Overview

overview

10

Static

static

a.exe

windows7-x64

10

a.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    147s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-12-2022 07:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a.exe

  • Size

    1.4MB

  • MD5

    8a627782b855f06a3d6d273d11f04f46

  • SHA1

    30570c697533fc3fc7a19ad5d4bc3753f2cf1c0b

  • SHA256

    f0b7a0368fc27d98d42efd4e9c9dd2c252e5fcaaf13ffd67b3c545ec5b1c53e9

  • SHA512

    211fed71bcb75201380921a7de7bf8b88c451a5125f751be616a1775ad3c6a1d59ecc77aa997b053583c1a7d6419e4cfa8ff9bc99d50d1440bf34943d2c1a578

  • SSDEEP

    24576:xirh2DKsuoIj4G6KFined4e5+MRicaRT4D2aKpq9ZEjrTnFOyzhyz:Ir0DfFpG6S68+KaRTWNKpEEfTnF

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 8 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a.exe
    "C:\Users\Admin\AppData\Local\Temp\a.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2288
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -ExecutionPolicy Bypass -F C:\ProgramData\test.ps1
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2664

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\test.ps1
    Filesize

    310KB

    MD5

    220e9238b05cb802d63f7d79d11b2a32

    SHA1

    77324ddee92b5ee1c2d50680ea15dd6e28ef402b

    SHA256

    248d8893d926c765d168bd48211650094dbcf8a8988c448f3b271c41bec8ca9d

    SHA512

    748f9149ceaa46789938d66a87dad5c92a9beea65a7c84c07fa42378fdee70b1340d777fcfc78efcd85254660fd4a858fe10bd83464564cde7b12c01ebbcdb7a

    Download Submit
  • memory/2664-132-0x0000000000000000-mapping.dmp
    Download
  • memory/2664-133-0x000001A5FCD50000-0x000001A5FCD72000-memory.dmp
    Filesize

    136KB

    Download
  • memory/2664-135-0x00007FFFEE480000-0x00007FFFEEF41000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/2664-136-0x000001A5FD6A0000-0x000001A5FD6B5000-memory.dmp
    Filesize

    84KB

    Download
  • memory/2664-137-0x000001A5FD30A000-0x000001A5FD30F000-memory.dmp
    Filesize

    20KB

    Download
  • memory/2664-138-0x00007FFFEE480000-0x00007FFFEEF41000-memory.dmp
    Filesize

    10.8MB

    Download