66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535

Analysis

max time kernel
38s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
11/10/2022, 10:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535.exe
Size

158KB
MD5

485fa0b2097ba0ba39b36db0c42e5e40
SHA1

6feb4536750d596f4752d08c79dfbe0aa3da3d9b
SHA256

66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535
SHA512

a9bcc2d8f78e9a980b67e2f7c827fb9231d88d588b7985ad7e96a26ee1f8efb3448ed7d705c1ba61fd7901182f390cd368ad81adb3d404fcb6ee0f56b11d57b7
SSDEEP

3072:GYd4SauvASFAICgKOKaeqUKOpVk/qfWJTfS1n37My6WJh00d:GYd4SseKRaeqUp3WJrMA4h0y

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1512	66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535.exe

Suspicious behavior: MapViewOfSection 22 IoCs

pid	Process
1512	66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535.exe
1512	66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535.exe
1512	66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535.exe
1512	66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535.exe
1512	66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535.exe
1512	66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535.exe
1512	66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535.exe
1512	66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535.exe
1512	66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535.exe
1512	66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535.exe
1512	66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535.exe
1512	66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535.exe
1512	66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535.exe
1512	66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535.exe
1512	66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535.exe
1512	66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535.exe
1512	66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535.exe
1512	66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535.exe
1512	66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535.exe
1512	66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535.exe
1512	66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535.exe
1512	66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1512	66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1512 wrote to memory of 368	1512	66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535.exe	5
PID 1512 wrote to memory of 368	1512	66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535.exe	5
PID 1512 wrote to memory of 368	1512	66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535.exe	5
PID 1512 wrote to memory of 368	1512	66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535.exe	5
PID 1512 wrote to memory of 368	1512	66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535.exe	5
PID 1512 wrote to memory of 368	1512	66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535.exe	5
PID 1512 wrote to memory of 380	1512	66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535.exe	4
PID 1512 wrote to memory of 380	1512	66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535.exe	4
PID 1512 wrote to memory of 380	1512	66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535.exe	4
PID 1512 wrote to memory of 380	1512	66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535.exe	4
PID 1512 wrote to memory of 380	1512	66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535.exe	4
PID 1512 wrote to memory of 380	1512	66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535.exe	4
PID 1512 wrote to memory of 416	1512	66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535.exe	3
PID 1512 wrote to memory of 416	1512	66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535.exe	3
PID 1512 wrote to memory of 416	1512	66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535.exe	3
PID 1512 wrote to memory of 416	1512	66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535.exe	3
PID 1512 wrote to memory of 416	1512	66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535.exe	3
PID 1512 wrote to memory of 416	1512	66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535.exe	3
PID 1512 wrote to memory of 464	1512	66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535.exe	2
PID 1512 wrote to memory of 464	1512	66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535.exe	2
PID 1512 wrote to memory of 464	1512	66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535.exe	2
PID 1512 wrote to memory of 464	1512	66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535.exe	2
PID 1512 wrote to memory of 464	1512	66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535.exe	2
PID 1512 wrote to memory of 464	1512	66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535.exe	2
PID 1512 wrote to memory of 472	1512	66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535.exe	1
PID 1512 wrote to memory of 472	1512	66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535.exe	1
PID 1512 wrote to memory of 472	1512	66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535.exe	1
PID 1512 wrote to memory of 472	1512	66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535.exe	1
PID 1512 wrote to memory of 472	1512	66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535.exe	1
PID 1512 wrote to memory of 472	1512	66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535.exe	1
PID 1512 wrote to memory of 480	1512	66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535.exe	8
PID 1512 wrote to memory of 480	1512	66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535.exe	8
PID 1512 wrote to memory of 480	1512	66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535.exe	8
PID 1512 wrote to memory of 480	1512	66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535.exe	8
PID 1512 wrote to memory of 480	1512	66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535.exe	8
PID 1512 wrote to memory of 480	1512	66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535.exe	8
PID 1512 wrote to memory of 588	1512	66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535.exe	25
PID 1512 wrote to memory of 588	1512	66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535.exe	25
PID 1512 wrote to memory of 588	1512	66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535.exe	25
PID 1512 wrote to memory of 588	1512	66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535.exe	25
PID 1512 wrote to memory of 588	1512	66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535.exe	25
PID 1512 wrote to memory of 588	1512	66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535.exe	25
PID 1512 wrote to memory of 668	1512	66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535.exe	9
PID 1512 wrote to memory of 668	1512	66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535.exe	9
PID 1512 wrote to memory of 668	1512	66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535.exe	9
PID 1512 wrote to memory of 668	1512	66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535.exe	9
PID 1512 wrote to memory of 668	1512	66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535.exe	9
PID 1512 wrote to memory of 668	1512	66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535.exe	9
PID 1512 wrote to memory of 752	1512	66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535.exe	10
PID 1512 wrote to memory of 752	1512	66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535.exe	10
PID 1512 wrote to memory of 752	1512	66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535.exe	10
PID 1512 wrote to memory of 752	1512	66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535.exe	10
PID 1512 wrote to memory of 752	1512	66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535.exe	10
PID 1512 wrote to memory of 752	1512	66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535.exe	10
PID 1512 wrote to memory of 816	1512	66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535.exe	11
PID 1512 wrote to memory of 816	1512	66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535.exe	11
PID 1512 wrote to memory of 816	1512	66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535.exe	11
PID 1512 wrote to memory of 816	1512	66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535.exe	11
PID 1512 wrote to memory of 816	1512	66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535.exe	11
PID 1512 wrote to memory of 816	1512	66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535.exe	11
PID 1512 wrote to memory of 840	1512	66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535.exe	24
PID 1512 wrote to memory of 840	1512	66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535.exe	24
PID 1512 wrote to memory of 840	1512	66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535.exe	24
PID 1512 wrote to memory of 840	1512	66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535.exe	24

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:472

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:464
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:668
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:752
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:816
- - C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    3⤵
    PID:1172
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  PID:884
- - \\?\C:\Windows\system32\wbem\WMIADAP.EXE
    wmiadap.exe /F /T /R
    3⤵
    PID:1416
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:1036
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:1288
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:968
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1108
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1100
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:328
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:840
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:588

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:416

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:380
- C:\Windows\system32\conhost.exe
  \??\C:\Windows\system32\conhost.exe "428094925-12855440941120322652-18436595881736559468801510243-755531565540735492"
  2⤵
  PID:1360

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:368
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:480

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200
- C:\Users\Admin\AppData\Local\Temp\66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535.exe
  "C:\Users\Admin\AppData\Local\Temp\66a528a731664f52d40239837e81a9ea158e990b0d0f8e4c895d0510cd01e535.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1512

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1512-54-0x00000000756A1000-0x00000000756A3000-memory.dmp

Filesize
8KB

Download
memory/1512-55-0x0000000001000000-0x0000000001030000-memory.dmp

Filesize
192KB

Download