Analysis
max time kernel: 274s
max time network: 282s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-11-2022 17:49
Static task: static1
Behavioral task: behavioral1
  Sample: 5aaa85cd2b644c641ebd2e5f42d11229f46314a4cfea47268d9565ff99c72f90.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 5aaa85cd2b644c641ebd2e5f42d11229f46314a4cfea47268d9565ff99c72f90.exe
  Resource: win10v2004-20221111-en
General
Target: 5aaa85cd2b644c641ebd2e5f42d11229f46314a4cfea47268d9565ff99c72f90.exe
Size: 1.7MB
MD5: 30bfef26fc5534fa14f9b49dce1326e1
SHA1: 77cacad9da906efcd52f04baaf915ffc7f752bf4
SHA256: 5aaa85cd2b644c641ebd2e5f42d11229f46314a4cfea47268d9565ff99c72f90
SHA512: 025e1576ae92c1873d3747b260ef8344201beceb621f661a0af98012f97df2edc1768ea188e209704be92b09f8c031a3ef9380e5850958d0b7808e3f9d9bffeb
SSDEEP: 12288:0JFsMWlD6Vw8oL11cbGWwFlbKfKQ+8cG1MHf8Y99LZQW2:0TsMUDlp11zgOF63Y99lQW
Malware Config
Signatures

Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes:
  pid  process
  224  5aaa85cd2b644c641ebd2e5f42d11229f46314a4cfea47268d9565ff99c72f90.exe
  224  5aaa85cd2b644c641ebd2e5f42d11229f46314a4cfea47268d9565ff99c72f90.exe
  224  5aaa85cd2b644c641ebd2e5f42d11229f46314a4cfea47268d9565ff99c72f90.exe
  224  5aaa85cd2b644c641ebd2e5f42d11229f46314a4cfea47268d9565ff99c72f90.exe
  224  5aaa85cd2b644c641ebd2e5f42d11229f46314a4cfea47268d9565ff99c72f90.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  description                         pid  process
  Token: SeDebugPrivilege             224  5aaa85cd2b644c641ebd2e5f42d11229f46314a4cfea47268d9565ff99c72f90.exe
  Token: 33                           224  5aaa85cd2b644c641ebd2e5f42d11229f46314a4cfea47268d9565ff99c72f90.exe
  Token: SeIncBasePriorityPrivilege   224  5aaa85cd2b644c641ebd2e5f42d11229f46314a4cfea47268d9565ff99c72f90.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description                          pid  process                                                                   target process
  PID 224 wrote to memory of 5000      224  5aaa85cd2b644c641ebd2e5f42d11229f46314a4cfea47268d9565ff99c72f90.exe     cmd.exe
  PID 224 wrote to memory of 5000      224  5aaa85cd2b644c641ebd2e5f42d11229f46314a4cfea47268d9565ff99c72f90.exe     cmd.exe
  PID 224 wrote to memory of 5000      224  5aaa85cd2b644c641ebd2e5f42d11229f46314a4cfea47268d9565ff99c72f90.exe     cmd.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\5aaa85cd2b644c641ebd2e5f42d11229f46314a4cfea47268d9565ff99c72f90.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\5aaa85cd2b644c641ebd2e5f42d11229f46314a4cfea47268d9565ff99c72f90.exe"
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe (child of process 1)
      Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FolderName\mata.bat