46034e7cd85d8ce2c9e0d15d6719287b0bf021c491217fff3637da76347529a4

Analysis

max time kernel
142s
max time network
157s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 16:34

Target

46034e7cd85d8ce2c9e0d15d6719287b0bf021c491217fff3637da76347529a4.exe
Size

6KB
MD5

cca0a2bfb06bd6f34084d7b3252210c8
SHA1

a5c1616a568659d0e0fbf78f55538bae818c7867
SHA256

46034e7cd85d8ce2c9e0d15d6719287b0bf021c491217fff3637da76347529a4
SHA512

eb80b39a28edd834b3f9a62c62106a1e7e130f45cd25c844c9dc345fcd67358a6ff95b08e7b2c03bd6bb62a7193f62a43a29d35ea52438ed7dcf424071a94a04
SSDEEP

96:u9+15vXfuPvmUPg8OCJ1tolwHZDAkiIQsfOLMAdPEcVfknTNbUrV1aTap:GGP2rg8W2ZDr4MuEc1gap

Score

8^/10

Executes dropped EXE 1 IoCs

Processes:

taskmgr.exe

pid process

1472 taskmgr.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1572 cmd.exe

pid	process
1472	taskmgr.exe

pid	process
1572	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

46034e7cd85d8ce2c9e0d15d6719287b0bf021c491217fff3637da76347529a4.exe

pid	process
2020	46034e7cd85d8ce2c9e0d15d6719287b0bf021c491217fff3637da76347529a4.exe
2020	46034e7cd85d8ce2c9e0d15d6719287b0bf021c491217fff3637da76347529a4.exe

Drops file in Program Files directory 3 IoCs

Processes:

46034e7cd85d8ce2c9e0d15d6719287b0bf021c491217fff3637da76347529a4.exetaskmgr.exe

description	ioc	process
File created	C:\Program Files\Windows NT\Accessories\taskmgr.exe	46034e7cd85d8ce2c9e0d15d6719287b0bf021c491217fff3637da76347529a4.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\taskmgr.exe	46034e7cd85d8ce2c9e0d15d6719287b0bf021c491217fff3637da76347529a4.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\mswrd4.wpc	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

taskmgr.exe46034e7cd85d8ce2c9e0d15d6719287b0bf021c491217fff3637da76347529a4.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	1472	taskmgr.exe
Token: SeDebugPrivilege	1472	taskmgr.exe
Token: SeIncBasePriorityPrivilege	2020	46034e7cd85d8ce2c9e0d15d6719287b0bf021c491217fff3637da76347529a4.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

46034e7cd85d8ce2c9e0d15d6719287b0bf021c491217fff3637da76347529a4.exe

description	pid	process	target process
PID 2020 wrote to memory of 1472	2020	46034e7cd85d8ce2c9e0d15d6719287b0bf021c491217fff3637da76347529a4.exe	taskmgr.exe
PID 2020 wrote to memory of 1472	2020	46034e7cd85d8ce2c9e0d15d6719287b0bf021c491217fff3637da76347529a4.exe	taskmgr.exe
PID 2020 wrote to memory of 1472	2020	46034e7cd85d8ce2c9e0d15d6719287b0bf021c491217fff3637da76347529a4.exe	taskmgr.exe
PID 2020 wrote to memory of 1472	2020	46034e7cd85d8ce2c9e0d15d6719287b0bf021c491217fff3637da76347529a4.exe	taskmgr.exe
PID 2020 wrote to memory of 1572	2020	46034e7cd85d8ce2c9e0d15d6719287b0bf021c491217fff3637da76347529a4.exe	cmd.exe
PID 2020 wrote to memory of 1572	2020	46034e7cd85d8ce2c9e0d15d6719287b0bf021c491217fff3637da76347529a4.exe	cmd.exe
PID 2020 wrote to memory of 1572	2020	46034e7cd85d8ce2c9e0d15d6719287b0bf021c491217fff3637da76347529a4.exe	cmd.exe
PID 2020 wrote to memory of 1572	2020	46034e7cd85d8ce2c9e0d15d6719287b0bf021c491217fff3637da76347529a4.exe	cmd.exe

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\46034E~1.EXE > nul
2⤵
- Deletes itself
PID:1572

C:\Program Files\Windows NT\Accessories\taskmgr.exe
Filesize
6KB

MD5
cca0a2bfb06bd6f34084d7b3252210c8

SHA1
a5c1616a568659d0e0fbf78f55538bae818c7867

SHA256
46034e7cd85d8ce2c9e0d15d6719287b0bf021c491217fff3637da76347529a4

SHA512
eb80b39a28edd834b3f9a62c62106a1e7e130f45cd25c844c9dc345fcd67358a6ff95b08e7b2c03bd6bb62a7193f62a43a29d35ea52438ed7dcf424071a94a04

Download Submit
\Program Files\Windows NT\Accessories\taskmgr.exe
Filesize
6KB

MD5
cca0a2bfb06bd6f34084d7b3252210c8

SHA1
a5c1616a568659d0e0fbf78f55538bae818c7867

SHA256
46034e7cd85d8ce2c9e0d15d6719287b0bf021c491217fff3637da76347529a4

SHA512
eb80b39a28edd834b3f9a62c62106a1e7e130f45cd25c844c9dc345fcd67358a6ff95b08e7b2c03bd6bb62a7193f62a43a29d35ea52438ed7dcf424071a94a04

Download Submit
\Program Files\Windows NT\Accessories\taskmgr.exe
Filesize
6KB

MD5
cca0a2bfb06bd6f34084d7b3252210c8

SHA1
a5c1616a568659d0e0fbf78f55538bae818c7867

SHA256
46034e7cd85d8ce2c9e0d15d6719287b0bf021c491217fff3637da76347529a4

SHA512
eb80b39a28edd834b3f9a62c62106a1e7e130f45cd25c844c9dc345fcd67358a6ff95b08e7b2c03bd6bb62a7193f62a43a29d35ea52438ed7dcf424071a94a04

Download Submit
memory/1472-56-0x0000000000000000-mapping.dmp

Download
memory/1472-58-0x0000000075451000-0x0000000075453000-memory.dmp

Filesize
8KB

Download
memory/1572-59-0x0000000000000000-mapping.dmp

Download