Analysis
- max time kernel: 91s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-11-2022 07:58
Static task: static1
Behavioral task: behavioral1
- Sample: 7bfa8287efe94726b341443f10b3fc7aeb71d32f3138bec5557a401cc0cbbe15.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: 7bfa8287efe94726b341443f10b3fc7aeb71d32f3138bec5557a401cc0cbbe15.exe
- Resource: win10v2004-20220901-en
General
- Target: 7bfa8287efe94726b341443f10b3fc7aeb71d32f3138bec5557a401cc0cbbe15.exe
- Size: 1.2MB
- MD5: 3be3c1887150138d2b8b20900b5af92e
- SHA1: 3f4bc4ee99ebd3d1d97146c82b1d9b2a9ff1f3a7
- SHA256: 7bfa8287efe94726b341443f10b3fc7aeb71d32f3138bec5557a401cc0cbbe15
- SHA512: aba5162e0c4f350f1eaf8828f0387a6d496bdb8864bae5e5b4d6d7bde920126619f32f2bb227689054ad4d0a055a849d74ed15208f2561504cec56e1eaa280ca
- SSDEEP: 24576:GIvle7cX8eG1foTS63xQ3wQEX8k3VjyWVADdEPf:GI9e7cXVT3xEEMk30WVVP
Malware Config
Signatures
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   Process
  4956  7bfa8287efe94726b341443f10b3fc7aeb71d32f3138bec5557a401cc0cbbe15.exe
  4956  7bfa8287efe94726b341443f10b3fc7aeb71d32f3138bec5557a401cc0cbbe15.exe
  5096  powershell.exe
  5096  powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  4956  7bfa8287efe94726b341443f10b3fc7aeb71d32f3138bec5557a401cc0cbbe15.exe
  Token: SeDebugPrivilege  5096  powershell.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                       pid   Process                                                                 procid_target
  PID 4956 wrote to memory of 4768  4956  7bfa8287efe94726b341443f10b3fc7aeb71d32f3138bec5557a401cc0cbbe15.exe  88
  PID 4956 wrote to memory of 4768  4956  7bfa8287efe94726b341443f10b3fc7aeb71d32f3138bec5557a401cc0cbbe15.exe  88
  PID 4956 wrote to memory of 4768  4956  7bfa8287efe94726b341443f10b3fc7aeb71d32f3138bec5557a401cc0cbbe15.exe  88
  PID 4768 wrote to memory of 5096  4768  cmd.exe                                                                 90
  PID 4768 wrote to memory of 5096  4768  cmd.exe                                                                 90
  PID 4768 wrote to memory of 5096  4768  cmd.exe                                                                 90
Processes
- C:\Users\Admin\AppData\Local\Temp\7bfa8287efe94726b341443f10b3fc7aeb71d32f3138bec5557a401cc0cbbe15.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7bfa8287efe94726b341443f10b3fc7aeb71d32f3138bec5557a401cc0cbbe15.exe"
  PID: 4956
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\7bfa8287efe94726b341443f10b3fc7aeb71d32f3138bec5557a401cc0cbbe15.exe' & exit
    PID: 4768
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\7bfa8287efe94726b341443f10b3fc7aeb71d32f3138bec5557a401cc0cbbe15.exe'
      PID: 5096
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken