bb18c7b410172561a4b61af74bab2db4e2120e8c15a28feb676188bac3747d44

Analysis

max time kernel
150s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2022 09:01

Target

a.exe
Size

1.4MB
MD5

8a627782b855f06a3d6d273d11f04f46
SHA1

30570c697533fc3fc7a19ad5d4bc3753f2cf1c0b
SHA256

f0b7a0368fc27d98d42efd4e9c9dd2c252e5fcaaf13ffd67b3c545ec5b1c53e9
SHA512

211fed71bcb75201380921a7de7bf8b88c451a5125f751be616a1775ad3c6a1d59ecc77aa997b053583c1a7d6419e4cfa8ff9bc99d50d1440bf34943d2c1a578
SSDEEP

24576:xirh2DKsuoIj4G6KFined4e5+MRicaRT4D2aKpq9ZEjrTnFOyzhyz:Ir0DfFpG6S68+KaRTWNKpEEfTnF

Score

1^/10

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1660 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1660 powershell.exe
Suspicious use of WriteProcessMemory 2 IoCs

Processes:

a.exe

description pid process target process

PID 5000 wrote to memory of 1660 5000 a.exe powershell.exe
PID 5000 wrote to memory of 1660 5000 a.exe powershell.exe

pid	process
1660	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1660	powershell.exe

description	pid	process	target process
PID 5000 wrote to memory of 1660	5000	a.exe	powershell.exe
PID 5000 wrote to memory of 1660	5000	a.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\a.exe
"C:\Users\Admin\AppData\Local\Temp\a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5000

memory/1660-132-0x0000000000000000-mapping.dmp

Download
memory/1660-133-0x00007FFF7BA40000-0x00007FFF7C501000-memory.dmp

Filesize
10.8MB

Download
memory/1660-134-0x0000025BF6FF0000-0x0000025BF7012000-memory.dmp

Filesize
136KB

Download
memory/1660-135-0x00007FFF7BA40000-0x00007FFF7C501000-memory.dmp

Filesize
10.8MB

Download