60280e68d271a6d491eae63a6fd80d369bd057c46f596529d3366213b690d4cf

Analysis

max time kernel
177s
max time network
195s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07-11-2022 15:50

Target

60280e68d271a6d491eae63a6fd80d369bd057c46f596529d3366213b690d4cf.exe
Size

485KB
MD5

0ee6d60f5b2472fd775f0c7ed782ccfc
SHA1

35b668a98560cbe6a0656f99e4623e8c992f836d
SHA256

60280e68d271a6d491eae63a6fd80d369bd057c46f596529d3366213b690d4cf
SHA512

fd8f1b78601afb43b32a664604acd961102069511f2954a4f010cd6474b90725fb014998c2925b028e53ece159b230b367978c9b20032b04d72c3593036bd7f8
SSDEEP

12288:QFTPB2gQw1TmUfK67NR5LYyz34qz6IeDPAB8xM:gQwdmUfKSNR5kyboIYPAB8

Score

8^/10

Executes dropped EXE 1 IoCs

pid	Process
736	exploret.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\exploret.exe	60280e68d271a6d491eae63a6fd80d369bd057c46f596529d3366213b690d4cf.exe
File opened for modification	C:\Windows\exploret.exe	60280e68d271a6d491eae63a6fd80d369bd057c46f596529d3366213b690d4cf.exe
File created	C:\Windows\uninstal.Bat	60280e68d271a6d491eae63a6fd80d369bd057c46f596529d3366213b690d4cf.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4988	60280e68d271a6d491eae63a6fd80d369bd057c46f596529d3366213b690d4cf.exe
Token: SeDebugPrivilege	736	exploret.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
736	exploret.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 736 wrote to memory of 460	736	exploret.exe	80
PID 736 wrote to memory of 460	736	exploret.exe	80
PID 736 wrote to memory of 460	736	exploret.exe	80
PID 4988 wrote to memory of 664	4988	60280e68d271a6d491eae63a6fd80d369bd057c46f596529d3366213b690d4cf.exe	79
PID 4988 wrote to memory of 664	4988	60280e68d271a6d491eae63a6fd80d369bd057c46f596529d3366213b690d4cf.exe	79
PID 4988 wrote to memory of 664	4988	60280e68d271a6d491eae63a6fd80d369bd057c46f596529d3366213b690d4cf.exe	79

C:\Users\Admin\AppData\Local\Temp\60280e68d271a6d491eae63a6fd80d369bd057c46f596529d3366213b690d4cf.exe
"C:\Users\Admin\AppData\Local\Temp\60280e68d271a6d491eae63a6fd80d369bd057c46f596529d3366213b690d4cf.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4988
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.Bat
  2⤵
  PID:664

C:\Windows\exploret.exe
C:\Windows\exploret.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:736
- C:\WINDOWS\SysWOW64\SvcHost.eXe
  C:\WINDOWS\system32\SvcHost.eXe
  2⤵
  PID:460

C:\Windows\exploret.exe

Filesize
485KB

MD5
0ee6d60f5b2472fd775f0c7ed782ccfc

SHA1
35b668a98560cbe6a0656f99e4623e8c992f836d

SHA256
60280e68d271a6d491eae63a6fd80d369bd057c46f596529d3366213b690d4cf

SHA512
fd8f1b78601afb43b32a664604acd961102069511f2954a4f010cd6474b90725fb014998c2925b028e53ece159b230b367978c9b20032b04d72c3593036bd7f8

Download Submit
C:\Windows\exploret.exe

Filesize
485KB

MD5
0ee6d60f5b2472fd775f0c7ed782ccfc

SHA1
35b668a98560cbe6a0656f99e4623e8c992f836d

SHA256
60280e68d271a6d491eae63a6fd80d369bd057c46f596529d3366213b690d4cf

SHA512
fd8f1b78601afb43b32a664604acd961102069511f2954a4f010cd6474b90725fb014998c2925b028e53ece159b230b367978c9b20032b04d72c3593036bd7f8

Download Submit
C:\Windows\uninstal.Bat

Filesize
254B

MD5
414af7057be7c23c9a61314315706f76

SHA1
d635edc7e8e2c2da77d2bf50e0973346f45941fa

SHA256
a715c8fd8c888be733f8b2215d6be810d3fa9dee8a4d52daece7b706cc3cfb2d

SHA512
0831f5f91681f50924694d1e1310cdb5c6e5828406322ac8f5695827183e6211f93e20d0ef743c89554d58c3c07900885fd2a494f08c9df09313e85b2a6073ce

Download Submit
memory/460-134-0x0000000000000000-mapping.dmp

Download
memory/664-135-0x0000000000000000-mapping.dmp

Download