f402d2c4854a7bef75ea22238ba29b080731d7fbcd168c7644bc8201962b13bd

Analysis

max time kernel
34s
max time network
72s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
04-12-2022 07:11

Target

f402d2c4854a7bef75ea22238ba29b080731d7fbcd168c7644bc8201962b13bd.exe
Size

168KB
MD5

6b78eabbf7f9d460ddcbc2af36bf9001
SHA1

b9bb67437360d9a2959b08da33af355d579b8952
SHA256

f402d2c4854a7bef75ea22238ba29b080731d7fbcd168c7644bc8201962b13bd
SHA512

b3f8bdf69c0a4e94b72bc2e9de72065823293da6d25aac12293dae27a3f43f36522206ebe76af9d2d6af0a35acd4a4572dd08ed892d48212352899bed394729f
SSDEEP

3072:S/Zb2zT9plWJnVRwouPQ2broqM2jordjQ6RDlSfQEjuoY5/k6UxWdW4dlRWRkrVw:qZbykRWPQPqJUrv1lSCT5bo4NWSkFl

Score

7^/10

Deletes itself 1 IoCs

pid	Process
516	cmd.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2008 set thread context of 516	2008	f402d2c4854a7bef75ea22238ba29b080731d7fbcd168c7644bc8201962b13bd.exe	28

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2008	f402d2c4854a7bef75ea22238ba29b080731d7fbcd168c7644bc8201962b13bd.exe
2008	f402d2c4854a7bef75ea22238ba29b080731d7fbcd168c7644bc8201962b13bd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2008	f402d2c4854a7bef75ea22238ba29b080731d7fbcd168c7644bc8201962b13bd.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 516	2008	f402d2c4854a7bef75ea22238ba29b080731d7fbcd168c7644bc8201962b13bd.exe	28
PID 2008 wrote to memory of 516	2008	f402d2c4854a7bef75ea22238ba29b080731d7fbcd168c7644bc8201962b13bd.exe	28
PID 2008 wrote to memory of 516	2008	f402d2c4854a7bef75ea22238ba29b080731d7fbcd168c7644bc8201962b13bd.exe	28
PID 2008 wrote to memory of 516	2008	f402d2c4854a7bef75ea22238ba29b080731d7fbcd168c7644bc8201962b13bd.exe	28
PID 2008 wrote to memory of 516	2008	f402d2c4854a7bef75ea22238ba29b080731d7fbcd168c7644bc8201962b13bd.exe	28

C:\Users\Admin\AppData\Local\Temp\f402d2c4854a7bef75ea22238ba29b080731d7fbcd168c7644bc8201962b13bd.exe
"C:\Users\Admin\AppData\Local\Temp\f402d2c4854a7bef75ea22238ba29b080731d7fbcd168c7644bc8201962b13bd.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Deletes itself
  PID:516

memory/2008-54-0x0000000000510000-0x000000000052E000-memory.dmp

Filesize
120KB

Download
memory/2008-56-0x00000000003C0000-0x00000000003C4000-memory.dmp

Filesize
16KB

Download
memory/2008-58-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2008-60-0x00000000004C0000-0x00000000004DC000-memory.dmp

Filesize
112KB

Download
memory/2008-61-0x0000000000510000-0x000000000052E000-memory.dmp

Filesize
120KB

Download
memory/2008-65-0x00000000760D1000-0x00000000760D3000-memory.dmp

Filesize
8KB

Download
memory/2008-66-0x0000000000510000-0x000000000052E000-memory.dmp

Filesize
120KB

Download