to memory of 460	2008	72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123.exe	2
PID 2008 wrote to memory of 460	2008	72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123.exe	2
PID 2008 wrote to memory of 460	2008	72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123.exe	2
PID 2008 wrote to memory of 460	2008	72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123.exe	2
PID 2008 wrote to memory of 480	2008	72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123.exe	1
PID 2008 wrote to memory of 480	2008	72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123.exe	1
PID 2008 wrote to memory of 480	2008	72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123.exe	1
PID 2008 wrote to memory of 480	2008	72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123.exe	1
PID 2008 wrote to memory of 480	2008	72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123.exe	1
PID 2008 wrote to memory of 480	2008	72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123.exe	1
PID 2008 wrote to memory of 480	2008	72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123.exe	1
PID 2008 wrote to memory of 488	2008	72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123.exe	25
PID 2008 wrote to memory of 488	2008	72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123.exe	25
PID 2008 wrote to memory of 488	2008	72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123.exe	25
PID 2008 wrote to memory of 488	2008	72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123.exe	25
PID 2008 wrote to memory of 488	2008	72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123.exe	25
PID 2008 wrote to memory of 488	2008	72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123.exe	25
PID 2008 wrote to memory of 488	2008	72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123.exe	25
PID 2008 wrote to memory of 600	2008	72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123.exe	24
PID 2008 wrote to memory of 600	2008	72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123.exe	24
PID 2008 wrote to memory of 600	2008	72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123.exe	24
PID 2008 wrote to memory of 600	2008	72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123.exe	24
PID 2008 wrote to memory of 600	2008	72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123.exe	24
PID 2008 wrote to memory of 600	2008	72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123.exe	24
PID 2008 wrote to memory of 600	2008	72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123.exe	24
PID 2008 wrote to memory of 680	2008	72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123.exe	23
PID 2008 wrote to memory of 680	2008	72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123.exe	23
PID 2008 wrote to memory of 680	2008	72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123.exe	23
PID 2008 wrote to memory of 680	2008	72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123.exe	23
PID 2008 wrote to memory of 680	2008	72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123.exe	23
PID 2008 wrote to memory of 680	2008	72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123.exe	23
PID 2008 wrote to memory of 680	2008	72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123.exe	23
PID 2008 wrote to memory of 768	2008	72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123.exe	22
PID 2008 wrote to memory of 768	2008	72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123.exe	22
PID 2008 wrote to memory of 768	2008	72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123.exe	22
PID 2008 wrote to memory of 768	2008	72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123.exe	22
PID 2008 wrote to memory of 768	2008	72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123.exe	22
PID 2008 wrote to memory of 768	2008	72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123.exe	22
PID 2008 wrote to memory of 768	2008	72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123.exe	22
PID 2008 wrote to memory of 812	2008	72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123.exe	7

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:480

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:460
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:812
- - C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    3⤵
    PID:1340
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:1184
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:1620
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1240
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1044
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:304
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:336
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  PID:880
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:848
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:768
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:680
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:600

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:416

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:380

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:368
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:488

\\?\C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:2028

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1380
- C:\Users\Admin\AppData\Local\Temp\72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123.exe
  "C:\Users\Admin\AppData\Local\Temp\72a944d1f0bdd0de264a70a9e810138c836cf2f60fdf5d421175caeae1e6b123.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2008

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2008-54-0x0000000001000000-0x0000000001011000-memory.dmp

Filesize
68KB

Download
memory/2008-55-0x0000000001000000-0x0000000001011000-memory.dmp

Filesize
68KB

Download