96c2a28ff80cbd8d0d02cb497273026003ba9b9275619996479c439e6ee9da61

Analysis

max time kernel
311s
max time network
333s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 07:25

Target

96c2a28ff80cbd8d0d02cb497273026003ba9b9275619996479c439e6ee9da61.exe
Size

225KB
MD5

0516e57beb0b7b716f6b5fd138a3a9d6
SHA1

14db1c62a45108b725cec294928c33e12415d900
SHA256

96c2a28ff80cbd8d0d02cb497273026003ba9b9275619996479c439e6ee9da61
SHA512

199662f06bc7106b1164462eb143dc5c7835237689f7a8426d92a603df5779f0d0ca592f2d36b6a75b1b15ed1a4e0485a53bee943e475a409eb781d16fc4ebd6
SSDEEP

3072:XC/sHTUt0pfM90Ckr01V3CdqQFxXWVZJtN7TD3sCSBo+nuikD91L6TrDIJ7YmWt:XC/sHot0p/Q30yJtVgCH+29Uf1

Score

8^/10

Executes dropped EXE 1 IoCs

Processes:

ligee.exe

pid process

3168 ligee.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

ligee.exe

pid process

3168 ligee.exe
3168 ligee.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

ligee.exe

pid process

3168 ligee.exe

pid	process
3168	ligee.exe

pid	process
3168	ligee.exe
3168	ligee.exe

pid	process
3168	ligee.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

96c2a28ff80cbd8d0d02cb497273026003ba9b9275619996479c439e6ee9da61.exeligee.exe

description	pid	process
Token: SeCreateTokenPrivilege	4876	96c2a28ff80cbd8d0d02cb497273026003ba9b9275619996479c439e6ee9da61.exe
Token: SeBackupPrivilege	4876	96c2a28ff80cbd8d0d02cb497273026003ba9b9275619996479c439e6ee9da61.exe
Token: SeSecurityPrivilege	4876	96c2a28ff80cbd8d0d02cb497273026003ba9b9275619996479c439e6ee9da61.exe
Token: SeCreateTokenPrivilege	3168	ligee.exe
Token: SeBackupPrivilege	3168	ligee.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

96c2a28ff80cbd8d0d02cb497273026003ba9b9275619996479c439e6ee9da61.exeligee.exe

description	pid	process	target process
PID 4876 wrote to memory of 3168	4876	96c2a28ff80cbd8d0d02cb497273026003ba9b9275619996479c439e6ee9da61.exe	ligee.exe
PID 4876 wrote to memory of 3168	4876	96c2a28ff80cbd8d0d02cb497273026003ba9b9275619996479c439e6ee9da61.exe	ligee.exe
PID 4876 wrote to memory of 3168	4876	96c2a28ff80cbd8d0d02cb497273026003ba9b9275619996479c439e6ee9da61.exe	ligee.exe
PID 3168 wrote to memory of 2148	3168	ligee.exe	explorer.exe
PID 3168 wrote to memory of 2148	3168	ligee.exe	explorer.exe
PID 3168 wrote to memory of 2148	3168	ligee.exe	explorer.exe

C:\Users\Admin\AppData\Roaming\Efori\ligee.exe
Filesize
225KB

MD5
f87acffdbd19a066747852a4f924d8cc

SHA1
7dda2b025576647a72b368cf4451a1cc94026023

SHA256
913996a11f8a3522b85671ce6b8d8c9485271c1574fb713e13a32585618ed439

SHA512
1634cf6e86d4ca7ff4c9443fe62212ad32d539fe4454ac5db48b0d57661ce72339f753a121ba472ffea8571053e5bd6840cde1635c75fa7dff71d5b00132c2db

Download Submit
C:\Users\Admin\AppData\Roaming\Efori\ligee.exe
Filesize
225KB

MD5
f87acffdbd19a066747852a4f924d8cc

SHA1
7dda2b025576647a72b368cf4451a1cc94026023

SHA256
913996a11f8a3522b85671ce6b8d8c9485271c1574fb713e13a32585618ed439

SHA512
1634cf6e86d4ca7ff4c9443fe62212ad32d539fe4454ac5db48b0d57661ce72339f753a121ba472ffea8571053e5bd6840cde1635c75fa7dff71d5b00132c2db

Download Submit
memory/2148-141-0x0000000000000000-mapping.dmp

Download
memory/2148-142-0x0000000001090000-0x00000000010BD000-memory.dmp

Filesize
180KB

Download
memory/3168-135-0x0000000000000000-mapping.dmp

Download
memory/3168-138-0x00000000022A0000-0x0000000002335000-memory.dmp

Filesize
596KB

Download
memory/3168-139-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4876-132-0x0000000002470000-0x0000000002505000-memory.dmp

Filesize
596KB

Download
memory/4876-133-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download