dfe8a3f9071b4ffa3f974f1e0e0312de09fa52f593bafea3d02dab73d404eacb

Analysis

max time kernel
2s
max time network
17s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 15:41

Target

dfe8a3f9071b4ffa3f974f1e0e0312de09fa52f593bafea3d02dab73d404eacb.exe
Size

93KB
MD5

43e07a83c129d2773466e666754c051a
SHA1

b230c002d023df16d4e997c1966474e104f0e318
SHA256

dfe8a3f9071b4ffa3f974f1e0e0312de09fa52f593bafea3d02dab73d404eacb
SHA512

7c291f987c91f48743d857db7f6f3abd37089626d8b0369846d5ee50b6927fee51bfeadadea08e5832773a6ae9915996b38c8c06736f93d6d76eaab91496d48e
SSDEEP

1536:+HxCaqYLXJOfEbvdTvqGORq0H/waHXxoqNFcMeYxoPR:+Hx8YL02HamwFDoP

Score

8^/10

Executes dropped EXE 1 IoCs

Processes:

lsass.exe

pid process

4364 lsass.exe

pid	process
4364	lsass.exe

Drops startup file 1 IoCs

Processes:

dfe8a3f9071b4ffa3f974f1e0e0312de09fa52f593bafea3d02dab73d404eacb.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe	dfe8a3f9071b4ffa3f974f1e0e0312de09fa52f593bafea3d02dab73d404eacb.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

pid process

2456
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

lsass.exeexplorer.exe

pid process

4364 lsass.exe
1032 explorer.exe

pid	process
2456

pid	process
4364	lsass.exe
1032	explorer.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

dfe8a3f9071b4ffa3f974f1e0e0312de09fa52f593bafea3d02dab73d404eacb.exelsass.exe

description	pid	process
Token: SeDebugPrivilege	1260	dfe8a3f9071b4ffa3f974f1e0e0312de09fa52f593bafea3d02dab73d404eacb.exe
Token: SeDebugPrivilege	4364	lsass.exe
Token: SeDebugPrivilege	2456

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

dfe8a3f9071b4ffa3f974f1e0e0312de09fa52f593bafea3d02dab73d404eacb.exelsass.exe

description	pid	process	target process
PID 1260 wrote to memory of 4364	1260	dfe8a3f9071b4ffa3f974f1e0e0312de09fa52f593bafea3d02dab73d404eacb.exe	lsass.exe
PID 1260 wrote to memory of 4364	1260	dfe8a3f9071b4ffa3f974f1e0e0312de09fa52f593bafea3d02dab73d404eacb.exe	lsass.exe
PID 1260 wrote to memory of 4364	1260	dfe8a3f9071b4ffa3f974f1e0e0312de09fa52f593bafea3d02dab73d404eacb.exe	lsass.exe
PID 4364 wrote to memory of 1032	4364	lsass.exe	explorer.exe
PID 4364 wrote to memory of 1032	4364	lsass.exe	explorer.exe

C:\Windows\explorer.exe
C:\Windows\explorer.exe
3⤵
- Suspicious behavior: MapViewOfSection
PID:1032

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe

Filesize
93KB

MD5
43e07a83c129d2773466e666754c051a

SHA1
b230c002d023df16d4e997c1966474e104f0e318

SHA256
dfe8a3f9071b4ffa3f974f1e0e0312de09fa52f593bafea3d02dab73d404eacb

SHA512
7c291f987c91f48743d857db7f6f3abd37089626d8b0369846d5ee50b6927fee51bfeadadea08e5832773a6ae9915996b38c8c06736f93d6d76eaab91496d48e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe

Filesize
93KB

MD5
43e07a83c129d2773466e666754c051a

SHA1
b230c002d023df16d4e997c1966474e104f0e318

SHA256
dfe8a3f9071b4ffa3f974f1e0e0312de09fa52f593bafea3d02dab73d404eacb

SHA512
7c291f987c91f48743d857db7f6f3abd37089626d8b0369846d5ee50b6927fee51bfeadadea08e5832773a6ae9915996b38c8c06736f93d6d76eaab91496d48e

Download Submit
memory/1032-136-0x0000000000000000-mapping.dmp

Download
memory/1032-138-0x0000000000130000-0x0000000000157000-memory.dmp

Filesize
156KB

Download
memory/1260-134-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/4364-132-0x0000000000000000-mapping.dmp

Download
memory/4364-137-0x00000000005D0000-0x00000000005F7000-memory.dmp

Filesize
156KB

Download
memory/4364-139-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download