fe6015c2605043211f6c1e3a18eef796f3f4339d7e337b020c5272817541e6ff

Analysis

max time kernel
167s
max time network
186s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
04-12-2022 03:43

Target

fe6015c2605043211f6c1e3a18eef796f3f4339d7e337b020c5272817541e6ff.exe
Size

273KB
MD5

e2014d296f03f84f2a7ef0ef9f996243
SHA1

77ef94ded67154b8b98543ec05408a6d14b10a2c
SHA256

fe6015c2605043211f6c1e3a18eef796f3f4339d7e337b020c5272817541e6ff
SHA512

ad9c89519d72992b0738a5a44b69f38ef5d47435f2d2f3cb8090cce03d696fc92ab31ad9d9b523fbc14b7cae57c42602664eb9862bc0a2f112cba1e0d825f99e
SSDEEP

6144:wP3OASxV76Gts46GH67IHEMhWPYIwFWk8CtAgKxmTgdIPIAd:wPRJGa7fIc0usAhkgq

Score

8^/10

Executes dropped EXE 1 IoCs

pid	Process
3120	Exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Exe	fe6015c2605043211f6c1e3a18eef796f3f4339d7e337b020c5272817541e6ff.exe
File opened for modification	C:\Windows\Exe	fe6015c2605043211f6c1e3a18eef796f3f4339d7e337b020c5272817541e6ff.exe
File opened for modification	C:\Windows\Exe	Exe
File created	C:\Windows\uninstal.bat	fe6015c2605043211f6c1e3a18eef796f3f4339d7e337b020c5272817541e6ff.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4904	fe6015c2605043211f6c1e3a18eef796f3f4339d7e337b020c5272817541e6ff.exe
Token: SeDebugPrivilege	3120	Exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4904 wrote to memory of 1836	4904	fe6015c2605043211f6c1e3a18eef796f3f4339d7e337b020c5272817541e6ff.exe	85
PID 4904 wrote to memory of 1836	4904	fe6015c2605043211f6c1e3a18eef796f3f4339d7e337b020c5272817541e6ff.exe	85
PID 4904 wrote to memory of 1836	4904	fe6015c2605043211f6c1e3a18eef796f3f4339d7e337b020c5272817541e6ff.exe	85

C:\Users\Admin\AppData\Local\Temp\fe6015c2605043211f6c1e3a18eef796f3f4339d7e337b020c5272817541e6ff.exe
"C:\Users\Admin\AppData\Local\Temp\fe6015c2605043211f6c1e3a18eef796f3f4339d7e337b020c5272817541e6ff.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4904
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
  2⤵
  PID:1836

C:\Windows\Exe

Filesize
273KB

MD5
e2014d296f03f84f2a7ef0ef9f996243

SHA1
77ef94ded67154b8b98543ec05408a6d14b10a2c

SHA256
fe6015c2605043211f6c1e3a18eef796f3f4339d7e337b020c5272817541e6ff

SHA512
ad9c89519d72992b0738a5a44b69f38ef5d47435f2d2f3cb8090cce03d696fc92ab31ad9d9b523fbc14b7cae57c42602664eb9862bc0a2f112cba1e0d825f99e

Download Submit
C:\Windows\Exe

Filesize
273KB

MD5
e2014d296f03f84f2a7ef0ef9f996243

SHA1
77ef94ded67154b8b98543ec05408a6d14b10a2c

SHA256
fe6015c2605043211f6c1e3a18eef796f3f4339d7e337b020c5272817541e6ff

SHA512
ad9c89519d72992b0738a5a44b69f38ef5d47435f2d2f3cb8090cce03d696fc92ab31ad9d9b523fbc14b7cae57c42602664eb9862bc0a2f112cba1e0d825f99e

Download Submit
C:\Windows\uninstal.bat

Filesize
254B

MD5
c7ed4a8963ec9361e5c8c1e7f27f46ff

SHA1
afc9d3e6d6121948082a19ec786b43c61d1f8e03

SHA256
191677adff1a5f8f817880f66b29bad5b049195e31b60738a729e8e4c804c28d

SHA512
2811ad5029c62d504c4a22085b289d0bd1687e8bad9f347567785b9ceedfc7ee904cc0d79105b9d7ecc4aa101c5becc0c6ab89d6f5602c76a5f479b83c14cd48

Download Submit
memory/3120-135-0x0000000000400000-0x00000000004CB011-memory.dmp

Filesize
812KB

Download
memory/4904-132-0x0000000000400000-0x00000000004CB011-memory.dmp

Filesize
812KB

Download
memory/4904-136-0x0000000000400000-0x00000000004CB011-memory.dmp

Filesize
812KB

Download
memory/4904-138-0x0000000000400000-0x00000000004CB011-memory.dmp

Filesize
812KB

Download