2e25487afa59800e53d9116f10d01ffda44326f446966fda4b6d667ee90d4c4f | Triage

Analysis

max time kernel
889s
max time network
893s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30-12-2022 04:56

Sharing

Report Analysis Logs

General

Target

SetupMain.exe
Size

10.0MB
MD5

720296d00845e149a57a103201f09e2a
SHA1

edf79f7aca5adb29404db3ae2afbe0fbbbee8eef
SHA256

2e25487afa59800e53d9116f10d01ffda44326f446966fda4b6d667ee90d4c4f
SHA512

787b56281a6c23219da2db25ede4f90e0836508d92d20dc0bd6b14a66a9feedba38ce62bec119c9ca76001c5548e3f4153211e681f4ee05a8c134c1f85961324
SSDEEP

196608:3K48YbtSvdrmS+0EDHqJA6tisNJjZiODHc:3KcbtSvdr1qH0pt3NJViUHc

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1580 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1580 powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SetupMain.exe

description	pid	process	target process
PID 1416 wrote to memory of 1580	1416	SetupMain.exe	powershell.exe
PID 1416 wrote to memory of 1580	1416	SetupMain.exe	powershell.exe
PID 1416 wrote to memory of 1580	1416	SetupMain.exe	powershell.exe
PID 1416 wrote to memory of 1580	1416	SetupMain.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\SetupMain.exe
"C:\Users\Admin\AppData\Local\Temp\SetupMain.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1416

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1580

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1416-54-0x0000000000BF0000-0x0000000001470000-memory.dmp

Filesize
8.5MB

Download
memory/1416-55-0x0000000075E81000-0x0000000075E83000-memory.dmp

Filesize
8KB

Download
memory/1580-56-0x0000000000000000-mapping.dmp

Download
memory/1580-58-0x0000000073260000-0x000000007380B000-memory.dmp

Filesize
5.7MB

Download
memory/1580-59-0x0000000073260000-0x000000007380B000-memory.dmp

Filesize
5.7MB

Download