be95c80a2b150348131f2c80f8b9a9416bd9d92c5ba5e8d9f0b932f735180afc

Analysis

max time kernel
275s
max time network
294s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
26/11/2022, 00:36

Target

be95c80a2b150348131f2c80f8b9a9416bd9d92c5ba5e8d9f0b932f735180afc.exe
Size

2.1MB
MD5

3329f833ac31ac3878721f49e181393d
SHA1

47b79d529e61c1b41c27a53b9c0e886a6f50a1df
SHA256

be95c80a2b150348131f2c80f8b9a9416bd9d92c5ba5e8d9f0b932f735180afc
SHA512

29d2bb7cd8fcbd22dd6116ca3a75396bd045e9ad5b38cf3a699d4cdb0597e4b86af82662c11dbc8e0c266258fa648ac26768f111cc865f062e989c3055e5c95f
SSDEEP

24576:ptKb3axCoJgKuA0p1kXH2YNRRWH15ZYSR3T1i2UsDHMZWlZUgbVi0TD5mYbt7E:E3eCauJEN+nZYSp1i2UsQKZUaiqUCx

Score

6^/10

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	be95c80a2b150348131f2c80f8b9a9416bd9d92c5ba5e8d9f0b932f735180afc.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	be95c80a2b150348131f2c80f8b9a9416bd9d92c5ba5e8d9f0b932f735180afc.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\Desktop.ini	be95c80a2b150348131f2c80f8b9a9416bd9d92c5ba5e8d9f0b932f735180afc.exe
File opened for modification	C:\Windows\assembly	be95c80a2b150348131f2c80f8b9a9416bd9d92c5ba5e8d9f0b932f735180afc.exe
File created	C:\Windows\assembly\Desktop.ini	be95c80a2b150348131f2c80f8b9a9416bd9d92c5ba5e8d9f0b932f735180afc.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
3456	be95c80a2b150348131f2c80f8b9a9416bd9d92c5ba5e8d9f0b932f735180afc.exe
3456	be95c80a2b150348131f2c80f8b9a9416bd9d92c5ba5e8d9f0b932f735180afc.exe
3456	be95c80a2b150348131f2c80f8b9a9416bd9d92c5ba5e8d9f0b932f735180afc.exe
3456	be95c80a2b150348131f2c80f8b9a9416bd9d92c5ba5e8d9f0b932f735180afc.exe
3456	be95c80a2b150348131f2c80f8b9a9416bd9d92c5ba5e8d9f0b932f735180afc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3456	be95c80a2b150348131f2c80f8b9a9416bd9d92c5ba5e8d9f0b932f735180afc.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3456 wrote to memory of 3772	3456	be95c80a2b150348131f2c80f8b9a9416bd9d92c5ba5e8d9f0b932f735180afc.exe	81
PID 3456 wrote to memory of 3772	3456	be95c80a2b150348131f2c80f8b9a9416bd9d92c5ba5e8d9f0b932f735180afc.exe	81
PID 3456 wrote to memory of 3772	3456	be95c80a2b150348131f2c80f8b9a9416bd9d92c5ba5e8d9f0b932f735180afc.exe	81

C:\Users\Admin\AppData\Local\Temp\be95c80a2b150348131f2c80f8b9a9416bd9d92c5ba5e8d9f0b932f735180afc.exe
"C:\Users\Admin\AppData\Local\Temp\be95c80a2b150348131f2c80f8b9a9416bd9d92c5ba5e8d9f0b932f735180afc.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3456
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\FolderName\mata.bat
  2⤵
  PID:3772

C:\Users\Admin\AppData\Local\Temp\FolderName\mata.bat

Filesize
70B

MD5
23f72401196919748c14cb64c1d55c3b

SHA1
869e3809cb4391e6f5aee5349a871e40a1e1fb22

SHA256
d09c4054568f89c5de2bd9bae9cbcbcb3ef2dda9a9ded0153e29da26dc405d11

SHA512
2ab844717c31c4819d8773d7604dfc831e950ae9e38fe311acf8178d46f39fafb54b448ebb6b9cf5d1edd47ed36eae11d649c1be346b0a35d380dd07101c79f1

Download Submit
memory/3456-132-0x0000000074980000-0x0000000074F31000-memory.dmp

Filesize
5.7MB

Download
memory/3456-133-0x0000000074980000-0x0000000074F31000-memory.dmp

Filesize
5.7MB

Download