7556854937e56f78fec5ef3eb642edcb1cec454198acf4c012bf369f66bb71ea

Analysis

max time kernel
150s
max time network
188s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
28/11/2022, 06:08

Target

7556854937e56f78fec5ef3eb642edcb1cec454198acf4c012bf369f66bb71ea.exe
Size

356KB
MD5

77c5b14bbb92ded1ffdd415e9624d208
SHA1

0f0a4c2db9e443244db276ae811a266a0561506d
SHA256

7556854937e56f78fec5ef3eb642edcb1cec454198acf4c012bf369f66bb71ea
SHA512

ef547cde97de9d06b31c14d6070160e53bf94f73162889a7799651d5d56dc3799c935e6129748ac7c5b7d7659e5177d22c37b5335a377edacb6ea2325eeb9715
SSDEEP

6144:YJXPUF2odfWbeDA0kZtCiyxhrTWLSJxWqwQakUCz6:YtUFybe4YFEAxOQ1Nz

Score

8^/10

Executes dropped EXE 1 IoCs

pid	Process
2616	tmp56XK.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2616	tmp56XK.exe
2616	tmp56XK.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2616	tmp56XK.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2616	tmp56XK.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4292 wrote to memory of 540	4292	7556854937e56f78fec5ef3eb642edcb1cec454198acf4c012bf369f66bb71ea.exe	87
PID 4292 wrote to memory of 540	4292	7556854937e56f78fec5ef3eb642edcb1cec454198acf4c012bf369f66bb71ea.exe	87
PID 540 wrote to memory of 2616	540	cmd.exe	89
PID 540 wrote to memory of 2616	540	cmd.exe	89
PID 540 wrote to memory of 2616	540	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\7556854937e56f78fec5ef3eb642edcb1cec454198acf4c012bf369f66bb71ea.exe
"C:\Users\Admin\AppData\Local\Temp\7556854937e56f78fec5ef3eb642edcb1cec454198acf4c012bf369f66bb71ea.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4292
- C:\Windows\SYSTEM32\cmd.exe
  "cmd" /c cd %temp% & start /B tmp56XK.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:540
- - C:\Users\Admin\AppData\Local\Temp\tmp56XK.exe
    tmp56XK.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2616

C:\Users\Admin\AppData\Local\Temp\tmp56XK.exe

Filesize
280KB

MD5
6da6e11cf900c0825092b8e5c4cddde4

SHA1
b5f8461b74d432fad52de4d5d346da28a7f20e01

SHA256
f46162f715956e398a2e45babecc9b0407d3a7eba21f968009033457876627bf

SHA512
1130e21be836d1884fe4f4b543c692b4dbae8a911dd83a2e6cb79079e69e20234e682d08b488309d5dadf0e48d82709a10140f64f36a85defe0be288bc9ab672

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp56XK.exe

Filesize
280KB

MD5
6da6e11cf900c0825092b8e5c4cddde4

SHA1
b5f8461b74d432fad52de4d5d346da28a7f20e01

SHA256
f46162f715956e398a2e45babecc9b0407d3a7eba21f968009033457876627bf

SHA512
1130e21be836d1884fe4f4b543c692b4dbae8a911dd83a2e6cb79079e69e20234e682d08b488309d5dadf0e48d82709a10140f64f36a85defe0be288bc9ab672

Download Submit
memory/2616-139-0x0000000074EA0000-0x0000000075451000-memory.dmp

Filesize
5.7MB

Download
memory/2616-140-0x0000000074EA0000-0x0000000075451000-memory.dmp

Filesize
5.7MB

Download
memory/4292-132-0x0000000000F70000-0x0000000000FD2000-memory.dmp

Filesize
392KB

Download
memory/4292-133-0x00007FF9C1520000-0x00007FF9C1FE1000-memory.dmp

Filesize
10.8MB

Download
memory/4292-134-0x00007FF9C1520000-0x00007FF9C1FE1000-memory.dmp

Filesize
10.8MB

Download