Analysis

  • max time kernel
    10s
  • max time network
    47s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    30-10-2022 15:22

General

  • Target

    115df9ceb90e6811d86c4c8c4c1765dbe405be5a833d08e5b47446dd179db4ee.exe

  • Size

    164KB

  • MD5

    83559b91b08442e36b42f8be35e8b020

  • SHA1

    f9363079bf42bd1a35c0b111126d861de77d11c6

  • SHA256

    115df9ceb90e6811d86c4c8c4c1765dbe405be5a833d08e5b47446dd179db4ee

  • SHA512

    addb98d5e9494937d1ce1becee1f0c31b653a7d8c181601a4981f18c07ed6095853731db4c9fe66288d321c2d6cf731bf1021948b0286af227bf04be4feb5c36

  • SSDEEP

    3072:0EsUqjkvgA2rROXqDvZ4e/hCL3CQ9vnkuOfpYoizXKv6tF/JQEgUlmy7h/:OpjqgAXsR4e5CL3C+vdOfppIXKSNrp0s

Score
1/10

Malware Config

Signatures

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: MapViewOfSection 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsass.exe
    1⤵
      PID:480
  • C:\Windows\system32\services.exe
    C:\Windows\system32\services.exe
    1⤵
      PID:464
    • C:\Windows\System32\svchost.exe
      C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
      2⤵
        PID:748
    • C:\Windows\system32\sppsvc.exe
      C:\Windows\system32\sppsvc.exe
      2⤵
        PID:1268
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
      2⤵
        PID:1272
    • C:\Windows\system32\taskhost.exe
      "taskhost.exe"
      2⤵
        PID:1116
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
      2⤵
        PID:1068
    • C:\Windows\System32\spoolsv.exe
      C:\Windows\System32\spoolsv.exe
      2⤵
        PID:368
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k NetworkService
      2⤵
        PID:276
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k netsvcs
      2⤵
        PID:872
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k LocalService
      2⤵
        PID:828
    • C:\Windows\System32\svchost.exe
      C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
      2⤵
        PID:792
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k RPCSS
      2⤵
        PID:668
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k DcomLaunch
      2⤵
        PID:592
  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:420
  • C:\Windows\system32\csrss.exe
    %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
    1⤵
      PID:384
  • C:\Windows\system32\wininit.exe
    wininit.exe
    1⤵
      PID:372
    • C:\Windows\system32\lsm.exe
      C:\Windows\system32\lsm.exe
      2⤵
        PID:488
  • \\?\C:\Windows\system32\wbem\WMIADAP.EXE
    wmiadap.exe /F /T /R
    1⤵
      PID:112
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1256
    • C:\Users\Admin\AppData\Local\Temp\115df9ceb90e6811d86c4c8c4c1765dbe405be5a833d08e5b47446dd179db4ee.exe
      "C:\Users\Admin\AppData\Local\Temp\115df9ceb90e6811d86c4c8c4c1765dbe405be5a833d08e5b47446dd179db4ee.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
        PID:1904
  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
      PID:1192

Network

MITRE ATT&CK Matrix

Downloads

  • memory/1904-54-0x00000000762D1000-0x00000000762D3000-memory.dmp
    Filesize: 8KB
  • memory/1904-55-0x0000000000400000-0x000000000042D000-memory.dmp
    Filesize: 180KB
  • memory/1904-56-0x0000000000400000-0x000000000042D000-memory.dmp
    Filesize: 180KB
